
Lotus Blossom APT

Posted: May 11, 2020

The Lotus Blossom APT is a threat actor that targets military and government entities in Asia with reconnaissance and data-exfiltrating campaigns. Like similar hacking groups, it may use customized or even exclusive threats, particularly backdoor Trojans, in campaigns that begin with phishing and expand into taking control of the compromised network. Users should abide by conventional safety guidelines for interacting with e-mail attachments and let their anti-malware products remove all threats related to Lotus Blossom APT attacks.

Sightseeing a Garden Full of Security Risks

Operationally similar to, but distinct from, Vietnam's APT32 or OceanLotus, the Lotus Blossom APT is another threat actor that favors breaking into networks and spying on their files and activities. Like APT32, APT37, or the Naikon APT, the Lotus Blossom APT specializes in targeting nations in Asia. Over the years, the cyber-security industry has confirmed dozens of Lotus Blossom APT attacks, many of them against repeated targets, such as government entities in Taiwan, Vietnam and Indonesia.

Infection strategies by the Lotus Blossom APT adhere to the long-established norms of network-compromising operations with espionage motives. Most incidents begin with e-mail messages disguised as legitimate communications, as follows:

  • The victim receives an e-mail with an attached file that resembles a document, such as a DOC or RTF, with workplace-specific content like employee lists for defense officials. In some cases, the attachment is a real document; otherwise, it's an executable file with a misleading icon and extension.
  • Opening the file, if it's a document, triggers a (usually recently disclosed) exploit that runs a loading component for a backdoor Trojan. If it's an EXE, it proceeds to this attack more directly, but also hides the activity by launching a visually distracting decoy document.
  • The final payload is generally a backdoor Trojan that provides file download and upload operations and system-command functionality, à la the Elise malware. The Lotus Blossom APT's backdoor Trojans tend to be custom-made rather than modifications of third-party tools.

From that point, the Lotus Blossom APT uses its Trojan for monitoring the PC, expanding control to other targets – like the rest of the network or a valuable employee contact – and exfiltrating intelligence such as passwords and files.

The Simplest of Pesticides for the Lotus Blossom APT

Some precautions will help users avoid inadvertently falling into the phishing traps that threat actors like the Lotus Blossom APT use as a matter of routine. Enabling visible file extensions helps with identifying executables posing as documents, among other tactics. Scanning downloaded attachments offers an early chance of detecting threats in various formats before any backdoor Trojan comes into play. Updates to Microsoft Word, Adobe's PDF Reader, and similar applications will patch many, if not all, of the vulnerabilities available to hackers. In most scenarios, users also can avoid attacks simply by declining to enable macros or 'advanced content' manually.
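A defender-side illustration of two points made above, the disguised executable in the infection chain and the "visible extensions" precaution, as an added example that is not part of the original article. It classifies attachments by their leading bytes rather than their names, flags the document-then-executable extension pattern, and simulates what Windows Explorer displays when known extensions are hidden. The sample attachments and their contents are constructed for the example and are not real Lotus Blossom files.

```python
"""Triage e-mail attachments for the document-that-is-really-an-executable
lure described above. Added example; the sample attachments are constructed
and are not real Lotus Blossom artifacts."""
import os
from typing import Dict, List

# Extensions a phishing lure typically advertises.
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
# Extensions Windows runs on double-click; none of these belong in a "document".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Leading bytes ("magic numbers") of the formats worth distinguishing.
MAGIC = {
    b"MZ": "pe-executable",                              # Windows PE/EXE
    b"{\\rtf": "rtf",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",  # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip-office",                         # .docx/.xlsx/.pptx (zip containers)
}


def sniff(head: bytes) -> str:
    """Identify the real format from the first bytes, regardless of the name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def extension_chain(filename: str) -> List[str]:
    """All extensions in the name, lowercased: 'list.doc.exe' -> ['.doc', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Simulate what Explorer shows with 'Hide extensions for known file types'
    on (the Windows default): only the last extension is dropped, so
    'list.doc.exe' is displayed as 'list.doc'. Turning the option off shows
    the full name, which is the precaution the text recommends."""
    if not hide_known_extensions:
        return filename
    chain = extension_chain(filename)
    if chain and chain[-1] in DOCUMENT_EXTS | EXECUTABLE_EXTS:
        return filename[: -len(chain[-1])]
    return filename


def triage(filename: str, head: bytes) -> List[str]:
    """Return the reasons an attachment looks like a disguised executable
    (an empty list means nothing suspicious was found)."""
    findings = []
    chain = extension_chain(filename)
    final = chain[-1] if chain else ""
    kind = sniff(head)
    # A document extension immediately followed by an executable one.
    if len(chain) >= 2 and chain[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append("double extension " + chain[-2] + final)
    # Executable content behind a document extension (a renamed EXE).
    if final in DOCUMENT_EXTS and kind == "pe-executable":
        findings.append("PE header behind " + final + " extension")
    # Any directly executable attachment type.
    if final in EXECUTABLE_EXTS:
        findings.append("executable attachment type " + final)
    return findings


# Constructed sample mailbox: attachment name -> first bytes of the attachment.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "defense_employee_list.doc.exe": b"MZ\x90\x00\x03\x00\x00\x00",    # EXE with misleading .doc
    "defense_employee_list.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # genuine legacy Word file
    "budget_2020.rtf": b"{\\rtf1\\ansi",                               # genuine RTF
    "memo.pdf": b"MZ\x90\x00\x03\x00\x00\x00",                         # EXE renamed to .pdf
}


def triage_mailbox(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run triage over every attachment and keep only the flagged ones."""
    flagged = {}
    for name, head in attachments.items():
        findings = triage(name, head)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r} (shown as {displayed_name(name)!r}): {'; '.join(findings)}")
```

Running the sample flags only the two lures: the double-extension file, which Explorer would display as `defense_employee_list.doc` with extensions hidden, and the PE renamed to `.pdf`, which no extension setting would reveal and which is why checking the leading bytes matters for attachment scanning.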

A Lotus Blossom APT compromise represents a threat to all network-connected systems and removable devices, along with the user's contacts. Disabling network connections, detaching devices like USB drives, and changing passwords will help with limiting the propagation of the threat actor's Trojan utilities. While the Lotus Blossom APT uses Windows-specific backdoor Trojans, it may supplement these Trojans with secondary tools for other environments.

Anti-malware products from a trusted vendor are, as always, the recommendation for disinfecting systems and dealing with any software associated with the Lotus Blossom APT in a post-infection situation.

Despite its poetic name, the Lotus Blossom APT isn't particularly beautiful in its operations, save as a threat actor with technically advanced ways of avoiding detection. With anti-virtual-environment techniques supporting their payloads, these are hackers that will remain a challenge for threat analysis teams over the long term.
