Lotus Blossom APT

Posted: May 11, 2020

Lotus Blossom APT Description

The Lotus Blossom APT is a threat actor that targets military and government entities in Asia with reconnaissance and data-exfiltration campaigns. Like similar groups, it uses customized or even exclusive tools, particularly backdoor Trojans, and its intrusions typically start with phishing e-mails and expand into control of the compromised network. Users should follow conventional safety guidelines for interacting with e-mail attachments and let their anti-malware products remove all threats related to Lotus Blossom APT attacks.

Sightseeing a Garden Full of Security Risks

Similar to, but operationally distinct from, Vietnam's APT32 (also known as OceanLotus), the Lotus Blossom APT is another threat actor that favors breaking into networks and spying on their files and user activity. Like APT32, APT37, or the Naikon APT, the Lotus Blossom APT specializes in targets in Asia. Over the years, the cyber-security industry has confirmed dozens of Lotus Blossom APT attacks, many of them against repeated targets such as government entities in Taiwan, Vietnam and Indonesia.

The Lotus Blossom APT's infection strategies follow the long-established pattern of espionage-motivated network compromises. Most incidents begin with e-mail messages disguised as legitimate communications, as follows:

  • The victim receives an e-mail with an attached file that resembles a document, such as a DOC or RTF, with workplace-specific content like lists of defense officials. In some cases the attachment is a real document; otherwise it is an executable file given a document icon and a misleading extension.
  • Opening the file, if it is a document, triggers an exploit (usually for a recently disclosed vulnerability) that runs a loader for a backdoor Trojan. If it is an EXE, it proceeds to the same installation more directly, but hides the activity by launching a visually distracting decoy document.
  • The final payload is generally a backdoor Trojan that provides file download and upload and system command execution, à la the Elise malware. The Lotus Blossom APT's backdoor Trojans tend to be custom-made rather than modifications of third-party tools.
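The disguises described in the chain above can be checked mechanically before anyone double-clicks an attachment. The Python below is an added example written for this page, not code from the article or from the threat actor's tooling: it sniffs an attachment's real format from its leading bytes, compares that with the extension it claims, and flags double extensions and the Unicode right-to-left override that makes a name ending in "cod.exe" display as ending in "exe.doc". The file names and byte strings are constructed samples, not real Lotus Blossom artifacts, and the RTF check is a heuristic (an embedded OLE object is a common exploit carrier in RTF, not proof of one).

```python
from __future__ import annotations

# Added example (not from the original article): triage e-mail attachments
# for executables disguised as documents. All samples below are constructed.

# Leading bytes that identify the container formats this checker knows.
MAGIC = {
    b"MZ": "exe",                                   # Windows PE executable
    b"{\\rtf": "rtf",                               # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy DOC/XLS/PPT (OLE2)
    b"PK\x03\x04": "zip",                           # DOCX/XLSX/PPTX are ZIP containers
    b"%PDF": "pdf",
}

# What a document extension should contain if the file is what it claims to be.
DOC_EXTENSIONS = {"doc": "ole", "xls": "ole", "ppt": "ole",
                  "docx": "zip", "xlsx": "zip", "pptx": "zip",
                  "rtf": "rtf", "pdf": "pdf"}

# Extensions Windows will execute on double-click.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "cpl", "bat", "cmd"}

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE


def sniff(data: bytes) -> str:
    """Return the format implied by the file's leading bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def displayed_name(filename: str) -> str:
    """Render the name the way a file manager draws it: everything after an
    RLO character is shown reversed, so a name that really ends in
    RLO + 'cod.exe' appears to end in 'exe.doc'."""
    i = filename.find(RLO)
    if i < 0:
        return filename
    return filename[:i] + filename[i + 1:][::-1]


def triage(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if RLO in filename:
        findings.append("rlo-override")            # the displayed extension is a lie
    parts = filename.replace(RLO, "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DOC_EXTENSIONS and ext in EXEC_EXTENSIONS:
        findings.append("double-extension")        # List.doc.exe looks like List.doc when extensions are hidden
    if ext in EXEC_EXTENSIONS:
        findings.append("executable-attachment")
    kind = sniff(data)
    if ext in DOC_EXTENSIONS:
        if kind == "exe":
            findings.append("executable-masquerading-as-document")
        elif kind not in ("unknown", DOC_EXTENSIONS[ext]):
            findings.append(f"content-mismatch:{ext}-is-{kind}")
    if kind == "rtf" and b"\\objdata" in data:
        findings.append("rtf-embedded-object")     # heuristic: OLE object embedded in RTF
    return findings


# Constructed samples (not real malware) exercising each check.
SAMPLES = {
    "Defense_Staff_List.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Report\u202ecod.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Employee_List.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "Memo.doc": b"MZ\x90\x00" + b"\x00" * 60,
    "Budget.docx": b"PK\x03\x04" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{displayed_name(name)!r:32} -> {triage(name, blob) or 'clean'}")
```

Running the block prints one line per sample; only "Budget.docx" comes back clean. A mail gateway or endpoint script would apply the same checks to every attachment and quarantine anything with a non-empty finding list, which is exactly the class of file that relies on a hidden or reversed extension to get opened.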

From that point, the Lotus Blossom APT uses its Trojan for monitoring the PC, expanding control to other targets – like the rest of the network or a valuable employee contact – and exfiltrating intelligence such as passwords and files.

The Simplest of Pesticides for the Lotus Blossom APT

Some precautions will help users avoid inadvertently falling into the phishing traps that threat actors like the Lotus Blossom APT use as a matter of routine. Enabling visible file extensions helps identify fake documents that are really executables, among other tactics. Scanning downloaded attachments offers an early chance to detect threats of various formats before any backdoor Trojan comes into play. Updates to Microsoft Word, Adobe's PDF Reader, and similar applications patch many, if not all, of the vulnerabilities available to attackers. In most scenarios, users also can avoid attacks simply by not clicking through the macro or 'Enable Content' prompt.

A Lotus Blossom APT compromise is a threat to all network-connected systems and removable devices, along with the user's contacts. Disabling network connections, detaching devices like USB drives, and changing passwords (from a machine known to be clean) help limit the propagation of the threat actor's Trojan utilities. While the Lotus Blossom APT uses Windows-specific backdoor Trojans, it may supplement them with secondary tools for other environments.

Anti-malware products from a trusted vendor are, as always, the recommendation for disinfecting systems and removing any software associated with the Lotus Blossom APT after an infection.

Despite its poetic name, there is nothing beautiful about the Lotus Blossom APT's operations, except perhaps as an example of a threat actor with technically advanced ways of avoiding detection. With anti-virtual-machine techniques shielding their payloads from sandbox analysis, these are hackers that will remain a challenge for threat analysis teams over the long term.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Lotus Blossom APT may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
