Spring Dragon APT used more than 600 Malware samples in different attacks

According to a new report published by Kaspersky Lab, the China-linked APT group Spring Dragon (aka Lotus Blossom, Elise, and Esile) has used more than 600 malware samples in its attacks over the past years.

The Spring Dragon APT group is a state-sponsored group that has been around since at least 2012, but further evidence collected by the researchers suggests that it may have been active since 2007.

The APT group focused its cyber espionage campaigns on military and government organizations in Southeast Asia.

Spring Dragon is known for spear phishing and watering hole attacks, malware researchers at Kaspersky Lab collected a large set composed of more than 600 malware samples used in different attacks.

The APT group has a huge cyber arsenal, it has been developing and updating its range of tools throughout across the years. The hackers have various backdoor modules with unique characteristics and functionalities, it manages a large Command and Control infrastructure that includes more than 200 unique IP addresses and C&C domains.

Most C&C servers used by Spring Dragon are located in Hong Kong and the United States, other servers have also been found in Germany, China and Japan.

“The large number of samples which we have managed to collect have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system. This is designed to make detection more difficult.” continues the analysis.

“All the backdoor modules in the APT’s toolset are capable of downloading more files onto the victim’s machine, uploading files to the attacker’s servers, and also executing any executable file or any command on the victim’s machine. These functionalities enable the attackers to undertake different malicious activities on the victim’s machine.”

The analysis of the malware compilation timestamps revealed that attackers might be in the GMT+8 time zone, the same of countries like China, Indonesia, Malaysia, Mongolia, Singapore, Taiwan, the Philippines and Western Australia.

Another interesting information emerged from the analysis is that the malware has been compiled by two different groups, one of which may be in Europe.

“It also suggests that either there is a second group working another shift in the same time zone or the attackers are cross-continental and there is another group, possibly in Europe. The uneven distribution of timestamps (low activity around 10am, 7-8pm UTC) suggests that the attackers didn’t change the timestamps to random or constant values and they might be real.” states the analysis.

“The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – cyber espionage, Spring Dragon APT)

[adrotate banner=”13″]