{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/lotus-blossom/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lotus Blossom"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tiny C Compiler"],"_cs_severities":["high"],"_cs_tags":["tinycc","shellcode","svchost","lotus-blossom","chrysalis","t1059.003","t1027"],"_cs_type":"threat","_cs_vendors":["TinyCC"],"content_html":"\u003cp\u003eThe Lotus Blossom threat actor has been observed using a technique involving the Tiny C Compiler (TinyCC) to execute shellcode on compromised systems.  This technique involves renaming the legitimate \u003ccode\u003etcc.exe\u003c/code\u003e binary to \u003ccode\u003esvchost.exe\u003c/code\u003e to masquerade as a legitimate Windows process. The renamed compiler is then used to compile and execute C source files containing malicious shellcode. A key aspect of this attack is the use of the \u003ccode\u003e-nostdlib\u003c/code\u003e and \u003ccode\u003e-run\u003c/code\u003e flags when invoking the renamed \u003ccode\u003etcc.exe\u003c/code\u003e.  This behavior was specifically observed in the Chrysalis backdoor campaign, where the attackers executed \u003ccode\u003econf.c\u003c/code\u003e containing Metasploit block_api shellcode.  This technique allows attackers to bypass traditional security measures by leveraging a legitimate tool in an unexpected way and from unusual locations. The ability of TinyCC to compile and execute code on-the-fly makes it an attractive tool for attackers seeking to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (details not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker drops the Tiny C Compiler (tcc.exe) onto the compromised system, typically in a user-writable directory like AppData or Temp.\u003c/li\u003e\n\u003cli\u003eThe attacker renames \u003ccode\u003etcc.exe\u003c/code\u003e to \u003ccode\u003esvchost.exe\u003c/code\u003e to masquerade as a legitimate Windows process. This helps evade detection based on process names.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a C source file (e.g., \u003ccode\u003econf.c\u003c/code\u003e) containing malicious shellcode onto the system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed \u003ccode\u003esvchost.exe\u003c/code\u003e (originally tcc.exe) to compile and execute the C source file containing the shellcode. The command line includes the flags \u003ccode\u003e-nostdlib\u003c/code\u003e and \u003ccode\u003e-run\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shellcode executes, performing malicious actions such as establishing a reverse shell, downloading additional payloads, or injecting into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established foothold to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, deploying ransomware, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system. This can lead to data theft, system compromise, and further propagation within the network.  The Lotus Blossom group has used this technique to install the Chrysalis backdoor. The number of victims and the sectors targeted by this specific campaign are not detailed in the provided source, but the technique is a significant threat to organizations due to its potential for stealth and impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) and ensure command-line arguments are captured, to enable the rules above.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for processes named \u003ccode\u003esvchost.exe\u003c/code\u003e that are not located in the standard Windows system directories (\u003ccode\u003eC:\\\\Windows\\\\System32\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\\\\\u003c/code\u003e), as these are indicative of the renamed TinyCC binary based on the provided data and the detection logic.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003esvchost.exe\u003c/code\u003e or \u003ccode\u003etcc.exe\u003c/code\u003e processes executing with the \u003ccode\u003e-nostdlib\u003c/code\u003e and \u003ccode\u003e-run\u003c/code\u003e flags, especially when compiling \u003ccode\u003e.c\u003c/code\u003e files, using the detection logic in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of binaries from user-writable directories, mitigating the initial execution of the renamed compiler.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-tinycc-shellcode/","summary":"Attackers rename TinyCC (tcc.exe) to svchost.exe and use it to compile and execute C source files containing shellcode, using the `-nostdlib` and `-run` flags, as observed in the Lotus Blossom Chrysalis backdoor campaign, indicating potential evasion and malicious code execution.","title":"TinyCC Masquerading as Svchost for Shellcode Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-09-tinycc-shellcode/"},{"_cs_actors":["Lotus Blossom"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["persistence","defense-evasion","windows","anomaly"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the anomalous installation of a Windows service named \u0026quot;BluetoothService\u0026quot; from user-writable directories. The Lotus Blossom group used this technique in their Chrysalis backdoor campaign, creating a service that pointed to a malicious binary disguised as the Bitdefender Submission Wizard, located within a hidden AppData directory. This method bypasses standard security measures by mimicking legitimate service installation procedures but placing the malicious service executable in an unexpected location. Legitimate Bluetooth services in Windows are system services with binaries located in System32, making user-directory installations highly suspicious. Monitoring for this activity can help identify potential malware persistence mechanisms. This technique is used for persistence and defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (potentially through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable, masquerading as a legitimate application (e.g., renaming a binary to resemble a Bitdefender tool).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new Windows service named \u0026quot;BluetoothService\u0026quot; (or \u0026quot;Bluetooth Service\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;ImagePath\u0026quot; of this service is set to point to the malicious executable located in a user-writable directory (e.g., %AppData%, %ProgramData%, %Temp%, or a user-specific Bluetooth folder).\u003c/li\u003e\n\u003cli\u003eThe service is configured to start automatically, ensuring persistence across reboots.\u003c/li\u003e\n\u003cli\u003eWhen the system starts, the malicious \u0026quot;BluetoothService\u0026quot; executes the attacker's code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the service to establish a backdoor for remote access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistence on the compromised system, enabling them to maintain unauthorized access even after reboots. This can lead to data theft, system compromise, and further propagation of the attack within the network. The Lotus Blossom group has historically targeted organizations in the aerospace, defense, and high-tech sectors, and similar campaigns could result in significant intellectual property loss and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Windows Event Log (Event ID 7045) for service creation events, focusing on services named \u0026quot;BluetoothService\u0026quot; or \u0026quot;Bluetooth Service\u0026quot; (data_source).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the creation of \u0026quot;BluetoothService\u0026quot; with an \u0026quot;ImagePath\u0026quot; pointing to user-writable directories (%AppData%, %ProgramData%, %Temp%, %Users%*\\Bluetooth) (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u0026quot;BluetoothService\u0026quot; being created from unusual locations, comparing the binary against known good software (rules).\u003c/li\u003e\n\u003cli\u003eReview and harden endpoint security configurations to prevent unauthorized service creation in user-writable directories (T1543.003).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of running executables from untrusted sources and the dangers of social engineering tactics (T1036).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-bluetooth-service-anomaly/","summary":"The creation of a Windows service named 'BluetoothService' with a binary path in user-writable directories, such as %AppData%, indicates potential malware persistence, as seen in the Lotus Blossom Chrysalis backdoor campaign.","title":"Suspicious Bluetooth Service Installation from Uncommon Location","url":"https://feed.craftedsignal.io/briefs/2024-01-bluetooth-service-anomaly/"},{"_cs_actors":["Lotus Blossom"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Bitdefender Submission Wizard"],"_cs_severities":["high"],"_cs_tags":["rundll32","dll-sideloading","lotus-blossom","chrysalis-backdoor"],"_cs_type":"threat","_cs_vendors":["Microsoft","Bitdefender"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of \u003ccode\u003erundll32.exe\u003c/code\u003e to execute malicious DLLs, specifically \u003ccode\u003elog.dll\u003c/code\u003e, a technique associated with the Lotus Blossom group's Chrysalis backdoor. The attacker places a rogue \u003ccode\u003elog.dll\u003c/code\u003e in a location such as \u003ccode\u003e%AppData%\\Bluetooth\u003c/code\u003e and leverages \u003ccode\u003erundll32.exe\u003c/code\u003e to invoke a specific function within the DLL (e.g., \u003ccode\u003eLogInit\u003c/code\u003e). This execution decrypts and runs shellcode. While some legitimate applications like the Bitdefender Submission Wizard also use \u003ccode\u003elog.dll\u003c/code\u003e, they are susceptible to DLL sideloading attacks, making this detection crucial for identifying malicious activity that bypasses traditional defenses. This campaign was first reported in 2026 and continues to be a relevant threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, often through social engineering or exploiting software vulnerabilities (not specified in source).\u003c/li\u003e\n\u003cli\u003eA malicious \u003ccode\u003elog.dll\u003c/code\u003e is placed in a writable directory, such as \u003ccode\u003e%AppData%\\Bluetooth\u003c/code\u003e, mimicking a legitimate DLL location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the malicious \u003ccode\u003elog.dll\u003c/code\u003e with a specific function call (e.g., \u003ccode\u003erundll32.exe log.dll,LogInit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRundll32.exe\u003c/code\u003e loads and executes the \u003ccode\u003elog.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLogInit\u003c/code\u003e function in \u003ccode\u003elog.dll\u003c/code\u003e decrypts embedded shellcode.\u003c/li\u003e\n\u003cli\u003eThe shellcode is injected into a legitimate process or executed directly, establishing persistence or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe injected shellcode connects to a command-and-control (C2) server to download additional payloads or receive instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the compromised system, such as data exfiltration, lateral movement, or installing additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and the installation of persistent backdoors. The Lotus Blossom group has been known to target organizations across various sectors. The ability to bypass traditional security measures through DLL sideloading makes this a high-impact threat. Even legitimate software can become an attack vector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRundll32 Execution with Log.DLL\u003c/code\u003e to detect malicious \u003ccode\u003erundll32.exe\u003c/code\u003e executions using \u003ccode\u003elog.dll\u003c/code\u003e (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003erundll32.exe\u003c/code\u003e process executions with \u003ccode\u003elog.dll\u003c/code\u003e as a command-line argument, especially when originating from unusual paths (Sigma rule \u003ccode\u003eRundll32 Execution with Log.DLL\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious file creations or modifications in \u003ccode\u003e%AppData%\\Bluetooth\u003c/code\u003e or other common DLL sideloading locations (logsource: file_event).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003erundll32.exe\u003c/code\u003e from untrusted locations.\u003c/li\u003e\n\u003cli\u003eAudit systems for DLL sideloading vulnerabilities in legitimate applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-logdll/","summary":"Detects the execution of rundll32 with 'log.dll' as a command-line argument, indicative of Lotus Blossom Chrysalis backdoor activity and DLL sideloading attempts.","title":"Rundll32 Execution with Log.DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-logdll/"},{"_cs_actors":["Lotus Blossom"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bitdefender Submission Wizard"],"_cs_severities":["high"],"_cs_tags":["dll-sideloading","persistence","privilege-escalation","lotus-blossom","sysmon"],"_cs_type":"threat","_cs_vendors":["Bitdefender"],"content_html":"\u003cp\u003eThis threat brief addresses the potential DLL side-loading attack targeting Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe). The attack involves a malicious actor placing a rogue log.dll in a directory where the legitimate Bitdefender executable will load it, thus executing attacker-controlled code. This technique is associated with the Lotus Blossom group (G0065). The observed activity relies on exploiting the DLL search order to execute arbitrary code. Defenders should monitor for instances of BDSubmit.exe, bdsw.exe, or BluetoothService.exe loading log.dll from unexpected paths outside of standard installation directories such as \u0026quot;Program Files\u0026quot; or \u0026quot;Windows\\System32\u0026quot;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (method unspecified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable executable, such as BDSubmit.exe or bdsw.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious log.dll.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious log.dll in the same directory as the Bitdefender executable, or in a directory that takes precedence in the DLL search order.\u003c/li\u003e\n\u003cli\u003eA user executes the legitimate Bitdefender Submission Wizard executable (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe).\u003c/li\u003e\n\u003cli\u003eThe legitimate application attempts to load log.dll. Due to DLL side-loading, the malicious log.dll is loaded instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003eThe malicious log.dll executes attacker-controlled code within the context of the Bitdefender Submission Wizard process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution for persistence or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through DLL side-loading allows attackers to execute arbitrary code within a trusted process. This can lead to privilege escalation, persistence, and potentially complete system compromise. Specific impacts include unauthorized access to sensitive data, installation of malware, and lateral movement within the network. The Lotus Blossom group has been known to use similar techniques to deploy backdoors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon ImageLoad events (EventCode 7) to monitor DLL loading activity and ensure the Splunk Add-on for Sysmon is configured to parse them as described in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Bitdefender Submission Wizard DLL Sideloading\u0026quot; to detect instances where log.dll is loaded from a non-standard path, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided detection rule, focusing on the \u0026quot;dest\u0026quot; and \u0026quot;User\u0026quot; fields as described in the \u0026quot;drilldown_searches\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of BDSubmit.exe, bdsw.exe, or BluetoothService.exe from unusual locations or with unusual command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview and harden DLL search order configurations to prevent side-loading attacks (T1574.002).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-bitdefender-dll-sideloading/","summary":"Detection of potential DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) via loading a malicious log.dll from a non-standard path.","title":"Bitdefender Submission Wizard DLL Sideloading","url":"https://feed.craftedsignal.io/briefs/2024-01-02-bitdefender-dll-sideloading/"}],"language":"en","title":"CraftedSignal Threat Feed - Lotus Blossom","version":"https://jsonfeed.org/version/1.1"}