Spring Dragon targeting high profile entities around South China Sea.
Spring Dragon targeting high profile entities around South China Sea.

The Chinese speaking ATP group Spring Dragon, a.k.a., LotusBlossom, has increased attacks against high-profile organizations around the South China Sea.

Kaspersky researchers managed to collect more than 600 samples of malware from the group suggesting they are operating on a massive scale.

The group is known for using spearphishing and watering hole techniques to target governmental organizations and political parties, educational institutions, as well as companies from the telecommunications sector, according to a July 24 blog post.

Researchers said the threat actors behind the campaigns have been developing and updating their range of tools, which consists of various backdoor modules with unique characteristics and functionalities, throughout the years.

The threat actors own a large C2 infrastructure which comprises more than 200 unique IP addresses and C2 domains and all the backdoor modules in the APT's toolset are capable of downloading more files onto the victim's machine, uploading files to the attacker's servers, and also executing any executable file or any command on the victim's machine, researchers said.

"The main tools in the attackers' toolset are backdoor modules, with a customized set of command and control servers and also customized file names, service names and description for each sample," Kaspersky Senior Security Researcher Noushin Shabab told SC Media "This means that each malware sample has different detection characteristics in terms of IOCs. So the best protection mechanism is using a reliable YARA rule."

The group also uses registered domain names and used IP addresses from different geographical locations to hide their own location. Researchers traced more than 40 percent of the C2 servers used in the APT group's operations in Hong Kong followed by significant activity in the U.S., Germany, China and Japan.

Researchers estimate the malware developers are in the GMT +8 time zone assuming they work from 9 am to 5 pm and believe there is a second group working another shift in the same time zone or that the attackers are cross-continental and there is another group possibly in Europe.

"The attackers initially started with attacks on governmental organizations and political parties in Vietnam, Taiwan, Philippines and Indonesia," Shabab said. "They then gradually expanded the scope of their attacks to other countries in this region, and into other sectors like telecommunications and education." 

In 2016, the Group launched a cyberespionage campaign using fake invitations to the Palo Alto Networks Cybersecurity Summit.