WHAT’S THE STORY?
After the first attack in 2015, a new form of the Elise malware has been identified by the iDefense team in Accenture Security. The well-known threat group called DRAGONFISH—also known as Lotus Blossom—is distributing a new form of the malware targeting organizations for espionage purposes.
The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia, specifically those located in countries near the South China Sea. These attacks have mainly targeted high-profile government, military and political institutions, but other victims include those operating in the education and telecommunication industries. iDefense analysts have identified a campaign likely to be targeting members of—or those with affiliation or interest in—the ASEAN Defence Ministers’ Meeting (ADMM).
WHAT CAN YOU DO?
To mitigate the threat of the described campaign, security teams can consider blocking access to the C2 server 103.236.150[.]14 and, where applicable, ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability. For threat hunting, iDefense also suggests that analysts look for the following artefacts:
A value named IAStorD in the autorun key
A file named FXSAPIDebugLogFile.tmp
A mutex handle named donotbotherme
A file named thumbcache_1CD60.db in AppData\Local\Microsoft\Windows\Explorer\
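A single-host hunt for the artefacts above, added here as an example and not part of the iDefense bulletin. It assumes the standard Run keys for the IAStorD value, tries the mutex in both the session and Global namespaces, and searches common temp and profile directories for FXSAPIDebugLogFile.tmp because the bulletin gives no path for it.

```powershell
# Added example: hunt for the Elise/DRAGONFISH artefacts named in the bulletin.
# Assumptions not stated on the page: Run keys for the autorun value, mutex namespace,
# and the search roots for FXSAPIDebugLogFile.tmp.
$findings = @()

# 1. Autorun value named IAStorD under the usual Run keys (HKCU, HKLM, WOW6432Node).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $value = Get-ItemProperty -Path $key -Name 'IAStorD' -ErrorAction SilentlyContinue
    if ($value) { $findings += "Autorun value IAStorD in $key -> $($value.IAStorD)" }
}

# 2. Mutex named donotbotherme; an access-denied error still proves it exists.
foreach ($name in 'donotbotherme', 'Global\donotbotherme') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex present: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present in this namespace
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex present but not openable: $name"
    }
}

# 3. FXSAPIDebugLogFile.tmp in common temp/profile locations (search roots are an assumption).
$roots = $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:windir\Temp"
Get-ChildItem -Path $roots -Filter 'FXSAPIDebugLogFile.tmp' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "File present: $($_.FullName)" }

# 4. thumbcache_1CD60.db at the path the bulletin gives.
$thumb = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer\thumbcache_1CD60.db'
if (Test-Path $thumb) { $findings += "File present: $thumb" }

# 5. Live connections to the C2 address, and whether KB2553204 is installed.
Get-NetTCPConnection -RemoteAddress '103.236.150.14' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Connection to C2 from PID $($_.OwningProcess), state $($_.State)" }
if (-not (Get-HotFix -Id 'KB2553204' -ErrorAction SilentlyContinue)) {
    # A later cumulative update may supersede KB2553204; confirm against your patch inventory.
    $findings += 'KB2553204 not found (CVE-2017-11882 may be unpatched)'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Elise artefacts found on this host.' }
```

Run it in an elevated session so the HKLM keys, Global mutex namespace and other users' temp directories are readable; a hit on any item warrants triage of the host rather than proof of compromise on its own.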