What's the story?

After the first attack in 2015, a new form of the Elise malware has been identified by the iDefense team in Accenture Security. The well-known threat group called DRAGONFISH—also known as Lotus Blossom—is distributing a new form of the malware targeting organizations for espionage purposes.

Download the Threat Analysis Technical Report [PDF]

The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia, specifically those located in countries near the South China Sea. These attacks have mainly targeted high-profile government, military and political institutions, but other victims include those operating in the education and telecommunication industries. iDefense analysts have identified a campaign likely to be targeting members of—or those with affiliation or interest in—the ASEAN Defence Ministers’ Meeting (ADMM).

What can you do?

To mitigate the threat of the described campaign, security teams can consider blocking access to the C2 server 103.236.150[.]14 and, where applicable, ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability. For threat hunting, iDefense also suggests that analysts look for the following artefacts:

  • A value named IAStorD in the autorun key
  • A file named FXSAPIDebugLogFile.tmp
  • A mutex handle named donotbotherme
  • thumbcache_1CD60.db in AppData\Local\Microsoft\Windows\Explorer\

 

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

Joshua Ray

Managing Director – Accenture Security

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog