Espionage group uses cybersecurity conference invite as a lure

A cyber espionage group that has been targeting organizations in Southeast Asia for years is misusing a legitimate conference invite as a phishing lure to trigger the download of backdoor malware.

Decoy document - conference invite phishing lure

The APT in question is Lotus Blossom, and the security conference is Palo Alto Networks’ CyberSecurity Summit that is scheduled to take place in Jakarta, Indonesia, on November 3.

About Lotus Blossom

Lotus Blossom is a group that has been operating at least since 2009, and possibly even earlier. Their predilection for spear-phishing emails with an ever-changing array of lures is well-known. They usually deliver custom Trojan backdoors (Elise, Emissary) to the target system.

Over the years, the group has been linked to a variety of targets in Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia.

The effectiveness of their approach is evident – they wouldn’t continue using spear-phishing emails if they didn’t work.

About the newest campaign

“Palo Alto Networks hosts cyber security summits all over the world, and in many cases we send invitations via email to individuals we believe would be interested in attending,” Palo Alto Networks’ researchers Robert Falcone explained.

It’s possible and likely that the Lotus Blossom team had access to an inbox that received the invite via email, or that they received the email themselves.

They took a screenshot of the image in the legitimate invite’s message body, a screenshot of the summit’s agenda, and combined the two images into a decoy Word document named [FREE INVITATIONS] CyberSecurity Summit.doc.

The researchers weren’t able to get a look at the attack emails, but believe the document is delivered as an attachment. Once opened, it shows the decoy Word document while attempting to exploit an old MS Office vulnerability (CVE-2012-0158) to deliver the backdoor Trojan in the background.

By analyzing the decoy document, the researchers discovered some things about the system on which the attackers created it.

“The threat actor is running Windows localized for Chinese users, which suggests the actor’s primary language is Chinese. The ‘CH’ icon in the Windows tray shows that the built-in Windows input method editor (IME) is currently set to Chinese,” Falcone shared.

“Also, the screenshot shows a popular application in China called Sogou Pinyin, which is an IME that allows a user to type Chinese characters using Pinyin. Pinyin is critical to be able to type Chinese characters using a standard Latin alphabet keyboard, further suggesting the threat actor speaks Chinese.”

At the moment, it’s impossible to known how effective this spear-phishing campaign was, but Palo Alto Networks has temporarily suspended the sending of email invites for the summit.

They also advised recipients of previous and future related emails to scrutinize them to determine if they were sent by the Lotus Blossom threat actors.