Abusing Windows Services for Persistence: Lotus Blossom's Sagerunex Backdoor

Abusing Windows services is a very common persistence technique. Usually adversaries just create a new service, but in some cases they may also modify an existing one, which is quieter because no new service name appears. Let's look at such an example.
Cisco Talos presented a report on an espionage activity cluster they track as Lotus Blossom. Instead of registering a new service, the threat actors use reg.exe to repoint an existing svchost-hosted service, the Telephony service (tapisrv), at their own DLL. The ServiceDll value under the service's Parameters key is overwritten so that the Sagerunex backdoor is loaded instead of the legitimate %SystemRoot%\System32\tapisrv.dll:

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f

The service is then set to auto-start (Start = 2, SERVICE_AUTO_START) so the backdoor is loaded at every boot:

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f

They operate a multi-phased attack chain beginning with Reconnaissance, collecting intelligence on their targets, mostly government, manufacturing, telecommunications and media organizations in Southeast Asia. Weaponization follows: the payload is the Sagerunex backdoor, a DLL-based Remote Access Trojan (RAT). Delivery sends the payload to target systems via phishing emails or other social engineering. Exploitation triggers execution on the target system to gain initial access. Installation places the Sagerunex backdoor on the system, typically achieving persistence through the registry changes above so that it runs as a service. Command and Control (C2) is maintained through both classic C2 servers and legitimate third-party cloud services such as Dropbox, Twitter and Zimbra to evade detection. Finally, Actions on Objectives cover long-term network access, exfiltration of sensitive information and persistent monitoring of high-value targets.

Depending on your telemetry, you can also hunt for ServiceDll value modification events (for example Sysmon Event ID 13 on HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll) as well as reg.exe process-creation events whose command line contains ServiceDll. A ServiceDll that points outside %SystemRoot%\System32, or that differs from the value on a clean reference host, deserves a close look.