Security Week on the “Lotus Blossom” cyber espionage campaign, which stretches back three years according to Palo Alto Networks research:
“The group relies on spear phishing attacks to infect its users, often using a malicious office document and decoy file containing content relevant to the target’s occupation or interests,” according to a report from Palo Alto Networks’ Unit 42 team. “The spear phishing attachment typically includes exploit code for a well-known Microsoft Office vulnerability, CVE-2012-0158, which is used to install the Trojan on the system and then display the decoy file, tricking the user into thinking the file opened correctly.”
The attackers used a backdoor Trojan named Elise, after the sports car made by Group Lotus PLC of the United Kingdom. The tool appears to be unique to the group and has evolved over time.
“A popular theme for the decoy documents was personnel rosters, largely claiming to be for specific military or government offices,” according to the research. “Another theme was the use of attractive pictures of Asian women that were sourced from the Internet. Some of the information contained in the decoys could be found on the Internet; however, it is worth noting none of the military or government themed decoys could be found. In particular, the decoys used against the Philippines were exclusively military and government themed, with the bulk purporting to be related to the Navy.”