
Microsoft-Signed Tooling Used in LOTUSLITE Espionage Against India's Banking Sector

Severity: High (Score: 72.5)

Sources: Gbhackers, Cybersecuritynews

Summary

A new variant of the LOTUSLITE backdoor has been deployed against India's banking sector using a Microsoft-signed developer tool. Researchers attribute this campaign to the Mustang Panda espionage group, linked to Chinese state interests. The backdoor provides remote shell access and file operations, and the focus is espionage rather than financial gain. The attack uses DLL sideloading to bypass security controls: a legitimate, Microsoft-signed executable is made to load a malicious DLL, so the trust placed in the signed binary extends to the attacker's code. This operation shows how trusted, signed software can be abused for state-sponsored cyber espionage. The full scope of the impact is still being assessed, but the targeted sector is critical to India's economy. Current mitigation strategies are not detailed in the articles. Ongoing investigations are expected to provide further insight into the attack vector and potential defenses.

Key Points

  • LOTUSLITE backdoor variant targets India's banking sector using Microsoft-signed binaries.
  • Attack method involves DLL sideloading to exploit trust in signed files.
  • Mustang Panda group, linked to Chinese state interests, is suspected in the operation.
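The sideloading pattern described above (a Microsoft-signed executable loading an attacker-supplied DLL from its own directory) is something defenders can look for in image-load telemetry. The following is an added example, not code from the articles or from any vendor: it runs a simple heuristic over constructed image-load events whose field names, paths and signer strings are assumptions, and flags a DLL that a Microsoft-signed image loads from its own directory when the DLL is unsigned or signed by someone else.

```python
"""Heuristic detection of DLL sideloading through a Microsoft-signed host binary.

Added example, not from the original articles. The event shape loosely follows
the fields of an image-load event (image, loaded module, signers) but the field
names and all sample values are constructed placeholders, not real indicators.
"""
from pathlib import PureWindowsPath

# Constructed sample events; file names and signer strings are placeholders.
EVENTS = [
    {"image": r"C:\Users\dev\tool\signed_devtool.exe", "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Users\dev\tool\helper.dll", "loaded_signer": None},           # suspicious
    {"image": r"C:\Users\dev\tool\signed_devtool.exe", "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signer": "Microsoft Windows"},  # normal
    {"image": r"C:\Program Files\Vendor\app.exe", "image_signer": "Vendor Ltd",
     "loaded": r"C:\Program Files\Vendor\plugin.dll", "loaded_signer": "Vendor Ltd"},     # not MS-signed host
]

# DLLs resolved from the Windows system directories are the expected search-order result.
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64"))


def is_microsoft_signer(signer):
    """Treat any 'Microsoft ...' subject as a Microsoft signature; None means unsigned."""
    return signer is not None and signer.lower().startswith("microsoft")


def is_sideload_candidate(event):
    """True when a Microsoft-signed image loads a non-Microsoft DLL from the image's own directory."""
    if not is_microsoft_signer(event["image_signer"]):
        return False
    image = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["loaded"])
    # PureWindowsPath comparisons are case-insensitive, so mixed-case paths still match.
    if dll.parent in SYSTEM_DIRS:
        return False
    same_dir = dll.parent == image.parent
    return same_dir and not is_microsoft_signer(event["loaded_signer"])


def find_sideloads(events):
    """Return the paths of loaded DLLs that match the sideloading heuristic."""
    return [e["loaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideloads(EVENTS):
        print("possible sideload:", hit)
```

The heuristic is deliberately narrow (same directory, non-Microsoft signer); real telemetry would also need an allowlist for legitimate unsigned plugins that signed tools ship with.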

Key Entities

  • Mustang Panda (apt_group)
  • Malware (attack_type)
  • India (country)
  • Lotuslite (malware)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1574 - Hijack Execution Flow (mitre_attack)