The Rapid7 post says if you have a hidden folder in “%AppData%” named Bluetooth, you got hacked. So if you don’t have said folder, you’re good.
I think it’s unlikely most people were infected, as the article makes it sound like they were focused on targeting specific individuals / organizations.
This advice is not accurate:
Their post says that the Bluetooth hidden folder in AppData was only used as the initial access vector.
After initial access, an advanced persistent backdoor they’ve named “Chrysalis” is delivered and installed via significantly obfuscated methods to minimize the chance of detection. The backdoor allows arbitrary code execution via a CMD.exe reverse shell, with additional modes for remote file write, read, and a full self-removal mechanism that attempts to delete any trace it was ever on the system.
The Indicators of Compromise section at the bottom contains a list of files you can check for on your system, and their corresponding SHA-256 values, as well as network indicators if you have logging or wish to check your DNS cache. If you have any files that match, or other indicators, then your system is/was compromised. But there is a very good chance that many systems which were compromised now have no remaining trace of the breach.
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
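The three checks the reply describes (the hidden Bluetooth folder under %AppData%, file SHA-256 values against the IoC list, and the local DNS cache against the network indicators) as one PowerShell triage script. This is an added example, not code from the Rapid7 post or from anyone in this thread. The two IoC arrays are empty placeholders: the hashes and domains are not reproduced here and must be copied from the post's Indicators of Compromise section. It assumes it is run as the affected user on Windows 10/11 so that %AppData% resolves to that user's profile and Get-DnsClientCache is available.

```powershell
# Added example, not from the Rapid7 post or this thread. Run as the user
# whose profile you want to check, so $env:APPDATA points at their Roaming folder.

# Placeholders (assumption): fill these from the post's IoC section. None are hardcoded here.
$FileHashIocs = @()   # SHA-256 strings, e.g. '0123...EF'
$DomainIocs   = @()   # hostnames / domains from the network indicators

$findings = New-Object System.Collections.Generic.List[string]

# 1. Initial-access artefact: a hidden "Bluetooth" folder directly under %AppData%.
#    Get-Item -Force returns hidden items; check the Hidden attribute explicitly
#    so a visible folder of the same name is reported differently.
$btPath = Join-Path $env:APPDATA 'Bluetooth'
$bt = Get-Item -LiteralPath $btPath -Force -ErrorAction SilentlyContinue
if ($bt -and $bt.PSIsContainer) {
    $hidden = ($bt.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $findings.Add("Folder present: $btPath (hidden=$hidden)")
    Get-ChildItem -LiteralPath $btPath -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("  contains: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
        }
}

# 2. File IoCs: hash every file under Roaming and Local AppData and compare with the
#    SHA-256 list. Scope is a trade-off; widen the roots (e.g. to C:\) if you can afford it.
if ($FileHashIocs.Count -gt 0) {
    $iocSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $FileHashIocs | ForEach-Object { [void]$iocSet.Add($_) }
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA)) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h -and $iocSet.Contains($h.Hash)) {
                    $findings.Add("Hash match: $($_.FullName) $($h.Hash)")
                }
            }
    }
}

# 3. Network IoCs: the local resolver cache. It is volatile (cleared by reboot or
#    ipconfig /flushdns), so a miss proves little; a hit is a strong signal.
if ($DomainIocs.Count -gt 0) {
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($d in $DomainIocs) {
        $cache | Where-Object { $_.Entry -like "*$d*" -or $_.RecordName -like "*$d*" } |
            ForEach-Object { $findings.Add("DNS cache hit: $($_.Entry) -> $($_.Data)") }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators found. Not proof of a clean host: the backdoor has a self-removal mode and the DNS cache is volatile."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A clean result from this script only means none of the listed artefacts are present right now. Given the self-removal mechanism the reply describes, firewall, proxy or DNS server logs from the relevant period are worth more than a live check of the host.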