U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

OceanLotus APT is very active, it used new Backdoor in recent campaigns

The OceanLotus APT group, also known as APT32 and APT-C-00, has been using a new backdoor in recently observed attacks. The OceanLotus Group has been active since at least 2013, according to the experts it is a state-sponsored hacking group linked to Vietnam, most of them in Vietnam, the Philippines, Laos, and Cambodia. The hackers targeting […]

OceanLotus backdoor

The OceanLotus APT group, also known as APT32 and APT-C-00, has been using a new backdoor in recently observed attacks.

The OceanLotus Group has been active since at least 2013, according to the experts it is a state-sponsored hacking group linked to Vietnam, most of them in Vietnam, the Philippines, Laos, and Cambodia.

The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.

Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape, Volexity researchers compared the APT with the dreaded s Russia-linked Turla APT.

The group is well-resourced, it continues to use along with old techniques.

“A great deal of research about this group was published last year, including
papers such as those from CyberReason, a lengthy global view from FireEye and the watering-hole explanation from Volexity. We see that this group keeps updating their backdoors, infrastructure, and infection vectors.” reads the analysis published by ESET.

“OceanLotus continues its activity particularly targeting company and government networks in East-Asian countries. A few months ago, we discovered and analyzed one of their latest backdoors. Several tricks are being used to convince the user to execute the backdoor, to slow down its analysis and to avoid detection.”

The threat actors started adopting a new backdoor that provides them with remote access and full control on the infected systems.

OceanLotus’s attack is carried on in two stages, in the first phase the hackers leverage a dropper, delivered via spear-phishing messages, to gain the initial foothold on the targeted system, then the malicious code prepares the stage for the backdoor.

“Over the past few months, a number of decoy documents have been used. One of them was a fake TrueType font updater for the Roboto Slab regular font. This choice of font seems a bit odd since it does not support a lot of East-Asian languages.” reads the analysis.

“When executed, this binary decrypts its resource (XOR with a 128-byte, hardcoded key) and decompresses the decrypted data (LZMA). The legitimate RobotoSlab-Regular.ttf file is written into the %temp% folder and run via Win32 API function ShellExecute.

The shellcode decrypted from the resource is executed. After its execution, the fake font updater drops another application whose sole purpose is to delete the dropper. This “eraser” application is dropped as %temp%\[0-9].tmp.exe.”

OceanLotus backdoor

Attackers also powered watering hole attacks using fake installers posing as updates for popular applications.

One of the installers used by the APT is the repackaged Firefox installer described by 360 Labs on Freebuf (Chinese language).

Researchers noticed that attackers’ dropper package includes several components, the whole process of installation and execution relies heavily on multiple layers of obfuscation to prevent detection. The dropper also included garbage code to avoid being detected and code designed to delete the bait document.

The dropper gain persistence by creating a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges.

The backdoor is able to execute tens of commands, including fingerprint the system, create a process, call the PE Loader, drop and execute a program and run shellcode in a new thread.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address.” concludes ESET.

“The encryption of the payload, together with the side-loading technique – despite
its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – OceanLotus , APT)

[adrotate banner=”5″]

[adrotate banner=”13″]