OceanLotus APT is very active, it used new Backdoor in recent campaigns

The OceanLotus APT group, also known as APT32 and APT-C-00, has been using a new backdoor in recently observed attacks.

The OceanLotus Group has been active since at least 2013, according to the experts it is a state-sponsored hacking group linked to Vietnam, most of them in Vietnam, the Philippines, Laos, and Cambodia.

The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.

Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape, Volexity researchers compared the APT with the dreaded s Russia-linked Turla APT.

The group is well-resourced, it continues to use along with old techniques.

“A great deal of research about this group was published last year, including
papers such as those from CyberReason, a lengthy global view from FireEye and the watering-hole explanation from Volexity. We see that this group keeps updating their backdoors, infrastructure, and infection vectors.” reads the analysis published by ESET.

“OceanLotus continues its activity particularly targeting company and government networks in East-Asian countries. A few months ago, we discovered and analyzed one of their latest backdoors. Several tricks are being used to convince the user to execute the backdoor, to slow down its analysis and to avoid detection.”

The threat actors started adopting a new backdoor that provides them with remote access and full control on the infected systems.

OceanLotus’s attack is carried on in two stages, in the first phase the hackers leverage a dropper, delivered via spear-phishing messages, to gain the initial foothold on the targeted system, then the malicious code prepares the stage for the backdoor.

“Over the past few months, a number of decoy documents have been used. One of them was a fake TrueType font updater for the Roboto Slab regular font. This choice of font seems a bit odd since it does not support a lot of East-Asian languages.” reads the analysis.

“When executed, this binary decrypts its resource (XOR with a 128-byte, hardcoded key) and decompresses the decrypted data (LZMA). The legitimate RobotoSlab-Regular.ttf file is written into the %temp% folder and run via Win32 API function ShellExecute.

The shellcode decrypted from the resource is executed. After its execution, the fake font updater drops another application whose sole purpose is to delete the dropper. This “eraser” application is dropped as %temp%\[0-9].tmp.exe.”

Attackers also powered watering hole attacks using fake installers posing as updates for popular applications.

One of the installers used by the APT is the repackaged Firefox installer described by 360 Labs on Freebuf (Chinese language).

Researchers noticed that attackers’ dropper package includes several components, the whole process of installation and execution relies heavily on multiple layers of obfuscation to prevent detection. The dropper also included garbage code to avoid being detected and code designed to delete the bait document.

The dropper gain persistence by creating a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges.

The backdoor is able to execute tens of commands, including fingerprint the system, create a process, call the PE Loader, drop and execute a program and run shellcode in a new thread.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address.” concludes ESET.

“The encryption of the payload, together with the side-loading technique – despite
its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – OceanLotus , APT)

[adrotate banner=”5″]

[adrotate banner=”13″]