Pierluigi Paganini April 03, 2019

The OceanLotus APT group, also known as APT32 or Cobalt Kitty, leverages a steganography-based loader to deliver backdoors on compromised systems.

Security researchers at Cylance discovered that the OceanLotus APT (also known as APT32 or Cobalt Kitty, group is using a loader leveraging
steganography to deliver a version of Denes backdoor and an updated version of Remy backdoor.

The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a state-sponsored hacking group.

The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“While continuing to monitor activity of the OceanLotus APT Group, BlackBerry Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file.” reads the report published by the experts.

“The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools. Once decoded, decrypted, and executed, an obfuscated loader will load one of the APT32 backdoors. Thus far, BlackBerry Cylance has observed two backdoors being used in combination with the steganography loader – a version of Denes backdoor (bearing similarities to the one described by ESET), and an updated version of Remy backdoor. “

Threat actors used a custom steganography algorithm to hide the encrypted payload within PNG images to to avoid detection.

Hackers already employed the same technique in attacks carried out in September 2018, the payload extraction procedure used by the attackers is the same.

The two loaders discovered by Cylance and used by the APT group use side-loaded DLLs and an AES128 implementation from Crypto++ library for payload decryption.

Below details of the two malware used by the APT in the attacks:

Steganography Loader #1 – Features

• Side-loaded DLL
• Loads next-stage payload using custom .png steganography
• Uses AES128 implementation from Crypto++ library for payload decryption
• Known to load Denes backdoor, might possibly be used also with other payloads

Steganography Loader #2 – Features

• Side-loaded DLL
• Anti-debugging/anti-sandboxing check for parent process name
• Loads next-stage payload using custom .png steganography
• Uses AES128 implementation from Crypto++ library for payload decryption
• Executes the payload by overwriting the return address on the stack
• Known to load an updated version of Remy backdoor

The attack chain starts with the obfuscated loader payload being decrypted and executed to load one of the two backdoors.

To make hard the analysis of the malware, backdoor DLLs are heavily obfuscated and C2 communication encrypted.

A specific C2 communication module is used to manage connections via HTTP/HTTPS channels with the command-and-control infrastructure, it also includes built-in proxy bypass functionality.

Further technical details, including Indicators of Compromise, are included in the report published by Cylance.

Pierluigi Paganini

(SecurityAffairs – OceanLotus APT, backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]