Security researchers at Cylance discovered that the OceanLotus APT (also known as APT32 or Cobalt Kitty, group is using a loader leveraging
steganography to deliver a version of Denes backdoor and an updated version of Remy backdoor.
The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a state-sponsored hacking group.
The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
“While continuing to monitor activity of the OceanLotus APT Group, BlackBerry Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file.” reads the report published by the experts.
“The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools. Once decoded, decrypted, and executed, an obfuscated loader will load one of the APT32 backdoors. Thus far, BlackBerry Cylance has observed two backdoors being used in combination with the steganography loader – a version of Denes backdoor (bearing similarities to the one described by ESET), and an updated version of Remy backdoor. “
Threat actors used a custom steganography algorithm to hide the encrypted payload within PNG images to to avoid detection.
Hackers already employed the same technique in attacks carried out in September 2018, the payload extraction procedure used by the attackers is the same.
The two loaders discovered by Cylance and used by the APT group use side-loaded DLLs and an AES128 implementation from Crypto++ library for payload decryption.
Below details of the two malware used by the APT in the attacks:
Steganography Loader #1 – Features
Steganography Loader #2 – Features
The attack chain starts with the obfuscated loader payload being decrypted and executed to load one of the two backdoors.
To make hard the analysis of the malware, backdoor DLLs are heavily obfuscated and C2 communication encrypted.
A specific C2 communication module is used to manage connections via HTTP/HTTPS channels with the command-and-control infrastructure, it also includes built-in proxy bypass functionality.
Further technical details, including Indicators of Compromise, are included in the report published by Cylance.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – OceanLotus APT, backdoor)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.