Analysing the activities of hacking group OceanLotus, known for campaigns targeting eastern Asia, security researchers at ESET have followed one of the group’s latest campaign.
ESET’s research into the group, also known as APT32 or APT C-00, has shown they are using the same tricks but now includes a new backdoor and utilizing several methods aimed at convincing the user to execute the backdoor, slow down its analysis and avoid detection.
(TOP: OceanLotus exploiting backdoor depiction. Photo: WeLiveSecurity).
The group targets victims into running malicious droppers, including double extension and fake icon applications (e.g. Word, PDF, etc). These droppers are likely to be attached to an email message although ESET also found fake installers and software updates used to deliver the same backdoor component.
“Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites,” states Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET.
OceanLotus typically targets company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos and Cambodia. Last year, in an incident dubbed Operation Cobalt Kitty, the group targeted the top-level management of a global corporation based in Asia with the goal of stealing proprietary business information.
In the latest research paper, ESET shows how Oceanlotus‘ latest backdoor is able to execute its malicious payload on a system. Its process of installation relies heavily on a decoy document sent to a potential person of interest.Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor.
The group works to limit the distribution of their malware and use several different servers to avoid attracting attention to a single domain or IP address.Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application.
While the group have managed to some extent to remain concealed, ESET’s research has highlighted their ongoing activity and how they have altered it to remain effective. “ESET’s threat intelligence has provided conclusive data that shows this particular group has worked to continually update their toolkit and are very much still active in their maliciousactivities,” adds Romain Dumont, ESET Malware Researcher.