Story image

Old group, new tricks: OceanLotus threat group continues to target East Asia

15 Mar 2018

ESET researchers have been on the trail of cyber hacking group OceanLotus, a group known for its campaigns creating havoc in Eastern Asia countries.

OceanLotus, also known as APT32 or APT C-00, is considered an Advanced Persistent Threat (APT) group, thought to be based in Vietnam.

It frequently targets government and organization networks across Vietnam, the Philippines, Laos and Cambodia.

Last year the OceanLotus group conducted Operation Cobalt Kitty, an attack that targeted top-level management of an Asian-based firm. Their goal was to steal proprietary business information, ESET researchers say.

"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites," comments ESET’s security intelligence team lead Alexis Dorais-Joncas.

“Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor,” researchers add.

The group’s distribution methods for backdoor installation include using a decoy document sent to a particular person of interest, usually via email.

The attached document is password-protected however researchers say it is unclear whether there is actually a password available or if the documents are not meant to work.

Some of the document names include Chi tiet don khieu nai gui saigontel.exe, which translates from Vietnamese to “Details of the complaint sent to Saigontel”. Saigontel is a telecommunication company in Vietnam.

Another document is called CV_LeHoangThing.doc.exe. Fake résumé (CV) documents were also seen in Canada.

Other methods for backdoor distribution include fake installers that claim to be updates or installers for popular software.

One such installer involved a repackaged Firefox installer. Another installer, titled RobototFontUpdate.exe, was likely distributed through compromised websites to deliver the backdoor components.

The OceanLotus group is also highly adept at disguising its attacks and still convinces users to execute the backdoor, slow down its analysis and avoid detection.

According to ESET, the group limits malware distribution and also uses several different servers to avoid attracting attention to a single domain or IP address.

Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application, researchers explain.

“The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” they conclude.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.