Story image

Old group, new tricks: OceanLotus threat group continues to target East Asia

15 Mar 2018

ESET researchers have been on the trail of cyber hacking group OceanLotus, a group known for its campaigns creating havoc in Eastern Asia countries.

OceanLotus, also known as APT32 or APT C-00, is considered an Advanced Persistent Threat (APT) group, thought to be based in Vietnam.

It frequently targets government and organization networks across Vietnam, the Philippines, Laos and Cambodia.

Last year the OceanLotus group conducted Operation Cobalt Kitty, an attack that targeted top-level management of an Asian-based firm. Their goal was to steal proprietary business information, ESET researchers say.

"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites," comments ESET’s security intelligence team lead Alexis Dorais-Joncas.

“Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor,” researchers add.

The group’s distribution methods for backdoor installation include using a decoy document sent to a particular person of interest, usually via email.

The attached document is password-protected however researchers say it is unclear whether there is actually a password available or if the documents are not meant to work.

Some of the document names include Chi tiet don khieu nai gui saigontel.exe, which translates from Vietnamese to “Details of the complaint sent to Saigontel”. Saigontel is a telecommunication company in Vietnam.

Another document is called CV_LeHoangThing.doc.exe. Fake résumé (CV) documents were also seen in Canada.

Other methods for backdoor distribution include fake installers that claim to be updates or installers for popular software.

One such installer involved a repackaged Firefox installer. Another installer, titled RobototFontUpdate.exe, was likely distributed through compromised websites to deliver the backdoor components.

The OceanLotus group is also highly adept at disguising its attacks and still convinces users to execute the backdoor, slow down its analysis and avoid detection.

According to ESET, the group limits malware distribution and also uses several different servers to avoid attracting attention to a single domain or IP address.

Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application, researchers explain.

“The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” they conclude.

Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Why AI and behaviour analytics should be essential to enterprises
Cyber threats continue to increase in number and severity, prompting cybersecurity experts to seek new ways to stop malicious actors.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
65% of manufacturers run outdated operating systems – Trend Micro
The report highlights the unique triple threat facing manufacturing, including the risks associated with IT, OT and IP.