Old group, new tricks: OceanLotus threat group continues to target East Asia

15 Mar 18

ESET researchers have been on the trail of the OceanLotus hacking group, which is known for its campaigns against targets in East Asian countries.

OceanLotus, also known as APT32 or APT C-00, is considered an Advanced Persistent Threat (APT) group, thought to be based in Vietnam.

It frequently targets government and organization networks across Vietnam, the Philippines, Laos and Cambodia.

Last year the OceanLotus group conducted Operation Cobalt Kitty, an attack that targeted the top-level management of an Asia-based firm. Their goal was to steal proprietary business information, ESET researchers say.

"OceanLotus' activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET's research has brought to light the true extent of its intended activities," comments ESET's security intelligence team lead Alexis Dorais-Joncas.

"Multiple layers of in-memory operations and a side-loading technique are used to execute OceanLotus' latest full-featured backdoor," researchers add.

The group’s distribution methods for backdoor installation include using a decoy document sent to a particular person of interest, usually via email.

The attached document is password-protected; however, researchers say it is unclear whether a password is actually supplied to the recipient or whether the documents are simply not meant to open at all.

Some of the document names include Chi tiet don khieu nai gui saigontel.exe, which translates from Vietnamese to “Details of the complaint sent to Saigontel”. Saigontel is a telecommunication company in Vietnam.

Another document is called CV_LeHoangThing.doc.exe. Fake résumé (CV) documents were also seen in Canada.
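The lure names above share a simple trick: an executable dressed up as a document, either through a double extension such as `.doc.exe` or through a document-like title on a plain `.exe`. The following is an added example for mail-gateway or triage scripting, not code from ESET or from the article; the attachment names are constructed, modelled on the ones the article quotes, and the right-to-left-override and padded-whitespace checks go beyond the page to two related masquerading tricks the same screen should catch.

```python
"""
Flag attachment file names that try to look like documents but would run
as programs. Added example, not ESET's or the article's code; input is a
constructed list of names, no mailbox is read.
"""
import re
from typing import Dict, List, Optional

# Extensions a recipient expects to open as a document.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
# Extensions Windows will execute on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}

# Unicode right-to-left override: makes "invoice\u202exe.doc" render as "invoicecod.exe".
RLO = "\u202e"
# Many spaces before the real extension push it off-screen in mail clients.
PADDED_EXT = re.compile(r"\s{5,}\.[A-Za-z0-9]{1,5}$")


def split_extensions(name: str) -> List[str]:
    """All extensions in the file name, lower-cased, outermost last."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(name: str) -> Optional[str]:
    """Return a short reason if the name is suspicious, else None."""
    if RLO in name:
        return "right-to-left override character in file name"
    if PADDED_EXT.search(name):
        return "long whitespace run before extension"
    exts = split_extensions(name)
    if not exts:
        return None
    outer = exts[-1]
    if outer not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return f"document extension .{exts[-2]} hiding executable .{outer}"
    # A bare executable with a document-style title (e.g. a complaint letter
    # or a resume) is still worth a look, even without a fake inner extension.
    return f"executable attachment (.{outer})"


def scan_attachments(names: List[str]) -> Dict[str, str]:
    """Map each suspicious name to the reason it was flagged."""
    findings = {}
    for name in names:
        reason = classify_attachment(name)
        if reason:
            findings[name] = reason
    return findings


# Constructed sample, modelled on the names the article mentions.
SAMPLE_ATTACHMENTS = [
    "CV_LeHoangThing.doc.exe",
    "Chi tiet don khieu nai gui saigontel.exe",
    "quarterly_report.docx",
    "RobototFontUpdate.exe",
    "contract.pdf                    .exe",
]

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {reason}")
```

The check deliberately keys on the outermost extension only, because that is what the operating system acts on; the inner `.doc` or `.pdf` is there purely to mislead the reader, which is why it is reported as the reason rather than treated as the file type.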

Other methods for backdoor distribution include fake installers that claim to be updates or installers for popular software.

One was a repackaged Firefox installer. Another, titled RobototFontUpdate.exe, was likely distributed through compromised websites to deliver the backdoor components.

The OceanLotus group is also highly adept at disguising its attacks: it still convinces users to execute the backdoor, while slowing down analysis of the malware and avoiding detection.

According to ESET, the group limits malware distribution and also uses several different servers to avoid attracting attention to a single domain or IP address.

Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application, researchers explain.

“The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” they conclude.
