Story image

Old group, new tricks: OceanLotus threat group continues to target East Asia

15 Mar 18

ESET researchers have been on the trail of cyber hacking group OceanLotus, a group known for its campaigns creating havoc in Eastern Asia countries.

OceanLotus, also known as APT32 or APT C-00, is considered an Advanced Persistent Threat (APT) group, thought to be based in Vietnam.

It frequently targets government and organization networks across Vietnam, the Philippines, Laos and Cambodia.

Last year the OceanLotus group conducted Operation Cobalt Kitty, an attack that targeted top-level management of an Asian-based firm. Their goal was to steal proprietary business information, ESET researchers say.

"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites," comments ESET’s security intelligence team lead Alexis Dorais-Joncas.

“Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor,” researchers add.

The group’s distribution methods for backdoor installation include using a decoy document sent to a particular person of interest, usually via email.

The attached document is password-protected however researchers say it is unclear whether there is actually a password available or if the documents are not meant to work.

Some of the document names include Chi tiet don khieu nai gui saigontel.exe, which translates from Vietnamese to “Details of the complaint sent to Saigontel”. Saigontel is a telecommunication company in Vietnam.

Another document is called CV_LeHoangThing.doc.exe. Fake résumé (CV) documents were also seen in Canada.

Other methods for backdoor distribution include fake installers that claim to be updates or installers for popular software.

One such installer involved a repackaged Firefox installer. Another installer, titled RobototFontUpdate.exe, was likely distributed through compromised websites to deliver the backdoor components.

The OceanLotus group is also highly adept at disguising its attacks and still convinces users to execute the backdoor, slow down its analysis and avoid detection.

According to ESET, the group limits malware distribution and also uses several different servers to avoid attracting attention to a single domain or IP address.

Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application, researchers explain.

“The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” they conclude.

ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.
Don’t let your network outgrow your IT team
"IT professionals spend less than half of their time at work optimising their networks and beefing it up against future security threats."
Three access management trends making waves in APAC
Consumer identity proofing, authentication, and authorisation will top the $37 billion value mark by 2023.