Old group, new tricks: OceanLotus threat group continues to target East Asia

15 Mar 18

ESET researchers have been on the trail of cyber hacking group OceanLotus, a group known for its campaigns creating havoc in Eastern Asia countries.

OceanLotus, also known as APT32 or APT C-00, is considered an Advanced Persistent Threat (APT) group, thought to be based in Vietnam.

It frequently targets government and organization networks across Vietnam, the Philippines, Laos and Cambodia.

Last year the OceanLotus group conducted Operation Cobalt Kitty, an attack that targeted top-level management of an Asian-based firm. Their goal was to steal proprietary business information, ESET researchers say.

"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites," comments ESET’s security intelligence team lead Alexis Dorais-Joncas.

“Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor,” researchers add.

The group’s distribution methods for backdoor installation include using a decoy document sent to a particular person of interest, usually via email.

The attached document is password-protected however researchers say it is unclear whether there is actually a password available or if the documents are not meant to work.

Some of the document names include Chi tiet don khieu nai gui saigontel.exe, which translates from Vietnamese to “Details of the complaint sent to Saigontel”. Saigontel is a telecommunication company in Vietnam.

Another document is called CV_LeHoangThing.doc.exe. Fake résumé (CV) documents were also seen in Canada.

Other methods for backdoor distribution include fake installers that claim to be updates or installers for popular software.

One such installer involved a repackaged Firefox installer. Another installer, titled RobototFontUpdate.exe, was likely distributed through compromised websites to deliver the backdoor components.

The OceanLotus group is also highly adept at disguising its attacks and still convinces users to execute the backdoor, slow down its analysis and avoid detection.

According to ESET, the group limits malware distribution and also uses several different servers to avoid attracting attention to a single domain or IP address.

Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application, researchers explain.

“The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” they conclude.

Share on: LinkedIn Twitter Facebook