Analysing the activities of hacking group OceanLotus, known for campaigns targeting eastern Asia, security researchers at ESET have followed one of the group’s latest campaign.
ESET’s research into the group, also known as APT32 or APT C-00, has shown they are using the same tricks but now includes a new backdoor. ESET’s white paper highlights several methods being used to convince the user to execute the backdoor, slow down its analysis and avoid detection.
OceanLotus typically targets company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos and Cambodia. Last year, in an incident dubbed Operation Cobalt Kitty, the group targeted the top-level management of a global corporation based in Asia with the goal of stealing proprietary business information.
This new research has shown the group utilising several methods in a bid to trick potential victims into running malicious droppers, including double extension and fake icon applications (e.g. Word, PDF, etc). These droppers are likely to be attached to an email message although ESET have also found fake installers and software updates used to deliver the same backdoor component.
In their latest research paper, ESET shows how Oceanlotus‘ latest backdoor is able to execute its malicious payload on a system. Its process of installation relies heavily on a decoy document sent to a potential person of interest. Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor.
"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites,"states Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET.
The group works to limit the distribution of their malware and use several different servers to avoid attracting attention to a single domain or IP address. Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application.
While the group have managed to some extent to remain concealed, ESET’s research has highlighted their ongoing activity and how they have altered it to remain effective. "ESET’s threat intelligence has provided conclusive data that shows this particular group has worked to continually update their toolkit and are very much still active in their malicious activities," adds Romain Dumont, ESET Malware Researcher.
To read more about ESET’s research into OceanLotus‘ activity visit https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
Since 1987, has been developing security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 200 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on , and .