ESET’s research into the group, also known as APT32 or APT C-00, has shown they are using the same tricks but now includes a new backdoor. ESET’s white paper highlights several methods being used to convince the user to execute the backdoor, slow down its analysis and avoid detection.
OceanLotus typically targets company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos and Cambodia. Last year, in an incident dubbed Operation Cobalt Kitty, the group targeted the top-level management of a global corporation based in Asia with the goal of stealing proprietary business information.
This new research has shown the group utilising several methods in a bid to trick potential victims into running malicious droppers, including double extension and fake icon applications (e.g. Word, PDF, etc). These droppers are likely to be attached to an email message although ESET have also found fake installers and software updates used to deliver the same backdoor component.
In their latest research paper, ESET shows how Oceanlotus‘ latest backdoor is able to execute its malicious payload on a system. Its process of installation relies heavily on a decoy document sent to a potential person of interest. Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor.
"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites," states Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET.
The group works to limit the distribution of their malware and use several different servers to avoid attracting attention to a single domain or IP address. Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application.
While the group have managed to some extent to remain concealed, ESET’s research has highlighted their ongoing activity and how they have altered it to remain effective. "ESET’s threat intelligence has provided conclusive data that shows this particular group has worked to continually update their toolkit and are very much still active in their malicious activities," adds Romain Dumont, ESET Malware Researcher.
To read more about ESET’s research into OceanLotus‘ activity visit https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries.
Join ESET at Facebook