OceanLotus Continues With Its Cyber Espionage Operations

OceanLotus APT group, also known as APT3, Cobalt Kitty, APT-C-00, SeaLotus, Ocean Buffalo, POND LOACH and TIN WOODLAWN, has been active since at least 2014. This threat actor extensively uses the watering-hole attack for compromising social engineering websites to deliver malware payloads. It carries out cyber espionage activities that targets organizations of interest to the Vietnamese Government. In the recent past, the OceanLotus APT group has had strong focus on South East Asian countries like the Philippines, Laos and Cambodia.

The compromised websites have functionalities like profiling users, redirecting to exploit landing page, and are being leveraged to serve malware payloads for Windows and OSX. As per open source intelligence, it was observed that the OceanLotus APT group has leveraged multiple fake news websites to target users.

In this post we will shed light on one of the latest campaigns of the threat actor with suspected ties to the Vietnamese Government. Cyble discovered that the OceanLotus APT group used an RAR archive named โ€œAdobe_Flash_Install.rarโ€ to pretend to be an adobe installation, followed by the silent execution of malware payload. The figure below shows the contents of archive file.

Further research revealed that the threat actor group has used cloud storage like Google Drive to host malware payload files. The Hook diagram below shows that malware payload file is hosted on the dropbox link โ€œhxxps://www.dropbox[.]com/s/puhwqhjcvn2xuum/Adobe_Flash_Install[.]rar?dl=1″.

Technical Analysis:

As discussed above, the RAR file contains Adobe_Flash_Install.exe and goopdate.dll. The file named โ€œAdobe_Flash_Install.exeโ€ is a legitimate Google update utility used in the side-loading of the malicious dynamic link library named โ€œgoopdate.dllโ€ from the attacker. The version information of file provides more insight about the Installer, as shown in the figure below.

Upon execution, the installer side-loads and executes the attacker DLL through the search order hijacking method. The process explorer figure below clearly shows the DLL loaded by a legitimate Google Update utility.

The attacker DLL is heavily packed using custom packer as seen in the Hex view of Entry point bytes and data section as depicted in the image below.

The obfuscated attacker DLL is responsible for loading and executing the Cobalt Strike stager into the memory, followed by its execution. This DLL contains several configuration strings encoded with a simple xor encryption, and these strings include C2 url , browser information and cookie detail etc,.

At the time of our analysis, we observed that the Cobalt Strike stager tries to download and execute a shellcode from a remote server that has links to the URL โ€œsummerevent.webhop[.]net/f2JZโ€. The debugger image attached below shows the hardcoded C2 domain that is decoded during the runtime.

The payload file has interesting functionalities like the capturing of victim system information as in the debugger view below.

The network capture depicts multiple connection requests to the attacker C2 server (summerevent.webhop[.]net) as showcased in the Wireshark image below.

Conclusion:

The OceanLotus APT group, a threat actor with suspected ties to the Vietnamese Government, continuously evolves with enriched Tactics, Techniques and Procedures (TTPโ€™s) as it seeks to target outside of standard spear phishing and leveraging of compromised websites. The threat actor has now created its own fake website to deliver payload, which is a clear indication of its inclination towards organized cyberattacks.

The Cyble Research team is continuously monitoring to harvest the threat indicators/TTPโ€™s of emerging APTโ€™s in the wild to ensure that targeted organizations are well informed and proactively protected.

Indicators of Compromise(IOCโ€™s):

File hashes (SHA- 256) :

230ac0808fde525306d6e55d389849f67fc328968c433a5053d676d688032e6f- Adobe_Flash_Install.rar

7fd58fa4c9f24114c08b3265d30be5aa8f6519ebd2310cc6956eda6c6e6f56f0 โ€“ Flash_Adobe_Install.exe(legit Googleโ€™s Update utility)

69061e33acb7587d773d05000390f9101f71dfd6eed7973b551594eaf3f04193-goopdate.dll(BackDoor.Meterpreter)

cbca9a92a6aa067ff4cab8f1d34ec49ffc9a06c90881f48da369c973182ce06d-  Backdoor:Win32/CobaltStrike

URLs:  

summerevent.webhop[.]net/f2JZ

About Cyble

Cybleโ€ฏis a globalโ€ฏthreat intelligenceโ€ฏSaaSโ€ฏprovider that helps enterprises protect themselvesโ€ฏfrom cybercrimesโ€ฏandโ€ฏexposure in theโ€ฏdarkweb.โ€ฏCybleโ€™s prime focusโ€ฏis to provide organizations with real-time visibility into their digital riskโ€ฏfootprint.โ€ฏBacked by Y Combinator as part of the 2021 winter cohort,โ€ฏCybleโ€ฏhasโ€ฏalsoโ€ฏbeen recognized by Forbes as one of the top 20 Best Cybersecurityโ€ฏStartupsโ€ฏTo Watch In 2020.โ€ฏHeadquartered inโ€ฏAlpharetta, Georgia,โ€ฏand withโ€ฏoffices inโ€ฏAustralia, Singapore, andโ€ฏIndia,โ€ฏCybleโ€ฏhas a global presence.โ€ฏTo learn more aboutโ€ฏCyble, visitโ€ฏwww.cyble.io.โ€ฏโ€ฏโ€ฏย 

Scroll to Top