OceanLotus APT group, also known as APT3, Cobalt Kitty, APT-C-00, SeaLotus, Ocean Buffalo, POND LOACH and TIN WOODLAWN, has been active since at least 2014. This threat actor extensively uses the watering-hole attack for compromising social engineering websites to deliver malware payloads. It carries out cyber espionage activities that targets organizations of interest to the Vietnamese Government. In the recent past, the OceanLotus APT group has had strong focus on South East Asian countries like the Philippines, Laos and Cambodia.
The compromised websites have functionalities like profiling users, redirecting to exploit landing page, and are being leveraged to serve malware payloads for Windows and OSX. As per open source intelligence, it was observed that the OceanLotus APT group has leveraged multiple fake news websites to target users.
In this post we will shed light on one of the latest campaigns of the threat actor with suspected ties to the Vietnamese Government. Cyble discovered that the OceanLotus APT group used an RAR archive named “Adobe_Flash_Install.rar” to pretend to be an adobe installation, followed by the silent execution of malware payload. The figure below shows the contents of archive file.
Further research revealed that the threat actor group has used cloud storage like Google Drive to host malware payload files. The Hook diagram below shows that malware payload file is hosted on the dropbox link “hxxps://www.dropbox[.]com/s/puhwqhjcvn2xuum/Adobe_Flash_Install[.]rar?dl=1″.
As discussed above, the RAR file contains Adobe_Flash_Install.exe and goopdate.dll. The file named “Adobe_Flash_Install.exe” is a legitimate Google update utility used in the side-loading of the malicious dynamic link library named “goopdate.dll” from the attacker. The version information of file provides more insight about the Installer, as shown in the figure below.
Upon execution, the installer side-loads and executes the attacker DLL through the search order hijacking method. The process explorer figure below clearly shows the DLL loaded by a legitimate Google Update utility.
The attacker DLL is heavily packed using custom packer as seen in the Hex view of Entry point bytes and data section as depicted in the image below.
The obfuscated attacker DLL is responsible for loading and executing the Cobalt Strike stager into the memory, followed by its execution. This DLL contains several configuration strings encoded with a simple xor encryption, and these strings include C2 url , browser information and cookie detail etc,.
At the time of our analysis, we observed that the Cobalt Strike stager tries to download and execute a shellcode from a remote server that has links to the URL “summerevent.webhop[.]net/f2JZ”. The debugger image attached below shows the hardcoded C2 domain that is decoded during the runtime.
The payload file has interesting functionalities like the capturing of victim system information as in the debugger view below.
The network capture depicts multiple connection requests to the attacker C2 server (summerevent.webhop[.]net) as showcased in the Wireshark image below.
The OceanLotus APT group, a threat actor with suspected ties to the Vietnamese Government, continuously evolves with enriched Tactics, Techniques and Procedures (TTP’s) as it seeks to target outside of standard spear phishing and leveraging of compromised websites. The threat actor has now created its own fake website to deliver payload, which is a clear indication of its inclination towards organized cyberattacks.
The Cyble Research team is continuously monitoring to harvest the threat indicators/TTP’s of emerging APT’s in the wild to ensure that targeted organizations are well informed and proactively protected.
Indicators of Compromise(IOC’s):
File hashes (SHA- 256) :
7fd58fa4c9f24114c08b3265d30be5aa8f6519ebd2310cc6956eda6c6e6f56f0 – Flash_Adobe_Install.exe(legit Google’s Update utility)
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.