“OceanLotus” Spies Use New Backdoor in Recent Attacks

OceanLotus, a cyber-espionage group believed to be operating out of Vietnam, has been using a new backdoor in recently observed attacks, but also using previously established tactics, ESET reveals.

Also known as APT32 and APT-C-00, the advanced persistent threat (APT) has been targeting high-profile corporate and government organizations in Southeast Asia, particularly in Vietnam, the Philippines, Laos, and Cambodia. The group is well-resourced and determined and is known to be using custom-built malware in combination with techniques long known to be successful.

One of the latest malware families used by the group is a fully-fledged backdoor that provides operators with remote access to compromised machines, along with the ability to manipulate files, registries, and processes, as well as the option to load additional components if needed.

For distribution purposes, OceanLotus uses a two-stage attack that employs a dropper to gain initial foothold on the targeted system and prepare the stage for the backdoor, ESET explains in a new report (PDF).

Spear-phishing emails are used to lure victims into opening an attachment that uses a fake icon to load password-protected decoy document while the malicious dropper is executed in the background.

Fake installers posing as updates for popular applications are also used, as part of watering hole attacks, where websites that the victims are likely to visit are compromised.

The dropper package includes components executed in a number of stages involving heavy code obfuscation to prevent detection. The malware authors also included garbage code in the dropper, for similar purposes.

To achieve persistence, the dropper creates a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges. Code designed to delete the lure document is also dropped onto the system.

A digitally-signed Symantec executable (rastlsc.exe) is also dropped, along with a malicious Dynamic Link Library (DLL) named rastls.dll (detected as Win32/Salgorea.BD). The signed executable loads the malicious DLL, which makes the malicious behavior look legitimate, a technique (called DLL side-loading) that has been abused before.

The backdoor supports over 23 commands to: fingerprint the system; read a file or registry key; create a process; create a file, a registry entry or a stream in memory; write to or query the registry; search for files on the system; move files to directories or delete them from disk; list the drives mapped to the system; create or delete directories; call the PE Loader; drop and execute a program; run shellcode in a new thread, and more.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address. The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” ESET concludes.

Related: Vietnamese Spies Rival Notorious Russian Group in Sophistication

Related: How APT32 Hacked a Global Asian Firm With Persistence

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: