What Is It?
Since 2014, the OceanLotus Advanced Persistent Threat (APT) group, also referred to as APT32 and APT-C-00, has been targeting governments and corporations in various industries located in Southeast Asia, especially Vietnam, Laos, Cambodia and the Philippines. The group is believed to be Vietnamese.
The group’s goal is to install a backdoor that gives full access to a system and the data it contains. Recently, Slovakia-based security company ESET described the latest malware from OceanLotus. Although OceanLotus has previously used backdoor malware running on Macs, these samples run on Microsoft Windows.
OceanLotus uses two main attack vectors to install the backdoor. The first is the tried-and-true method of spear phishing emails containing malicious attachments. These attachments are executables, but they use the icons of Microsoft Word and Excel documents to convince targeted users to open them. Once executed, they display a password-protected document to distract the user while the backdoor installs itself.
The second vector is the use of watering hole attacks to get targeted users to install fake installers or updaters for common software, such as Firefox. A watering hole attack is one in which threat actors compromise legitimate websites that they know, or strongly suspect, targeted users will visit.
Once executed, the malware creates a Windows service and deletes the document used as a distraction. The malware then drops a legitimate, digitally signed DLL (Dynamic Link Library) file from a well-known application and uses it to load the code from a second, malicious dropped DLL file. This well-established malicious technique is known as DLL side-loading. It works by placing the malicious DLL in the same directory as the legitimate, signed DLL and then having the legitimate DLL load the malicious DLL into memory. This appears less suspicious because the loading is performed by a signed, trusted application.
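The side-loading pattern described above (a signed module loading a DLL that was placed beside it) is something endpoint telemetry can be checked for. The following is an added example for illustration, not code from the original report, from BluVector or from ESET: it runs a simple heuristic over constructed image-load records modelled loosely on a Sysmon "Image loaded" event. The field names, the `TRUSTED_DLL_DIRS` allow-list and every path and signer in `SAMPLE_EVENTS` are this example's own assumptions, not indicators from the report.

```python
"""Heuristic DLL side-loading check over constructed image-load events.

Added example; not part of the original report. Event fields are this
example's own, modelled loosely on a Sysmon 'Image loaded' record.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which a signed binary is expected to load DLLs. Constructed
# allow-list for the example; a real deployment builds its own baseline.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoadEvent:
    """One image-load record (field names are assumptions of this example)."""
    loader_image: str     # path of the signed module/process doing the loading
    loader_signed: bool
    loader_signer: str
    loaded_image: str     # path of the DLL being loaded
    loaded_signed: bool
    loaded_signer: str


def _parent_dir(path: str) -> str:
    # Normalise to a lower-case Windows directory path for comparison.
    return str(PureWindowsPath(path).parent).lower()


def sideload_reason(ev: ImageLoadEvent) -> Optional[str]:
    """Return why this load looks like DLL side-loading, or None if it does not.

    The pattern from the report: a legitimate, signed module loads a DLL that
    sits in its own directory, and that DLL is not signed by the same party.
    Loads from standard system DLL directories are excluded to cut noise.
    """
    if not ev.loader_signed:
        return None  # an unsigned loader is a different detection problem
    loader_dir = _parent_dir(ev.loader_image)
    if loader_dir != _parent_dir(ev.loaded_image):
        return None  # side-loading relies on the DLL being placed alongside
    if loader_dir in TRUSTED_DLL_DIRS:
        return None
    if not ev.loaded_signed:
        return "signed loader loaded an unsigned DLL from its own directory"
    if ev.loaded_signer.lower() != ev.loader_signer.lower():
        return "signed loader loaded a DLL signed by a different party from its own directory"
    return None


def find_sideloads(events: List[ImageLoadEvent]) -> List[Tuple[str, str]]:
    """Return (loaded_image, reason) for every event matching the heuristic."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.loaded_image, reason))
    return hits


# Constructed sample telemetry; none of these paths or signers are real IoCs.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe", True, "Microsoft Windows",
                   r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoadEvent(r"C:\Program Files\ExampleVendor\app.exe", True, "Example Vendor Inc",
                   r"C:\Program Files\ExampleVendor\helper.dll", True, "Example Vendor Inc"),
    ImageLoadEvent(r"C:\Users\victim\AppData\Local\Temp\signedhost.exe", True, "Example Vendor Inc",
                   r"C:\Users\victim\AppData\Local\Temp\payload.dll", False, ""),
    ImageLoadEvent(r"C:\Users\victim\AppData\Roaming\Svc\vendor.dll", True, "Example Vendor Inc",
                   r"C:\Users\victim\AppData\Roaming\Svc\plugin.dll", True, "Unrelated Signer LLC"),
]

if __name__ == "__main__":
    for image, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"SUSPECT {image}: {reason}")
```

The unsigned-DLL case is the strong signal; the signer-mismatch case is weaker, since legitimate applications do bundle third-party DLLs, so in practice it would be combined with context such as the loader running from a user-writable directory or being a newly created service.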
The backdoor then encrypts its Command and Control (C2) traffic. However, if this traffic is detected and captured, it can be decrypted, because the encryption key is transmitted as part of the traffic itself.
How Does It Propagate?
The malware does not self-propagate. It is believed to be delivered either as an executable attached to spear phishing emails, using the icon of a Microsoft Word or Excel document, or by convincing users to download and execute what they believe to be an installer or updater for common software such as Firefox. Again, this highlights the importance of user education and awareness programs as a component of overall security protections.
When/How Did BluVector Detect It?
Six samples are publicly available, and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown that four samples would have been detected 41 months prior to their release, with the remaining two samples detected 26 and 10 months prior, respectively.