ESET uncovers latest malicious activity in Asia from hacking group OceanLotus
KUALA LUMPUR: Analysing the activities of hacking group OceanLotus, known for campaigns targeting eastern Asia, security researchers at ESET have followed one of the group’s latest campaign.
ESET’s research into the group, also known as APT32 or APT C00, has shown they are using the same tricks but now includes a new backdoor.
ESET’s white paper highlighted several methods being used to convince the user to execute the backdoor, slow down its analysis and avoid detection.
“OceanLotus typically targets company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos and Cambodia,” it said in a statement.
“Last year, in an incident dubbed Operation Cobalt Kitty, the group targeted the top-level management of a global corporation based in Asia with the goal of stealing proprietary business information.
“This new research has shown the group utilising several methods in a bid to trick potential victims into running malicious droppers, including double extension and fake icon applications such as Word, PDF and so on.
“These droppers are likely to be attached to an email message although ESET have also found fake installers and software updates used to deliver the same backdoor component.”
In their latest research paper, ESET showed how Oceanlotus‘ latest backdoor is able to execute its malicious payload on a system.
Its process of installation relies heavily on a decoy document sent to a potential person of interest.
Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor.
“Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended act iv it es ,” states Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET.
The group works to limit the distribution of their malware and use several different servers to avoid attracting attention to a single domain or IP address.
Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application.
While the group have managed to some extent to remain concealed, ESET’s research has highlighted their ongoing activity and how they have altered it to remain effective.
“ESET’s threat intelligence has provided conclusive data that shows this particular group has worked to continually update their toolkit and are very much still active in their malicious activities,” added Romain Dumont, ESET Malware Researcher.
For 30 years, ESET has been developing industry-leading IT security software and services for businesses and consumers worldwide.
With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology.
ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption.