Since the “OceanLotus” group was first identified, four different families of Trojan programs have been observed in succession. The early Trojans were not sophisticated and were relatively easy to detect and remove. In recent years, however, a series of sophisticated attack techniques has been added to the captured “OceanLotus” samples, and the difficulty of defending against and removing them has grown accordingly.
The samples captured by the Sangfor Terminal Security Team have the following characteristics:
· “White plus black” delivery (DLL side-loading): a legitimate, signed program is used to load the malicious payload
· Targeted attack: only a specific host can decrypt and execute the remote-control Trojan
· Layered encryption: four decryption operations are performed before the final payload is produced
The execution flow chart is as follows:
Sample analysis
The APT sample contains two files: lenovodrvtray.exe and DgBase.dll
Among them, lenovodrvtray.exe is Lenovo's driver auto-installation utility and carries a valid digital signature
The malicious DgBase.dll is loaded when lenovodrvtray.exe starts
Once loaded, DgBase.dll decrypts a block of code stored in its resource section, drops it, and transfers execution to it
The final payload supports more than 80 remote-control commands, covering file, registry and process operations, among others
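The chain above (a signed vendor executable loading an unsigned DLL that sits beside it in a user-writable directory) is the pattern a defender can hunt for in image-load telemetry. The following is an added example, not code from the original write-up or from Sangfor: a heuristic over Sysmon Event ID 7 (ImageLoad) records reduced to dicts with the Image, ImageLoaded, Signed and SignatureStatus fields. The event records are constructed to mirror the sample described above; the TRUSTED_DIRS list and the scoring rule are assumptions of this example.

```python
"""Heuristic for DLL side-loading ("white plus black") in Sysmon image-load events.

Added example, not part of the original write-up. Assumes Sysmon Event ID 7
records reduced to dicts with Image, ImageLoaded, Signed and SignatureStatus.
"""
import ntpath

# Directories where an unsigned DLL next to its loader is common enough that
# this heuristic stays quiet (assumption of this example, tune per estate).
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed Sysmon Event ID 7 records modelled on the sample in the write-up.
SAMPLE_EVENTS = [
    {   # signed vendor tool loading an unsigned DLL from its own directory
        "Image": r"C:\Users\victim\Downloads\lenovodrvtray.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\DgBase.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
    {   # same loader pulling a signed system DLL from System32: benign
        "Image": r"C:\Users\victim\Downloads\lenovodrvtray.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # unsigned helper DLL shipped by an installed product: suppressed by TRUSTED_DIRS
        "Image": r"C:\Program Files\ExampleVendor\tool.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]


def _dirname(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash for prefix tests."""
    return ntpath.dirname(path).lower() + "\\"


def is_validly_signed(event: dict) -> bool:
    """Sysmon reports Signed as the strings 'true'/'false'; require a Valid status too."""
    return (event.get("Signed", "false").lower() == "true"
            and event.get("SignatureStatus", "") == "Valid")


def is_suspected_sideload(event: dict) -> bool:
    """True when a process loads an unsigned DLL from its own directory
    and that directory lies outside the Windows / Program Files trees."""
    dll = event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return False
    if is_validly_signed(event):
        return False
    proc_dir = _dirname(event["Image"])
    dll_dir = _dirname(dll)
    if proc_dir != dll_dir:
        return False          # not the co-located "white plus black" layout
    return not any(dll_dir.startswith(t) for t in TRUSTED_DIRS)


def scan(events: list) -> list:
    """Return (loader, dll) basename pairs for every suspected side-load."""
    return [(ntpath.basename(e["Image"]), ntpath.basename(e["ImageLoaded"]))
            for e in events if is_suspected_sideload(e)]


if __name__ == "__main__":
    for loader, dll in scan(SAMPLE_EVENTS):
        print(f"suspected DLL side-load: {loader} -> {dll}")
```

The rule deliberately keys on the combination the write-up describes (signed loader, unsigned DLL, same directory, user-writable location) rather than on the file names, since the DLL name changes between campaigns. Expect noise from portable applications run out of Downloads or Temp; a follow-up check that the loader's own signature is valid while the DLL's is absent narrows it further, and the Signed/SignatureStatus fields only populate when Sysmon is configured to check image-load signatures.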