apt32-oceanlotus

Analysis of a new OceanLotus backdoor

Since the “OceanLotus” group was first identified, four different Trojan families have been observed in its operations, one succeeding another. The early Trojans were not sophisticated and were comparatively easy to detect and remove. In recent years, however, the captured “OceanLotus” samples have incorporated a series of sophisticated attack techniques, and the difficulty of defending against and removing them has grown accordingly.

The samples captured by the Sangfor Terminal Security Team have the following characteristics:

· “White plus black” delivery (DLL side-loading): a legitimately signed program is used to load the malicious payload
· Targeted execution: the remote-control Trojan can be decrypted and executed only on one specific host
· Layered encryption: four decryption passes are performed before the final payload is produced
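The second characteristic is what defeats generic sandbox detonation: if the key that unwraps the remote-control stage is derived from identifiers of the intended victim, the same bytes stay opaque on every other machine, including an analyst's. The block below is an added illustration of that idea in generic form; it is not the sample's own scheme and not Sangfor's code. Using the lowercase hostname as the identity, PBKDF2 for key derivation, and an HMAC-SHA256 keystream with an authentication tag are all assumptions made for the example, and the payload bytes are constructed.

```python
import hashlib
import hmac
import os
import socket

# Constructed stand-in for the encrypted remote-control stage; not real malware bytes.
PAYLOAD = b"DEMO-PAYLOAD: remote-control stage would be here"

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(host_identity: bytes, salt: bytes) -> bytes:
    """Derive the stage key from a host identity (assumption: the victim's hostname).

    An analyst who has only the sample, and not the identity string, has nothing
    to feed this function; that is the whole point of environmental keying.
    """
    return hashlib.pbkdf2_hmac("sha256", host_identity, salt, 50_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stdlib-only stream cipher for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(payload: bytes, host_identity: bytes, salt: bytes, nonce: bytes) -> bytes:
    """Encrypt payload so that only the holder of host_identity can recover it.

    Blob layout: salt || nonce || ciphertext || HMAC tag.
    """
    key = derive_key(host_identity, salt)
    ct = _xor(payload, _keystream(key, nonce, len(payload)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(blob: bytes, host_identity: bytes):
    """Return the payload if host_identity is the intended one, otherwise None.

    The tag check fails on any other host, so a wrong host never even sees
    garbage plaintext; the stage simply does not run there.
    """
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    key = derive_key(host_identity, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


def local_host_identity() -> bytes:
    """Identity of the machine this runs on (assumption: lowercase hostname)."""
    return socket.gethostname().lower().encode()


if __name__ == "__main__":
    target = b"victim-pc"  # constructed victim identity
    blob = seal(PAYLOAD, target, os.urandom(SALT_LEN), os.urandom(NONCE_LEN))
    print("intended host recovers stage:", unseal(blob, target) == PAYLOAD)
    print("this machine recovers stage: ", unseal(blob, local_host_identity()) is not None)
```

The practical consequence for analysis is that a sample built this way must be run, or the key re-derived, with the target's real identifiers; a sandbox with a different hostname yields nothing, and the tag check means there is not even a corrupt plaintext to inspect.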

The execution flow chart is as follows:

[figure: execution flow chart]

Sample analysis

The sample consists of two files, lenovodrvtray.exe and DgBase.dll.


lenovodrvtray.exe is Lenovo's driver auto-installation utility and carries a valid digital signature.


The malicious DgBase.dll is loaded by lenovodrvtray.exe when it starts; this DLL side-loading is what the “white plus black” delivery refers to.


Once loaded, DgBase.dll decrypts a block of code from its resource section, writes it out to memory, and transfers execution to it.


The final payload supports more than 80 remote-control commands, covering file, registry and process operations among others.


IOCs

Domain: bootstrap.cssracniu.com
IP: 193.36.119.47

MD5: 3452471158ed7e6bde3d66141b08cea4
SHA-1: fa0d721d6eeb200f0d79a5048b6b8e5239808d20
SHA-256: 572b7615a2c0d0166461ade21cb2425d5c5d19f124219009a9014c4eaa9f074c
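To put the listed IOCs to use, the following is an added Python triage script, not part of the original report, that hashes every file under a directory, flags any file whose MD5, SHA-1 or SHA-256 appears in the hash set above, and separately reports directories where lenovodrvtray.exe sits beside a DgBase.dll, the side-loading pair described in the analysis. The report does not say which of the two files the three hashes describe, so the script checks every file against all of them; the co-location check is a hunting lead only and must be confirmed by a hash match or by inspecting the DLL's signature. `hash_bytes` exists so the same matching logic can be exercised on in-memory data.

```python
import hashlib
import os
import sys

# Hashes from the IOC section of this report (lowercase hex). The report does not
# state which of the two sample files they belong to, so every file is checked.
IOC_HASHES = {
    "3452471158ed7e6bde3d66141b08cea4",                                  # MD5
    "fa0d721d6eeb200f0d79a5048b6b8e5239808d20",                          # SHA-1
    "572b7615a2c0d0166461ade21cb2425d5c5d19f124219009a9014c4eaa9f074c",  # SHA-256
}

# The side-loading pair named in the analysis: signed host EXE and the DLL it loads.
SIDELOAD_HOST = "lenovodrvtray.exe"
SIDELOAD_DLL = "dgbase.dll"


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same three digests for a file on disk, streamed so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(hashes: dict, iocs=IOC_HASHES) -> list:
    """Names of the digest algorithms whose value appears in the IOC set."""
    return sorted(algo for algo, value in hashes.items() if value.lower() in iocs)


def find_sideload_pairs(paths) -> list:
    """Directories holding both lenovodrvtray.exe and DgBase.dll (case-insensitive).

    Co-location is only a lead: confirm with a hash match, or by checking that
    the DLL lacks the vendor signature the EXE carries.
    """
    names_by_dir = {}
    for p in paths:
        names_by_dir.setdefault(os.path.dirname(p), set()).add(os.path.basename(p).lower())
    return sorted(d for d, names in names_by_dir.items()
                  if SIDELOAD_HOST in names and SIDELOAD_DLL in names)


def scan(root: str, iocs=IOC_HASHES) -> dict:
    """Walk root, hash every file, and report IOC hits and side-loading pairs."""
    hits, seen = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            seen.append(full)
            try:
                matched = match_iocs(hash_file(full), iocs)
            except OSError:
                continue  # unreadable file (locked, permissions): skip it, keep going
            if matched:
                hits.append((full, matched))
    return {"hash_hits": hits, "sideload_dirs": find_sideload_pairs(seen)}


if __name__ == "__main__":
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, algos in result["hash_hits"]:
        print(f"IOC HIT  {path}  ({', '.join(algos)})")
    for d in result["sideload_dirs"]:
        print(f"SIDELOAD PAIR  {d}")
```

Run it as `python triage.py <root>`; a hash hit is conclusive for the published sample, while a side-loading pair with no hash hit may be a repacked variant and deserves a look at the DLL's resource section, which is where this sample keeps its next stage.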