
OceanLotus Phishing Campaign Against Cambodian Government

Introduction

Researchers recently observed the OceanLotus group using ASEAN-themed decoy documents in a campaign against the Cambodian government.

Vietnam and Cambodia have a long history of conflict. In 2017, Vietnam established APT32 and strengthened its cyber warfare capabilities. During the 2017 annual summit, the group attacked the websites of government departments and agencies in ASEAN, Cambodia, Laos and the Philippines.

The researchers found a number of samples, the first of which was named “បញ្ជីរាយនាមអនុព័ន្ធយោធាបរទេសនិងការិយាល័យសហប្រតិបត្តិការយោធាប្រចាំកម្ពុជា.docx~[.] exe”; the file name translates to “List of Foreign Military Affiliates and Office of Military Cooperation”. This sample is a self-extracting archive (SFX) containing four files:

1. A legitimate, Apple-signed executable (SoftwareUpdate.exe).

2. The whitelisted companion dynamic link library (DLL) that the executable loads (SoftwareUpdateFiles.dll).

3. A malicious DLL (SoftwareUpdateFilesLocalized.dll).

4. A file named “SoftwareUpdateFiles.locale” that contains the encrypted shellcode.

The attack process is as follows:

[Figure: OceanLotus attack process]
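As an added example (not part of the researchers' report), a small Python heuristic that flags the drop pattern described above in an extracted file set: an executable, DLLs sharing its name prefix (side-load candidates), and a non-PE file whose byte entropy is high enough to look encrypted. The file contents and the entropy cut-off are constructed assumptions; only the file names come from the report.

```python
import math
from collections import Counter

# Constructed stand-in for the SFX contents described in the report. The file
# names are the ones the report lists; the byte contents are placeholders,
# not the real samples.
SAMPLE_FILES = {
    "SoftwareUpdate.exe": b"MZ" + b"\x00" * 62,
    "SoftwareUpdateFiles.dll": b"MZ" + b"\x00" * 62,
    "SoftwareUpdateFilesLocalized.dll": b"MZ" + b"\x00" * 62,
    "SoftwareUpdateFiles.locale": bytes(range(256)) * 4,  # uniform bytes
}

ENTROPY_THRESHOLD = 7.0  # assumed cut-off; close to 8.0 means encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_sideload_sets(files: dict) -> list:
    """Group each executable with same-prefix DLLs and opaque high-entropy files.

    Returns one finding per executable that is dropped together with at least
    one DLL sharing its name prefix and at least one non-PE file that looks
    encrypted, which is the layout the report describes.
    """
    findings = []
    for name, _ in files.items():
        if not name.lower().endswith(".exe"):
            continue
        stem = name[:-4].lower()
        dlls, blobs = [], []
        for other, data in files.items():
            if other == name or not other.lower().startswith(stem):
                continue
            if other.lower().endswith(".dll"):
                dlls.append(other)
            elif not data.startswith(b"MZ") and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                blobs.append(other)
        if dlls and blobs:
            findings.append({"exe": name, "dlls": sorted(dlls), "payloads": sorted(blobs)})
    return findings


if __name__ == "__main__":
    for f in find_sideload_sets(SAMPLE_FILES):
        print(f"{f['exe']}: side-load DLLs {f['dlls']}, encrypted blobs {f['payloads']}")
```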

IOCs
