
OceanLotus With Cyber Espionage Operations

The OceanLotus group, also known as APT32, Cobalt Kitty, APT-C-00, SeaLotus, Ocean Buffalo, POND LOACH and TIN WOODLAWN, has been active since at least 2014. The actors behind this threat make extensive use of watering hole attacks, compromising websites and combining them with social engineering to deliver malware payloads. The group has carried out cyber espionage against organizations of interest to the Vietnamese government. Recently, it has been focusing on Southeast Asian countries such as the Philippines, Laos and Cambodia.

The compromised websites profile visitors, redirect them to phishing login pages, and serve malware payloads for Windows and OSX. According to open source intelligence, the OceanLotus group has used multiple fake news websites to target users.

In this article, we shed light on one of the threat actor's latest campaigns related to the Vietnamese government. Cyble discovered that the OceanLotus group used a RAR archive named "Adobe_Flash_Install.rar" to pose as an Adobe installer and silently execute the malware payload. The following figure shows the contents of the archive file.

[Figure: contents of the Adobe_Flash_Install.rar archive (OceanLotus DLL side-loading)]

Further research has shown that the threat actor has used cloud storage such as Google Drive to host malware payload files. The screenshot below shows the malware payload hosted at the Dropbox link "hxxps://www.dropbox[.]com/s/puhwqhjcvn2xuum/Adobe_Flash_Install[.]rar?dl=1".

[Figure: malware payload hosted on the Dropbox link]

Technical Analysis:

As mentioned above, the RAR file contains Adobe_Flash_Install.exe and goopdate.dll. The file named "Adobe_Flash_Install.exe" is a legitimate Google Update utility, which is abused to side-load the malicious dynamic link library named "goopdate.dll" from the same directory. The file's version information provides more detail about the installer, as shown in the figure below.

[Figure: version information of Adobe_Flash_Install.exe]
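As an added, defender-side example that is not part of the Cyble report, the following Python flags the loading pattern described above in Sysmon Event ID 7 ("Image loaded") records: a DLL loaded from the same directory as the process image, outside the standard install roots, without a valid signature, or a known vendor companion DLL (here goopdate.dll) resolved from a non-vendor path. The event records, the trusted-root list and the companion-DLL table are constructed assumptions for illustration.

```python
"""Detect the DLL side-loading pattern in Sysmon Event ID 7 ("Image loaded") records.

Added example, not from the original report. The events below are constructed to
mirror the case described: a renamed Google Update binary loading goopdate.dll
from its own (untrusted) directory instead of from the Google install path.
"""
from pathlib import PureWindowsPath

# Constructed sample records; field names follow Sysmon Event 7 (version folder is made up).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\victim\\Downloads\\Adobe_Flash_Install\\Adobe_Flash_Install.exe",
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\Adobe_Flash_Install\\goopdate.dll",
     "Signed": "false", "Signature": ""},
    {"Image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.31\\goopdate.dll",
     "Signed": "true", "Signature": "Google LLC"},
    {"Image": "C:\\Users\\victim\\Downloads\\Adobe_Flash_Install\\Adobe_Flash_Install.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

# Directories where vendor-shipped DLLs are expected to live (assumed baseline, lowercase).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names that normally accompany a specific vendor's binaries (assumed baseline).
VENDOR_COMPANIONS = {"goopdate.dll": "google"}


def side_load_reasons(event):
    """Return the reasons an Event 7 record looks like side-loading, or [] if clean."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_path = str(dll).lower()
    reasons = []
    # The loader resolves a bare DLL name from the EXE's own directory first, so an
    # unsigned DLL beside the EXE outside any install root is the core signal.
    if str(image.parent).lower() == str(dll.parent).lower() and not dll_path.startswith(TRUSTED_ROOTS):
        if event.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL loaded from the process's own untrusted directory")
    vendor = VENDOR_COMPANIONS.get(dll.name.lower())
    if vendor and vendor not in dll_path:
        reasons.append(f"{dll.name} is a {vendor} companion DLL but was loaded outside a {vendor} path")
    return reasons


def find_side_loads(events):
    """Map each suspicious loaded-image path to the list of reasons it was flagged."""
    return {e["ImageLoaded"]: r for e in events if (r := side_load_reasons(e))}
```

The legitimate GoogleUpdate.exe record is not flagged because its goopdate.dll comes from a signed, vendor-path location; only the renamed copy in the Downloads folder is.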
