The OceanLotus APT group, also tracked as APT32, Cobalt Kitty, APT-C-00, SeaLotus, Ocean Buffalo, POND LOACH and TIN WOODLAWN, has been active since at least 2014. The actors behind it rely heavily on watering hole attacks, compromising websites and using social engineering to deliver malware payloads, and have conducted cyber espionage against organizations of interest to the Vietnamese government. More recently, the group has focused on Southeast Asian countries such as the Philippines, Laos and Cambodia.
The compromised websites profile visitors, redirect them to exploit or fake login pages, and serve malware payloads for both Windows and macOS. Open source intelligence also shows that the OceanLotus APT group has operated several fake news websites to target its victims.
In this article we shed light on one of the latest campaigns by threat actors linked to the Vietnamese government. Cyble discovered that the OceanLotus APT group used a RAR archive named "Adobe_Flash_Install.rar", disguised as an Adobe installer, to silently execute its malware payload. The following figure shows the contents of the archive.
Further research showed that the threat actors hosted the malware payload on cloud storage services such as Google Drive and Dropbox. The figure below shows the payload hosted on the Dropbox link hxxps://www.dropbox[.]com/s/puhwqhjcvn2xuum/Adobe_Flash_Install[.]rar?dl=1 (defanged).
As mentioned above, the RAR archive contains Adobe_Flash_Install.exe and goopdate.dll. "Adobe_Flash_Install.exe" is a legitimate Google Update utility that has been renamed; the attackers abuse it to side-load the malicious DLL "goopdate.dll" shipped next to it in the archive. Because Windows resolves a DLL from the executable's own directory before the system directories, the attacker's goopdate.dll is loaded in place of the genuine one. The file's version information reveals the real origin of the installer, as shown in the figure below.
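The side-loading chain above leaves two observable traces on an endpoint: the executable's on-disk name no longer matches the OriginalFileName in its PE version information, and a DLL is loaded from the executable's own directory rather than from a trusted install path. The script below is an added example written for this article (it is not Cyble's tooling and not part of the original report) that turns those two traces into a detection over process-creation and image-load telemetry. The event dictionaries are constructed samples that borrow Sysmon's field names (Event ID 1 `Image`/`OriginalFileName`, Event ID 7 `ImageLoaded`/`Signed`); the paths, PIDs and the list of trusted roots are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). Field names follow Sysmon
# Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) conventions; the
# values are invented to mirror the renamed-updater chain described above.
PROCESS_CREATE = [
    {"ProcessId": 4242,
     "Image": "C:\\Users\\victim\\Downloads\\Adobe_Flash_Install\\Adobe_Flash_Install.exe",
     "OriginalFileName": "GoogleUpdate.exe",   # from PE version info
     "Company": "Google LLC"},
    {"ProcessId": 5150,                         # genuine updater, for contrast
     "Image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "OriginalFileName": "GoogleUpdate.exe",
     "Company": "Google LLC"},
]

IMAGE_LOAD = [
    {"ProcessId": 4242,
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"ProcessId": 4242,
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\Adobe_Flash_Install\\goopdate.dll",
     "Signed": "false"},
    {"ProcessId": 5150,
     "ImageLoaded": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\goopdate.dll",
     "Signed": "true"},
]

# Assumed set of roots where a DLL next to its host executable is expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    original_name: str
    dll: str
    dll_signed: bool


def is_renamed_binary(proc):
    """True when the on-disk file name differs from the PE OriginalFileName."""
    original = proc.get("OriginalFileName", "")
    if not original:
        return False  # no version info to compare against
    return ntpath.basename(proc["Image"]).lower() != original.lower()


def is_trusted_location(path):
    """True when the path sits under one of the assumed trusted install roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def side_load_candidates(process_events, image_load_events):
    """Flag DLLs loaded from the directory of a renamed executable.

    Matching rule: the process image was renamed (name != OriginalFileName),
    the DLL's directory equals the executable's directory, and that directory
    is not a trusted install root. Loads from System32 and similar are ignored
    because normal search-order resolution ends there.
    """
    by_pid = {p["ProcessId"]: p for p in process_events}
    findings = []
    for ev in image_load_events:
        proc = by_pid.get(ev["ProcessId"])
        if proc is None or not is_renamed_binary(proc):
            continue
        dll = ev["ImageLoaded"]
        if ntpath.dirname(dll).lower() != ntpath.dirname(proc["Image"]).lower():
            continue  # resolved from elsewhere, not from the host's directory
        if is_trusted_location(dll):
            continue
        findings.append(Finding(
            pid=proc["ProcessId"],
            image=proc["Image"],
            original_name=proc["OriginalFileName"],
            dll=dll,
            dll_signed=ev.get("Signed", "").lower() == "true",
        ))
    return findings


if __name__ == "__main__":
    for f in side_load_candidates(PROCESS_CREATE, IMAGE_LOAD):
        print(f"pid {f.pid}: {f.image} (really {f.original_name}) "
              f"side-loaded {f.dll}, signed={f.dll_signed}")
```

Run against the constructed events, only PID 4242 is reported: the renamed GoogleUpdate.exe loads an unsigned goopdate.dll from the Downloads folder, while the genuine updater under Program Files loads its own signed copy and is not flagged. Dropping the rename condition widens the rule to any application-directory DLL load outside trusted roots, which catches more side-loading variants at the cost of noise from portable software, so in practice that broader form is better paired with the signature check.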