OceanLotus (APT32) Uses Social Security Themes as Lure in APT Attacks 

Overview

A new attack sample from the OceanLotus group (APT32) has been identified on July 10 2024 by Knowsec 404. This sample uses topics related to social security and housing fund adjustments to lure victims into clicking malicious links. The tactics and methodologies of this sample bear a strong resemblance to those observed in a 2023 campaign where OceanLotus mimicked APT29’s attack strategies.

Background on OceanLotus

OceanLotus, also known as APT32, is a prominent Advanced Persistent Threat (APT) group active since 2012. This group primarily targets government agencies, corporations, media outlets, and activists in East and Southeast Asia. Known for its diverse attack techniques, OceanLotus employs a mix of custom-developed tools and open-source utilities to achieve its objectives at various stages of their operations.

Attack Chain

The identified attack chain is structured as follows:

1. 1. LNK File: The attack initiates with an LNK file that executes an HTA script.

1. 1. HTA Script: This script deploys both a dropper program and a decoy document.

1. 1. Dropper Program: Responsible for loading the final payload, which is the Cobalt Strike RAT (Remote Access Trojan).

1. 1. Decoy Document: A document designed to disguise the malicious activities.

Technical Breakdown

LNK File

The LNK file is the initial payload that triggers the attack chain. It uses ShellExec to run CMD commands, which ensure the absence of security software and copy itself to a specific location before launching via mshta.exe.

HTA Script

Stored within the LNK file, the HTA script executes several tasks:

1. 1. Dropper Deployment: Loads and saves the dropper program to a specified directory.

1. 1. Decoy Document Deployment: Saves and opens the decoy document.

1. 1. Dropper Execution: Decrypts and runs the Cobalt Strike RAT.

Dropper Program

The dropper decrypts and launches the Cobalt Strike payload. Cobalt Strike is a versatile penetration testing tool frequently used by APT groups. It allows attackers to deploy “Beacons” on compromised machines, enabling a wide range of malicious activities such as command execution, file transfer, and privilege escalation.

Findings

Analysis indicates that the techniques used in this attack are consistent with those from a 2023 campaign by OceanLotus, which used BMW-themed lures. Similarities include the format of LNK parameters and Cobalt Strike configuration files.

Indicators of Compromise (IOC)

• • Hash Values:
    • • f04971c65d68319fbe1285b4a83afed6 (QuickDeskBand.dll)

• • Decoy Document:
    • • md5:2d6b3b3e13600721fc9f398cd7df05ca
    • • sha1:536a59b70a79878c6b4f0548c096738181471c0e
    • • sha256:e652d9d69aa49fd91e107888c1790067a757750c99223cddceeee2676cfbe6b1

Conclusion

The recent sample captured by the Maltiverse Research Team highlights the continuous threat posed by OceanLotus. Their use of sophisticated techniques and tools like Cobalt Strike underscores the need for vigilant cybersecurity measures.

For more detailed analysis and updates on this and other cybersecurity threats, follow the Maltiverse Research Team’s ongoing research.

References

https://m.freebuf.com/articles/network/405589.html