Monday, November 25, 2024
HomeBackdoorOceanLotus APT Hacking Group Distributing Backdoor to Compromise Government Networks

OceanLotus APT Hacking Group Distributing Backdoor to Compromise Government Networks

Published on

OceanLotus APT group as know as s APT32 and APT-C-00, emerging again targeting organization and government networks by distributing backdoor to compromise their infrastructure.

Cyber Criminals using variously advanced techniques to compromise the victims and execute the backdoor into their network.

APT Backdoor mainly targeting East-Asian countries such as es such as Vietnam, the Philippines, Laos, and Cambodia.

- Advertisement - SIEM as a Service

OceanLotus APT distribution shows that the team is active and continues to update its toolset.

Also they are using several servers and keep changing their IP address to avoid detection and distributing the encrypting payload to evade the security system.

Also Read:  Hackers Can Remotely Control Your Camera to Monitor and Record All Your Activities

OceanLotus APT Backdoor Distribution and Infection

The initial distribution of the malicious dropper through email attachment and the email claims that it comes from telecommunication company in Vietnam and fake resume that offer from Canada.

Once the victim clicks the attachment, a malicious document will be dropped and mimics as installer or update of popular legitimate software but its actually a fake installer.

Also, another backdoor dropper “RobototFontUpdate.exe” also identified that distributed through compromised websites.

This backdoor is working as two different parts one is initial dropper and backdoor component.

APT Dropper Execution FLow

Once the Initial dropper RobototFontUpdate.exe”  launched into the system, it decompresses the dropper and legitimate RobotoSlab-Regular.ttf file will be written into %temp% folder.

After decompressing the dropper and decrypt the shellcode, “eraser” application also will be dropped into the  %temp% folder.

later shellcode will be executed to drop a real dropper(backdoor) along with malicious library file inside of the same folder( rastlsc.exe) and execute it.

This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process..

 APT Backdoor Execution FLow

The rastlsc.exe is legitimate Symantec product’s executable files The trick is to take advantage of the library loading process of a legitimate and signed executable by writing a malicious library inside the same folder.

According to ESET Researchers, This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process.

So once the legitimate rastlsc.exe will be dropped and executed it also executable imports the Malicious rastls.dll file that contains a  malicious payload.

Later the backdoor (rastls.dll) will communicate with Command and control server and resolved the IP address with TCP port 25123.

backdoor

This is a full-featured backdoor that offers its operators many capabilities, such as the file, registry, and process manipulation, loading additional components, and performing a system fingerprint and perform a various malicious operation with the infected system.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform,...

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....

Hackers Using Supershell Malware To Attack Linux SSH Servers

Researchers identified an attack campaign targeting poorly secured Linux SSH servers, where the attack...