Thursday, January 23, 2025
HomeCyber Security NewsAPT32 Hacker Group Attacking Cybersecurity Professionals Poisoning GitHub

APT32 Hacker Group Attacking Cybersecurity Professionals Poisoning GitHub

Published on

SIEM as a Service

Follow Us on Google News

The malicious Southeast Asian APT group known as OceanLotus (APT32) has been implicated in a sophisticated attack that compromises the privacy of cybersecurity professionals.

A recent investigation by the ThreatBook Research and Response Team revealed that a popular privilege escalation tool utilized by cybersecurity experts had been backdoored, leading to significant data breaches and identity leaks.

Methodology of the Attack

The attack, which was first identified in November 2024, involved the release of a Cobalt Strike exploit plugin embedded with a Trojan onto GitHub.

plugin embedde
plugin embedde

The attackers employed a novel tactic by incorporating a malicious .suo file within a Visual Studio project. When unsuspecting users compile the project, the Trojan executes automatically, effectively compromising their systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

The poisoned account, set up to resemble a legitimate security researcher from a prominent Chinese FinTech company, is linked to the malicious repository at GitHub.

Timeline and Execution

The OceanLotus group targeted Chinese cybersecurity researchers, with the attack commencing between mid-September and early October 2024.

 execution of malicious code.
 execution of malicious code.

On October 10, the rogue account registered on GitHub, strategically forking various legitimate security tools to lower the victims’ guard.

Within days, two malevolent projects were published, containing Chinese-language descriptions and aimed specifically at enticing local cybersecurity professionals.

Despite the attacker’s subsequent deletion of these projects, the poisoned code had already been integrated into other researchers’ repositories, making detection increasingly difficult.

The code is designed to execute malicious commands seamlessly while self-destructing to avoid detection.

ThreatBook’s extensive analysis revealed that the attack was not only sophisticated but indicative of OceanLotus’s evolving techniques.

By utilizing a combination of dll hollowing and base64 encoding, the malware establishes command-and-control communication via the Notion platform, cleverly circumventing traffic detection measures.

spear-phishing email
spear-phishing email

The research team provided numerous Indicators of Compromise (IOCs) derived from their analyses, enabling cybersecurity entities to enhance their defenses against such targeted threats.

ThreatBook’s suite of security tools—including the Threat Detection Platform (TDP) and Cloud Sandbox—has been instrumental in identifying and mitigating the effects of this attack.

The OceanLotus group’s use of GitHub for conducting such targeted cyber operations raises urgent awareness regarding software supply chain vulnerabilities.

As the cybersecurity landscape becomes increasingly complex, professionals must maintain vigilance and utilize robust security practices to protect sensitive information.

Cybersecurity professionals must remain informed and proactive in safeguarding their tools and identities against such pernicious threats.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...