Friday, November 1, 2024
HomeBackdoorOceanLotus APT Hacking Group Distributing Backdoor to Compromise Government Networks

OceanLotus APT Hacking Group Distributing Backdoor to Compromise Government Networks

Published on

Malware protection

OceanLotus APT group as know as s APT32 and APT-C-00, emerging again targeting organization and government networks by distributing backdoor to compromise their infrastructure.

Cyber Criminals using variously advanced techniques to compromise the victims and execute the backdoor into their network.

APT Backdoor mainly targeting East-Asian countries such as es such as Vietnam, the Philippines, Laos, and Cambodia.

- Advertisement - SIEM as a Service

OceanLotus APT distribution shows that the team is active and continues to update its toolset.

Also they are using several servers and keep changing their IP address to avoid detection and distributing the encrypting payload to evade the security system.

Also Read:  Hackers Can Remotely Control Your Camera to Monitor and Record All Your Activities

OceanLotus APT Backdoor Distribution and Infection

The initial distribution of the malicious dropper through email attachment and the email claims that it comes from telecommunication company in Vietnam and fake resume that offer from Canada.

Once the victim clicks the attachment, a malicious document will be dropped and mimics as installer or update of popular legitimate software but its actually a fake installer.

Also, another backdoor dropper “RobototFontUpdate.exe” also identified that distributed through compromised websites.

This backdoor is working as two different parts one is initial dropper and backdoor component.

APT Dropper Execution FLow

Once the Initial dropper RobototFontUpdate.exe”  launched into the system, it decompresses the dropper and legitimate RobotoSlab-Regular.ttf file will be written into %temp% folder.

After decompressing the dropper and decrypt the shellcode, “eraser” application also will be dropped into the  %temp% folder.

later shellcode will be executed to drop a real dropper(backdoor) along with malicious library file inside of the same folder( rastlsc.exe) and execute it.

This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process..

 APT Backdoor Execution FLow

The rastlsc.exe is legitimate Symantec product’s executable files The trick is to take advantage of the library loading process of a legitimate and signed executable by writing a malicious library inside the same folder.

According to ESET Researchers, This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process.

So once the legitimate rastlsc.exe will be dropped and executed it also executable imports the Malicious rastls.dll file that contains a  malicious payload.

Later the backdoor (rastls.dll) will communicate with Command and control server and resolved the IP address with TCP port 25123.

backdoor

This is a full-featured backdoor that offers its operators many capabilities, such as the file, registry, and process manipulation, loading additional components, and performing a system fingerprint and perform a various malicious operation with the infected system.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....

Hackers Using Supershell Malware To Attack Linux SSH Servers

Researchers identified an attack campaign targeting poorly secured Linux SSH servers, where the attack...

UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader

UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver MISTPEN...