OceanLotus APT group as know as s APT32 and APT-C-00, emerging again targeting organization and government networks by distributing backdoor to compromise their infrastructure.
Cyber Criminals using variously advanced techniques to compromise the victims and execute the backdoor into their network.
APT Backdoor mainly targeting East-Asian countries such as es such as Vietnam, the Philippines, Laos, and Cambodia.
OceanLotus APT distribution shows that the team is active and continues to update its toolset.
Also they are using several servers and keep changing their IP address to avoid detection and distributing the encrypting payload to evade the security system.
OceanLotus APT Backdoor Distribution and Infection
The initial distribution of the malicious dropper through email attachment and the email claims that it comes from telecommunication company in Vietnam and fake resume that offer from Canada.
Once the victim clicks the attachment, a malicious document will be dropped and mimics as installer or update of popular legitimate software but its actually a fake installer.
Also, another backdoor dropper “RobototFontUpdate.exe” also identified that distributed through compromised websites.
This backdoor is working as two different parts one is initial dropper and backdoor component.
APT Dropper Execution FLow
Once the Initial dropper RobototFontUpdate.exe” launched into the system, it decompresses the dropper and legitimate RobotoSlab-Regular.ttf file will be written into %temp% folder.
After decompressing the dropper and decrypt the shellcode, “eraser” application also will be dropped into the %temp% folder.
later shellcode will be executed to drop a real dropper(backdoor) along with malicious library file inside of the same folder( rastlsc.exe) and execute it.
This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process..
APT Backdoor Execution FLow
The rastlsc.exe is legitimate Symantec product’s executable files The trick is to take advantage of the library loading process of a legitimate and signed executable by writing a malicious library inside the same folder.
According to ESET Researchers, This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process.
So once the legitimate rastlsc.exe will be dropped and executed it also executable imports the Malicious rastls.dll file that contains a malicious payload.
Later the backdoor (rastls.dll) will communicate with Command and control server and resolved the IP address with TCP port 25123.
This is a full-featured backdoor that offers its operators many capabilities, such as the file, registry, and process manipulation, loading additional components, and performing a system fingerprint and perform a various malicious operation with the infected system.