Thursday, March 28, 2024

OceanLotus APT Hacking Group Distributing Backdoor to Compromise Government Networks

OceanLotus APT group as know as s APT32 and APT-C-00, emerging again targeting organization and government networks by distributing backdoor to compromise their infrastructure.

Cyber Criminals using variously advanced techniques to compromise the victims and execute the backdoor into their network.

APT Backdoor mainly targeting East-Asian countries such as es such as Vietnam, the Philippines, Laos, and Cambodia.

OceanLotus APT distribution shows that the team is active and continues to update its toolset.

Also they are using several servers and keep changing their IP address to avoid detection and distributing the encrypting payload to evade the security system.

Also Read:  Hackers Can Remotely Control Your Camera to Monitor and Record All Your Activities

OceanLotus APT Backdoor Distribution and Infection

The initial distribution of the malicious dropper through email attachment and the email claims that it comes from telecommunication company in Vietnam and fake resume that offer from Canada.

Once the victim clicks the attachment, a malicious document will be dropped and mimics as installer or update of popular legitimate software but its actually a fake installer.

Also, another backdoor dropper “RobototFontUpdate.exe” also identified that distributed through compromised websites.

This backdoor is working as two different parts one is initial dropper and backdoor component.

APT Dropper Execution FLow

Once the Initial dropper RobototFontUpdate.exe”  launched into the system, it decompresses the dropper and legitimate RobotoSlab-Regular.ttf file will be written into %temp% folder.

After decompressing the dropper and decrypt the shellcode, “eraser” application also will be dropped into the  %temp% folder.

later shellcode will be executed to drop a real dropper(backdoor) along with malicious library file inside of the same folder( rastlsc.exe) and execute it.

This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process..

 APT Backdoor Execution FLow

The rastlsc.exe is legitimate Symantec product’s executable files The trick is to take advantage of the library loading process of a legitimate and signed executable by writing a malicious library inside the same folder.

According to ESET Researchers, This way it will make malicious behaviors look legitimate because these actions are made by the trusted executable process.

So once the legitimate rastlsc.exe will be dropped and executed it also executable imports the Malicious rastls.dll file that contains a  malicious payload.

Later the backdoor (rastls.dll) will communicate with Command and control server and resolved the IP address with TCP port 25123.

backdoor

This is a full-featured backdoor that offers its operators many capabilities, such as the file, registry, and process manipulation, loading additional components, and performing a system fingerprint and perform a various malicious operation with the infected system.

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles