返回 TI 主页
New Trend in MSI File Abuse: New OceanLotus Group First to Use MST Files to Deliver Tromas

By 奇安信威胁情报中心 | 事件追踪

Overview

During recent daily operations, the QiAnXin Threat Intelligence Center discovered that the new OceanLotus group, which we have been continuously tracking since mid-2022, has begun to re-activate and is using a new tactic of MSI file misuse. Even though the MSI TRANSFORMS technique was theoretically disclosed in 2022[1], this is the first time that we have ever captured an APT campaign targeting a domestic governmental enterprise.

We currently divide the APT-Q-31 (OceanLotus) group into two attack sets, after we have observed for a long time that the old and new OceanLotus carry out espionage activities against the country alternately every year through rounds of warfare, and that the two attack sets have completely different TTPs, but share attack resources. The last time the new OceanLotus group was active was at the end of 2023, so far it has been exactly one year. The execution chain of this spear mail campaign is as follows:

We recommend that government and enterprise customers deploy QAX Endpoint Detection and Response (EDR) in both office and server areas, which can realize the discovery and blocking of generic threats with the cloud checking function enabled.


Introduction to MST Documentation

The New OceanLotus group executed the following command line via lnk:

msiexec\.exe /qn /i WindowsPCHealthCheckSetup\.msi TRANSFORMS=msGFG\.mst

Where WindowsPCHealthCheckSetup.msi is the official and legal installation package provided by Microsoft

MSI TRANSFORMS parameter of the malicious use of the way outside the blog has been introduced [1], MST internal executable module will generally have two export functions are LogSetupAfterInstall and LogSetupBeforeInstall, used to control the process of msi installation process.

Landing additional DLL and persistence operations can be implemented in these two export functions:

The final effect of DLL-Sideloading is achieved with a memory-loaded payload for the RUST Trojan that has been missing for a year, with the difference from 2023 being that the attacker completely shellcode-ized the RUST Trojan , deleting the previous process of loading the PE file using generic shellcode reflection to achieve memory countermeasures. We also observed that New OceanLotus used the Mingw-w64 codebase for most of the dozen or so loaders it has written, a habit that has continued from 2022 to the present, whereas the codebase never appeared in any of the loaders released by the old OceanLotus attack set in the first half of 2024.

We will disclose information about the complex memory state TTP used by the New OceanLotus group in 2023 at a later date this year.


MSI abuse

MSI as a clichéd universal payload in recent years has been used by various threat behavior groups, analysis methods and processes offshore friends have also been shared [2], we are from the point of view of MSI exploitation techniques, talk about the last two years in all directions of the APT gangs on the use of MSI.

Media table

Bitter, APT-Q-27, APT-Q-15 (Darkhotel), CNC and other APT group will be compressed in the cab malicious components, in the msi installation process to release and execute, which is currently the most common exploitation techniques, the disadvantage is that the malicious components with the installation of the MSI will be landed on the disk, a more test of the attacker's sustained exemption from the kill technology.


CustomAction table

Various types of custom actions are supported in CustomAction, and attackers have a richer room for manipulation, for example, the Bitter group calls a third-party powershell interpreter with signatures in the CustomAction table to execute powershell scripts.

While APT-Q-15 (Darkhotel), in its espionage activities against North Koreans, drops malicious North Korean font MSI installation packages, adds the Trojan module core.dll to the customAction table, and in contrast to the malicious module inserted in the Media table, core.dll doesn't land during the msi installation process, and the system process msiexec will start a separate sub-process memory to load this DLL, thus achieving the effect of LOLBINS.

It also does not affect the installation process of the kpkm2024.ttf font:


MST Documentation

Only the New OceanLotus tissue has been observed utilizing this technique.


Summarize

Currently, the full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), QAX Endpoint Detection and Response (EDR) , SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, already support the accurate detection of such attacks.


IOC

CC is no longer valid and therefore not available

MD5:

309a3a8f4d075d5d43d81d6357075b22

46623db76d5ff6b2ec5734fb84bade8e


Reference Links

[1].https://mgeeky.tech/msi-shenanigans-part-1/

[2]. https://intezer.com/blog/incident-response/how-to-analyze-malicious-msi-installer-files/

APT SOUTHEAST ASIA OCEANLOTUS MSI TRANSFORMS
首页
New Trend in MSI File Abuse: New OceanLotus Group First to Use MST Files to Deliver Tromas