Overview

The new OceanLotus group first appeared in mid-2022, until the end of 2023, when it turned inactive, and then re-activated in November '2024 and was quickly stopped and disclosed by us^[1]. Throughout the year of 2023, the new OceanLotus group demonstrated completely different techniques and tactics and a much higher level of offense than before, and used a number of 0day loopholes to carry out espionage activities targeting China's military, energy, and aerospace sectors. espionage activities, with the intention of stealing our energy and military-industrial fields in the Middle East, Central Asia, Africa, and East Asia deployment.

In this paper, as a security research only, we do not focus on the initial sample load, and mainly disclose the memory plug-ins and espionage purpose of the new OceanLotus group, Skyrocket EDR can accurately alert all the memory plug-ins of the new OceanLotus group in the memory, and we suggest our government and enterprise customers to enable the cloud checking function to discover the unknown threats.

Memory technology and tactics

The new OceanLotus group sends malicious updates to specific terminals in the intranet through 0day vulnerabilities in terminal software to achieve supply chain attacks. In the current domestic intricate security product ecology, this attack mode is the optimal solution for all APT group, and is not unique to the OceanLotus group's tactics ^[2], and we have even observed that ransomware operators targeting domestic ransomware operators have similar operations, the difference being that ransom operators will send ransomware to all intranet terminals, while APT group send malicious updates after selecting specific target terminals, and the new OceanLotus group's memory techniques and tactics are as follows:

The Cobalt Strike used by the New OceanLotus group in 2022-2023 has one very distinct feature:

After the Trojan runs, it will automatically save the current screenshot in PNG format and send it to the C2 server. If the attacker happens to be in the state of RDP at this time, then it will be able to get a picture of the attacker double-clicking the Trojan program on the victim's machine :

Cobalt Strike injected into the system process will be loaded in the current process memory Rust Trojan and back to connect the new C2, Rust Trojan's analysis of the Friends have been analyzed, so I will not repeat. Next, the file directory collection plug-in will be injected into the system process by means of Process Hollowing.

Filename Collection Plugin (Memory State)

The plugin is a 20KB shellcode that first gets the Temp path and generates a UUID that is spliced with the path as an intermediate file.

It then traverses the file, collects the files with the specified suffix on the victim device, and writes the result to the file as a synonym for 0xF1.

The format of the decrypted file is as follows, which collects the file name and the creation, modification, and access time of that file.

The following specified suffixes are collected: pdf, png, jpg, ppt, pptx, one, ini, pfx, config, xmind, conf, ofd, 7z, wpt.

When the write is complete it will re-read the file into memory and delete the file.

Re-decrypt the read content with 0xF1 and re-encrypt it.

The encryption algorithm is the 128-bit AES algorithm.

Finally, write the encrypted content to the file C:\Programdata\SogouInput.xml after the iso-ortho with 0xF2.

The attacker will analyze the xml file in the back-end and eventually pick the target file to steal. After stealing the document the attacker will generally inject the pipeline trojan into the system process by Process Hollowing if he chooses to move further horizontally.

Pipeline Tema (memory state)

The memory block in which this pipeline tema is located has a fixed size of 0x35000 and is created with the name \\\. \pipe\InitStarts to listen to the pipe loop.

Reads data from the pipeline:

A structure is defined during the communication process, a thread is created and the structure is passed in as a parameter.

This thread will continuously read the data in the pipeline and decrypt the data and pass it to the worker thread, as well as fetch the data executed by the worker thread before decrypting and transferring it to the pipeline.

The encryption algorithm is as follows.

There are a large number of functional functions in the worker threads, e.g., file management, shellcode loading, command execution, and so on.

We observed that the new OceanLotus group loaded the ssh login plugin through the pipeline memory.

ssh login plugin (memory state)

The function of the plugin is to log in to the intranet linux server through the built-in account secret:

The password is a weak password, so it can be assumed that the attacker obtained the server password by blasting.

The history logs can be used to confirm that the attacker is browsing directories on the server and packing data.

Dual-platform Tema (memory state)

When invading border servers, such as web servers, firewalls and other devices, the new OceanLotus group uses a Win|Linux dual-platform special trojan. This special trojan was first discovered on the firewall. For a long time, we believed that this special trojan was only deployed on border servers. However, during a confrontation, it was found that this special trojan was injected into the Windows system process, and the injection time was one week later than the implantation time of Cobalt Strike.

The new OceanLotus group uses this special trojan to execute the CMD command to add the root certificate "certutil -addstore "ROOT" client.cer", After adding, it chooses to land the DLL on the disk. At this time, the DLL is digitally signed and used for EDR-free killing.

antivirus software

The new OceanLotus group seems to be one of the few APTs that can distinguish between 360 Security Guard and Skyrocket EDR. Before that, many APTs thought that they could bypass Skyrocket EDR if they could get rid of 360 Security Guard, but new OceanLotus group started its campaign with two new methods targeting 360 Security Guard and Skyrocket EDR, but they were quickly discovered and confronted in time by us and our friends. countered in time. Release the process named propsys.dll and determine if the process loading this DLL is 360baobiao.exe

The main function of the DLL is to turn off self-preservation through DeviceIOCtontol.

After that, hibernate zhudongfangyu.exe and 360rps.exe processes to realize the blinding effect.

The maneuver is currently ineffective.

UTC+7

The above complex memory TTP seems to be just a "flash in the pan", Since the new OceanLotus went inactive in December 2023, we have not observed similar tactics. After that, in March 2024, the old OceanLotus inherited its attack resources and launched two waves of 0day supply chain events, which finally confirmed that the attacker was located in the UTC +7 time zone. OceanLotus purchased domestic VPS servers through some channels and used them as proxies to request the terminal management server of the target unit and select the target personnel to be invaded. (Not only OceanLotus, in 2024 years, we observed that almost all APT group in different directions were purchasing resources from domestic VPS manufacturers through agency companies or black industry four-piece sets, using them as proxies and C2, and even looking for domestic personnel to sign digital signatures for Trojan backdoors. APT has been deeply integrated into the upstream and downstream of domestic black and gray industries. We suggest that we crack down on domestic downstream personnel and completely curb these channels).

After searching, We found out that April 18th is an official holiday in a Southeast Asian country, which is called "Hung Kings Day" (Giỗ Tổ Hùng Vương).

Purpose

It has been confirmed that the attacker is located in a Southeast Asian country, and it is assumed that the attacker provides intelligence services for the host country. In the study of its purpose, we only pick the case of the terminal server directed down to study, because the attacker can see all the organizational structure and personnel information of the target unit on the terminal server, and the target terminal it picks is bound to have directionality, while other espionage activities such as batch invasion of firewalls, web services, etc., are non-directional and can't be used as a source of data for the study.

We have collated several incidents of terminals being sent down during the period of 2021-2024, and in most cases their targets are focused on the environmental and transportation data of the southwestern provinces, as well as China's energy deployment in East Asia, which are all in line with the interests of Southeast Asian countries, and the turning point is after the emergence of the New Sea Lotus, which massively spied on China's projects in the fields of energy and military industry in Central Asia, the Middle East, North Asia, and Africa during the period of 2023-2024 and deployment, the victim terminal even contains a list of personnel dispatched outside the country, these data are not small countries in Southeast Asia can digest, more like the field of concern of extraterritorial powers, and the time of the emergence of the New Sea Lotus organization coincides with the point in time when a certain country in Southeast Asia and an extraterritorial power reached a cybersecurity cooperation.

The above is just a statement of facts that we have observed as a cybersecurity vendor and is not directed at any country or individual.

summarize

Currently, the full line of products based on the threat intelligence data from the Chianxin Threat Intelligence Center, including the Chianxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Chianxin NGSOC, and Chianxin Situational Awareness, already support the accurate detection of such attacks.

Reference Links

[1].https://ti.qianxin.com/blog/articles/new%20-trend-in-msi-file-abuse-new-oceanlotus-group-first-to-use-mst-files-to-deliver-special-trojan-cn/

[2].https://mp.weixin.qq.com/s/3bmehaRuvaL5TnvdZXwYWA