In last days of March, we discovered the activity of OceanLotus threat towards ASEAN Affairs.
Telsy TRT captured same malicious macro armed documents likely tergeting ASEAN affairs and meeting members. In fact, telemetry and spreading statistics related to these decoy documents highlight their diffusion in the geographical area of Thailand. According to OSINT information, the 34th ASEAN Meeting will be held in Bangkok, Thailand, on June 2019.
Generally, these malicious documents have been designed to induce the victims to enable a macro code that will lead to an in-memory payload injection through the use of layered obfuscation techniques.
At the time of analysis, however, the full infection cycle showed a very low detection rate in comparison with the major anti-malware solutions.
On the basis of the evidences found, finally, we attribute this operation, with an high degree of confidence, to the APT32 / OceanLotus group.
// Comparative Analysis: OceanLotus
We performed a first statical, attribution and similarity analysis over our own Telsy CTI platform for one of the malicious documents, in order to better understand what we had in front, obtaining the following results:
From this moment on, finally, it was quite clear for us which actor we should have to refer in relation to any interests in the geographical area where samples has been collected.
// Insights (I)
The initial attack payloads are Microsoft Office Word documents, but no specific vulnerabilities are used. Instead, in this case, the infection cycle is carried out through embedding layered macro code in them, triggering subsequent malicious behavior and finally implanting the backdoor to the target host.
According to some evidences collected, particularly, the design of the campaign seems to have started at the end of January 2019.
In order to execute the macro code in the context of the victim system, the attacker instructs the user to click on “enable content” in the body of the document.
The following a screenshot of how the graphical content appears after a forced dynamic execution:
and an extraction of the first stage macro code executed:
// Insights (II)
The script appears to be heavily obfuscated in order to confuse anti-malware engines and discourage static analysis.
However, after a general cleaning process, it is possible to clarify what this first set of malicious instructions have been designed to perform. Below is a summary of the entire infection cycle performed starting from enabling the macro:
- The first macro copies its own document file to the %temp% folder.
- It decrypts the second stage module and modify the REG_KEY “HKCU\Software\Microsoft\Office\14.0\Word\Security\AccessVBOM” in order to set its value to “1”, as showed following:
Through this change, the actor is now able to create and use macro-based self-replicating malware. Then, it is possible to obtain this result taking advantage of fact that a registry key value dictates whether external macros can be trusted or not. Indeed, by changing the value of such a registry key, all macros can be put into trusted zone. In a nutshell, this feature allows macros to write more macros.
Despite the potential illicit uses, seems that Microsoft doesn’t regard this as security issue. Instead, Microsoft claims that the feature works to function like this.
- At this point, the second macro is written into the document under %temp%. After this, a fake error message is then shown.3The second stage code is quite similar to the previous with the difference that it is self referencing in the modification of its own components. It retrieves the content of its self document (now under the %temp%) and modify it in order to replace the current module with a third stage code.
Finally, the third payload is capable to perform code injection to finalize the infection of the system. Finally, it calls a function aimed at continuing the infection cycle.
// OceanLotus: code snippet
Following, an interesting code snippet:
Quite simple enough to guess, then, functions visible above will support a code injection activity into winword.exe that will lead to the final backdoor execution. The routine aimed at code injection are capable to differentiate between 32 and 64 bit architectures, and rely on different functions on this basis.
Thus, this code allocates a memory region and write in it the first loader, showed in the next figure:
Particularly, the initial loader contains the final backdoor (in an encrypted form) and an obfuscated shellcode with junked opcodes:
Once executed, it works in memory performing actions aimed at resolving the API functions VirtualAlloc, RtlZeroMemory and RtlMoveMemory.
It goes to recostruct the whole malware set and to run further malicious components aimed at a first system recognition and at the execution of typical routines which can be observed into pieces of malware designed for remote control and espionage operations.
The header of the embedded PE is then retrieved through the following RC4 decrypting loop:
Indeed, the malicious PE appers to be allocated in a currupted form and re-assembled on the fly.
Anyway, once initialized, the backdoor resources are loaded in memory and the configuration data are decrypted.
Also, here we can find CnC details After the initialization is completed, the backdoor starts to communicate with the C2 available in the config data through the HTTP protocol and POST mode.
The backdoor, therefore, appears to be capable to communicate outside in different way supporting SOCKS communications as well, after trying connectivity by resolving legitimate services over HTTPS/443.
If the connection succeeds, the first (out of three) remote CnC URLs is retrieved.
We show a snippet of the in-memory workload below:
The URL composing algorithms is similar to that already spotted out by ESET researchers previously and we will not replicate it here.
Anyway, the full composed URL looks like the following:
The list of CnC extracted for this specific backdoor variant are:
and the following is an example of a potential malicious request:
Therefore, according to the evidences found and on the basis of other research papers about this threat group, we attest with an high degree of confidence that this operation has been carried out by the group commonly known as APT32 (aka OceanLotus).
OceanLotus is thus a very active threat. Recently, many cyber operations and breaches have been attributed to this elite hacker group. In short, this extensive activity could be the consequence of the multiple interests to which the group focuses its attention.
These interests in fact range from capturing documentation concerning industrial and technological secrets to the information superiority in the geo-political sphere regarding the area of South-East Asia.
OceanLotus continues to pay close attention in order to operate under the radar. Also in this case it was possible to highlight techniques aiming at the obfuscation and encryption of malicious payloads.
Such techniques, although widely used for a long time both in criminal field than in the operations aimed at cyber espionage, still guarantee a high degree of stealth during the infection cycle of a target system.
// Indicators of Compromise
Finally, additional Indicators of Compromise, the full malware set, Yara and other detection rules are available subscribing a Telsy CTI service.