In last days of March, Telsy TRT captured same malicious macro armed documents likely tergeting ASEAN affairs and meeting members. Telemetry and spreading statistics related to these decoy documents highlight their diffusion in the geographical area of Thailand. According with OSINT information, the 34th ASEAN Meeting will be held in Bangkok, Thailand, on June 2019.

These malicious documents have been designed to induce the victims to enable a macro code that will lead to an in-memory payload injection through the use of layered obfuscation techniques.

At the time of analysis, the full infection cycle showed a very low detection rate in comparison with the major anti-malware solutions.

On the basis of the evidences found, we attribute this operation, with an high degree of confidence, to the APT32 / OceanLotus group.

// Comparative Analysis

We performed a first statical, attribution and similarity analysis over our own Telsy CTI platform for one of the malicious documents, in order to better understand what we had in front, obtaining the following results:

Telsy CTI Platform – Malware Attribution Module Results over an OceanLotus Spear-Phishing document

From this moment on, it was quite clear for us which actor we should have to refer in relation to any interests in the geographical area where samples has been collected.

// Insights

The initial attack payloads are Microsoft Office Word documents, but no specific vulnerabilities are used. Instead, in this case, the infection cycle is carried out through embedding layered macro code in them, triggering subsequent malicious behavior and finally implanting the backdoor to the target host.

According to some evidences collected, the design of the campaign seems to have started at the end of January 2019.

In order to execute the macro code in the context of the victim system, the attacker instructs the user to click on “enable content” in the body of the document.

The following a screenshot of how the graphical content appears after a forced dynamic execution:

Forced Dynamic Executing over an OceanLotus Spear-Phishing document

and an extraction of the first stage macro code executed:

1st Malicious Macro Code

The script appears to be heavily obfuscated in order to confuse anti-malware engines and discourage static analysis.

However, after a general cleaning process, it is possible to clarify what this first set of malicious instructions have been designed to perform. Below is a summary of the entire infection cycle performed starting from enabling the macro:

  • The first macro copies its own document file to the %temp% folder.
  • It decrypts the second stage module and modify the REG_KEY “HKCU\Software\Microsoft\Office\14.0\Word\Security\AccessVBOM” in order to set its value to “1”, as showed following:
2nd stage Macro code Snippet

Through this change, the actor is now able to create and use macro-based self-replicating malware. It is possible to obtain this result taking advantage of fact that a registry key value dictates whether external macros can be trusted or not. Indeed, by changing the value of such a registry key, all macros can be put into trusted zone. In a nutshell, this feature allows macros to write more macros.

Despite the potential illicit uses, seems that Microsoft doesn’t regard this as security issue. Instead, Microsoft claims that the feature is designed to function like this.

  • At this point, the second macro is written into the document under %temp%. After this, a fake error message is then shown.3The second stage code is quite similar to the previous with the difference that it is self referencing in the modification of its own components. It retrieves the content of its self document (now under the %temp%) and modify it in order to replace the current module with a third stage code.

Finally, the third payload is capable to perform code injection to finalize the infection of the system. Finally, it calls a function aimed at continuing the infection cycle.

Following, an interesting code snippet:

3th stage Macro code snippet

Quite simple enough to guess, functions visible above will support a code injection activity into winword.exe that will lead to the final backdoor execution. The routine aimed at code injection are capable to differentiate between 32 and 64 bit architectures, and rely on different functions on this basis.

This code allocates a memory region and write in it the first loader, showed in the next figure:

Initial malicious payload

The initial loader contains the final backdoor (in an encrypted form) and an obfuscated shellcode with junked opcodes:

Obfuscated Payload

Once executed, it works in memory performing actions aimed at resolving the API functions VirtualAlloc, RtlZeroMemory and RtlMoveMemory.

It goes to recostruct the whole malware set and to run further malicious components aimed at a first system recognition and at the execution of typical routines which can be observed into pieces of malware designed for remote control and espionage operations.

The header of the embedded PE is then retrieved through the following RC4 decrypting loop:

RC4 loop

The malicious PE appers to be allocated in a currupted form and re-assembled on the fly.

Anyway, once initialized, the backdoor resources are loaded in memory and the configuration data are decrypted.

Here we can find CnC details as well. After the initialization is completed, the backdoor starts to communicate with the C2 available in the config data through the HTTP protocol and POST mode.

The backdoor appears to be capable to communicate outside in different way supporting SOCKS communications as well, after trying connectivity by resolving legitimate services over HTTPS/443.

If the connection succeeds, the first (out of three) remote CnC URLs is retrieved.

A snippet of the in-memory workload is shown below:

In-memory backdoor workload

The URL composing algorithms is similar to that already spotted out by ESET researchers previously and will be not replicated here.

Anyway, the full composed URL looks like the following:

In-memory composing routine

The list of CnC extracted for this specific backdoor variant are:

[+] copy.byronorenstein[.]com

[+] suricata.radeordaunt[.]com

[+] online.stienollmache[.]xyz

and the following is an example of a potential malicious request:

External HTTPS/POST request

// Attribution

According to the evidences found and on the basis of other research papers about this threat group, we attest with an high degree of confidence that this operation has been carried out by the group commonly known as APT32 (aka OceanLotus). 

OceanLotus is a very active threat. Recently, many cyber operations and breaches have been attributed to this elite hacker group. This extensive activity could be the consequence of the multiple interests to which the group focuses its attention.

These interests in fact range from capturing documentation concerning industrial and technological secrets to the information superiority in the geo-political sphere regarding the area of South-East Asia.

OceanLotus continues to pay close attention in order to operate under the radar. Also in this case it was possible to highlight techniques aiming at the obfuscation and encryption of malicious payloads.

Such techniques, although widely used for a long time both in criminal field than in the operations aimed at cyber espionage, still guarantee a high degree of stealth during the infection cycle of a target system.

// Indicators of Compromise

SHA256 55F8D95FC330B1E9519DC572E4ACF8E751387C090F7A640B8EC0257A006212BB
SHA256 A8A3109EBF8AA732D4079DD484D326A9941E63029E188A2E2605B9A8A84C3D93
SHA256 61B8CF99D4C2C8A49827A5EE9D0E329CB2BA476F5C70E9EAF5FA0A144ED7BBB2
CnC copy.byronorenstein.com
CnC suricata.radeordaunt.com
CnC snort.lauradesnoyers.com
CnC clipboard.christienoll.xyz
CnC att.illagedrivestralia.xyz
CnC online.stienollmache.xyz
IP 185.158.113.114
RKEY HKCU\SOFTWARE\Classes\CLSID{E3517E26-8E93-458D-A6DF-8030BC80528B}

Additional Indicators of Compromise, the full malware set, Yara and other detection rules are available subscribing a Telsy CTI service.