URL:
https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
OCEANLOTUS SHIPS NEW BACKDOOR USING OLD TRICKS

To smuggle the backdoor onto a targeted machine, the group uses a two-stage attack whereby a dropper package first gains a foothold on the system and sets the stage for the backdoor itself. This process involves some trickery commonly associated with targeted operations of this kind.

Tomáš Foltýn, 13 Mar 2018 - 09:55AM

ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus, also dubbed APT32 and APT-C-00. A prolific purveyor of malware, OceanLotus has its sights set on high-profile corporate and government targets in Southeast Asia, particularly in Vietnam, the Philippines, Laos, and Cambodia. The apparently well-resourced and determined group is known for integrating its custom-built creations with techniques long known to be successful.

OceanLotus certainly isn’t resting on its laurels while pursuing goals that include cyberespionage, reconnaissance and intellectual property theft. One of the group’s latest backdoors is a fully-fledged malicious tool that gives its operators remote access to a compromised machine.
The backdoor contains a suite of functionalities, notably a number of tools for file, registry and process manipulation, as well as the loading of additional components.

THE RUSE

The attack typically begins with an attempt, most probably via a spearphishing email, to lure the intended victim into running the malicious dropper attached to the email. To increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon. When the victim clicks on the attachment, the dropper opens a password-protected document that is intended as a ‘red herring’ to divert the victim’s attention while the dropper goes about its nefarious business. No software exploits are needed.

The attackers use a number of decoy documents. To boost its aura of authenticity, each file has a rather carefully crafted, and usually English, name. ESET detects the files as Win32/TrojanDropper.Agent.RUI.

In addition, OceanLotus is also known to use ‘watering hole attacks’, which involve the compromise of a website that the victim is likely to visit. In this scenario, the ‘prey’ is tricked into downloading and executing a fake installer or fake update for popular software from the booby-trapped website. Whatever the method of compromise, ultimately the same backdoor is deployed. The watering hole technique has probably been used to distribute a dropper called RobototFontUpdate.exe, a fake updater for the Roboto Slab regular font, which features in our analysis below.

UNDER THE HOOD

Figure 1. Dropper execution flow

The components of the dropper package are executed in a number of steps; each stage involves a heavy dose of code obfuscation designed to shield the malware from detection. To lead researchers and anti-malware software further astray, some garbage code is also included.

If run with administrator privileges, the dropper creates a Windows service that establishes persistence on the system (so that the malware will survive a reboot). Otherwise, the same goal is achieved by tampering with the operating system’s registry. In addition, the package drops an application whose sole purpose is to delete the ‘lure document’ once it has fulfilled its mission.

Figure 2. Backdoor execution flow

Importantly, two more files are dropped and come into play during this stage: a digitally-signed executable from a major, legitimate software developer and a malicious Dynamic Link Library (DLL) named after one used by the legitimate executable. The two files figure in a tried-and-tested trick called ‘DLL side-loading’, which consists of co-opting a legitimate application’s library-loading process by planting a malicious DLL inside the same folder as the signed executable. This is a way to remain under the radar, since a trusted application with a valid signature is less likely to arouse suspicion. The signature covers only the executable’s own bytes, not the libraries it loads at run time, so a valid signature on the host process says nothing about the DLL that ends up executing inside it.

In campaigns utilizing these new OceanLotus tools, we have seen deployed, among others, the genuine signed executables rastlsc.exe from Symantec and mcoemcpy.exe from McAfee. When run, these programs load, respectively, the maliciously supplied rastls.dll (detected by ESET as Win32/Salgorea.BD) and McUtil.dll (detected as Win32/Korplug.MK).

Figure 3. Symantec rastlsc.exe digital signature

THE BACKDOOR OPENS

Once decrypted, the backdoor takes a fingerprint of the system. It sends home various data, such as the computer and user names and the operating system version, before waiting for commands to carry out its main mission.
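The persistence paragraph above describes two routes: a Windows service when the dropper has administrator rights, a registry Run value otherwise. The triage routine below, an added example that is not ESET’s code, applies the checks a responder would run over an autostart export (Autoruns or a Sysmon/registry dump) to surface both shapes. The entries are constructed for the example; the service name, paths and “signed” flags are assumptions, not campaign data.

```python
"""Triage Windows autostart entries for the two persistence routes the article
describes: a service (dropper ran as admin) or a registry Run value (it did not).
Added example for this article, not ESET's code. SAMPLE_ENTRIES is constructed to
resemble an Autoruns-style export; the 'signed' flag is taken as given input."""
import re

# Directories a standard user can write to. Legitimate software almost never
# autostarts from them, so a service or Run value pointing here deserves a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def image_path(value: str) -> str:
    """Extract the binary from an ImagePath/Run value: handles quoting and trailing args."""
    value = value.strip()
    if value.startswith('"'):
        exe = value[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.(?:exe|dll))(?:\s|$)", value, flags=re.I)
        exe = m.group(1) if m else value.split()[0]
    return exe.lower().replace("/", "\\")

def triage(entries):
    """Return [(entry name, [reasons])] for entries that look like malware persistence.
    Each entry: kind ('service' | 'run_key'), name, value (raw registry data), signed (bool)."""
    findings = []
    for e in entries:
        path = image_path(e["value"])
        odd_location = path.startswith(USER_WRITABLE)
        reasons = []
        if odd_location:
            reasons.append("binary in user-writable directory")
        if not e["signed"]:
            reasons.append("binary unsigned")
        elif odd_location:
            # The OceanLotus shape: a genuine vendor-signed exe planted outside its install
            # location so that it side-loads a DLL sitting next to it. A signature check
            # alone would wave this through; the location is what gives it away.
            reasons.append("signed vendor binary outside its install location (side-load candidate)")
        if reasons:
            findings.append((e["name"], reasons))
    return findings

# Constructed sample: two benign entries, one per malicious persistence route.
SAMPLE_ENTRIES = [
    {"kind": "service", "name": "Spooler",
     "value": r"C:\Windows\System32\spoolsv.exe", "signed": True},
    {"kind": "run_key", "name": "OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background', "signed": True},
    # assumed: service created by the dropper when it ran elevated (name and path made up)
    {"kind": "service", "name": "SymantecUpdate",
     "value": r'"C:\ProgramData\Symantec\rastlsc.exe"', "signed": True},
    # assumed: Run value written when admin rights were absent (path made up)
    {"kind": "run_key", "name": "FontUpdate",
     "value": r"C:\Users\victim\AppData\Roaming\RobototFontUpdate.exe", "signed": False},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES):
        print(f"{name}: {'; '.join(reasons)}")
```

The point of the second branch is that the dropper’s elevated path does not produce an unsigned binary to catch: the service points at a legitimately signed executable, and only its location (and the DLL beside it) is wrong.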
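Why the planted rastls.dll is the one that loads follows from the default Windows DLL search order: for anything not on the KnownDLLs list, the directory of the executable is probed before System32. The model below, an added example and not code from ESET or the white paper, resolves an import the way the loader does and flags the side-loading shape (a DLL in the host’s own directory whose signer differs from the host’s). The file system, signer names, import list and the abbreviated KnownDLLs set are constructed assumptions.

```python
"""Model of the default Windows DLL search order (SafeDllSearchMode on), used to show
why a DLL planted beside a signed executable is the one that gets loaded.
Added example for this article, not ESET's code. FS, IMPORTS and the signer strings
are constructed; KNOWN_DLLS is abbreviated from the real registry list."""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
# Abbreviated. The real list lives under HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager\KnownDLLs; those are mapped from System32 and never searched on disk.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}

def search_dirs(app_dir, cwd, path_dirs):
    """Directories probed, in order, for a DLL that is not a KnownDLL."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]

def resolve(dll, app_dir, fs, cwd="C:\\", path_dirs=()):
    """Path the loader would pick for `dll`, or None. `fs` maps present files to their signer."""
    if dll.lower() in KNOWN_DLLS:
        return str(PureWindowsPath(SYSTEM32, dll))
    present = {p.lower(): p for p in fs}           # case-insensitive lookup, original spelling back
    for d in search_dirs(app_dir, cwd, path_dirs):
        hit = present.get(str(PureWindowsPath(d, dll)).lower())
        if hit:
            return hit
    return None

def side_load_findings(exe_path, imports, fs):
    """Imports that resolve into the exe's own directory to a file not signed by the exe's signer.
    A clean vendor install also loads from its own directory, but with a matching signer."""
    app_dir = str(PureWindowsPath(exe_path).parent)
    exe_signer = fs.get(exe_path)
    findings = {}
    for dll in imports:
        where = resolve(dll, app_dir, fs)
        if where is None:
            continue
        in_app_dir = str(PureWindowsPath(where).parent).lower() == app_dir.lower()
        if in_app_dir and fs.get(where) != exe_signer:
            findings[dll] = where
    return findings

# Constructed file system: path -> signer (None = unsigned).
FS = {
    r"C:\Windows\System32\kernel32.dll": "Microsoft Windows",
    r"C:\Windows\System32\advapi32.dll": "Microsoft Windows",
    # assumed vendor install: exe and its DLL carry the same signer
    r"C:\Program Files\Symantec\rastlsc.exe": "Symantec Corporation",
    r"C:\Program Files\Symantec\rastls.dll": "Symantec Corporation",
    # assumed dropper output: same signed exe, unsigned DLL of the expected name beside it
    r"C:\ProgramData\Symantec\rastlsc.exe": "Symantec Corporation",
    r"C:\ProgramData\Symantec\rastls.dll": None,
}
IMPORTS = ["kernel32.dll", "advapi32.dll", "rastls.dll"]   # assumed import table

if __name__ == "__main__":
    for exe in (r"C:\Program Files\Symantec\rastlsc.exe", r"C:\ProgramData\Symantec\rastlsc.exe"):
        print(exe, "->", side_load_findings(exe, IMPORTS, FS) or "clean")
```

The same executable resolves the same import name to two different files depending only on where it sits, which is the whole trick: the attacker controls the directory, so the attacker controls the DLL, and the host’s signature never enters into it.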
A number of domain names and IP addresses are used for the command-and-control (C&C) infrastructure. All communication with the C&C servers is encrypted. It can be readily unscrambled, however, because the decryption key is prepended to the data: anyone holding a captured message also holds the key needed to read it.

Our deep dive (see the link below) into OceanLotus’s latest marauding campaigns shows that the group isn’t letting up in its efforts and combines legitimate code and publicly available tools with its own harmful creations. The group clearly goes to great lengths to bypass detection for its malware and, ultimately, to ‘muddy the waters’ for researchers.

A detailed analysis may be read in the white paper: OceanLotus: Old techniques, new backdoor
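The C&C remark above is worth making concrete: encryption whose key travels at the front of the message protects nothing from whoever captures the traffic. The block below is an added example, not ESET’s code, and the article does not name the cipher or the framing, so RC4 and a one-byte-length-prefixed key are stand-ins chosen for illustration; the beacon text is constructed to resemble the fingerprint fields mentioned (computer name, user name, OS version).

```python
"""Key-prepended 'encryption' of a C&C beacon, and why a pcap is all an analyst needs.
Added example for this article, not ESET's code. Cipher (RC4) and message layout
([1-byte key length][key][ciphertext]) are assumptions; the beacon is constructed."""
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: KSA then PRGA XORed over data. Symmetric, so one function does both ways."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def frame_beacon(plaintext: bytes, key: bytes = b"") -> bytes:
    """Implant side (assumed design): fresh random key per message, shipped in the clear up front."""
    key = key or os.urandom(16)
    assert 1 <= len(key) <= 255
    return bytes([len(key)]) + key + rc4(key, plaintext)

def decode_beacon(blob: bytes) -> bytes:
    """Analyst side: no secret, no sample, no memory dump. Byte 0 says how long the key is,
    the key follows, and the rest decrypts with it."""
    klen = blob[0]
    if klen == 0 or len(blob) < 1 + klen:
        raise ValueError("truncated or malformed beacon")
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return rc4(key, body)

def extract_fields(plaintext: bytes) -> dict:
    """Split an (assumed) 'k=v|k=v' fingerprint into a dict for triage."""
    return dict(part.split("=", 1) for part in plaintext.decode().split("|"))

# Constructed beacon with the kinds of fields the article says are sent home.
BEACON = b"host=WS-042|user=jdoe|os=6.1.7601"

if __name__ == "__main__":
    wire = frame_beacon(BEACON)                    # what would cross the network
    print("captured:", wire.hex())
    print("recovered:", extract_fields(decode_beacon(wire)))
```

Nothing in decode_beacon comes from outside the captured bytes, which is the property the article is pointing at: the key is part of the message, so the ciphertext is effectively plaintext to a network sensor. A design that kept confidentiality would derive the key from something not on the wire (a pre-shared secret, or an agreed key from a key exchange), not from the message itself.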