URL: https://ti.qianxin.com/blog/articles/new%20-trend-in-msi-file-abuse-new-oceanlotus-group-first-to-use-mst-files-to-deli...


RESEARCH


New Trend in MSI File Abuse: New OceanLotus Group First to Use MST Files to
Deliver Trojans

2024-11-04 By QiAnXin Threat Intelligence Center | Incident Tracking



OVERVIEW

During recent day-to-day operations, the QiAnXin Threat Intelligence Center
found that the new OceanLotus group, which we have tracked continuously since
mid-2022, has become active again and is using a new form of MSI file abuse.
Although the MSI TRANSFORMS technique was publicly described in 2022 [1], this
is the first time we have captured it in an APT campaign against a domestic
government or enterprise target.

We currently divide APT-Q-31 (OceanLotus) into two attack sets. Over a long
period of observation, the old and the new OceanLotus have alternated year by
year, each running its own rounds of espionage against the country; the two
sets have completely different TTPs but share attack resources. The new
OceanLotus set was last active at the end of 2023, exactly one year ago. The
execution chain of this spear-phishing email campaign is as follows:



We recommend that government and enterprise customers deploy QAX Endpoint
Detection and Response (EDR) in both office and server environments; with the
cloud lookup function enabled it can detect and block this class of threat.





INTRODUCTION TO MST FILES



The new OceanLotus group executed the following command line via an LNK file:

msiexec.exe /qn /i WindowsPCHealthCheckSetup.msi TRANSFORMS=msGFG.mst


Here WindowsPCHealthCheckSetup.msi is the official, legitimate installation
package provided by Microsoft; only the transform msGFG.mst is attacker-supplied.
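To hunt for this pattern in process-creation telemetry, here is an added Python example (not code from the original article or from QiAnXin). It tokenises msiexec.exe command lines as they appear in a Sysmon Event ID 1 or Windows 4688 CommandLine field, extracts the package and the TRANSFORMS list, and flags invocations that apply a loose .mst file, scoring them higher when the install is silent or the transform sits in a user-writable directory. The first sample is the command line shown above; the other command lines, the path heuristic and the scoring are constructed for illustration.

```python
"""Hunt for msiexec.exe runs that apply an external .mst transform.

Added example; not code from the original article. Log lines below are
constructed, apart from the first one, which is the command line reported
in the article.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Heuristic for attacker-writable locations (an assumption of this example).
USER_WRITABLE = re.compile(
    r"(^|\\)(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass
class Finding:
    package: str
    transforms: list[str]          # loose .mst files only, embedded ones excluded
    quiet: bool
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def analyze_msiexec(cmdline: str) -> Finding | None:
    """Return a Finding when msiexec applies a loose .mst transform, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "msiexec.exe":
        return None
    package, transforms, quiet = "", [], False
    i = 1
    while i < len(toks):
        low = toks[i].lower()
        if low in ("/i", "-i", "/package", "/a", "-a") and i + 1 < len(toks):
            package = toks[i + 1]            # "/i <package>" form
            i += 2
            continue
        if low.startswith(("/q", "-q", "/passive", "-passive")):
            quiet = True                     # /qn, /quiet, /qb, /passive ...
        elif low.startswith("transforms="):
            # TRANSFORMS is a ';'-separated list. A leading ':' means a transform
            # embedded in the MSI itself; '@' and '|' are secure-transform
            # prefixes that still refer to a file on disk.
            for t in toks[i][len("transforms="):].split(";"):
                if t and not t.startswith(":"):
                    transforms.append(t.lstrip("@|"))
        i += 1
    if not transforms:
        return None                          # no loose .mst applied: not this pattern
    reasons = ["external .mst transform applied to "
               + (ntpath.basename(package) or "<unknown package>")]
    if quiet:
        reasons.append("silent install switch present")
    if any(USER_WRITABLE.search(t) for t in transforms):
        reasons.append("transform located in a user-writable directory")
    if any(not t.lower().endswith(".mst") for t in transforms):
        reasons.append("transform without .mst extension")
    return Finding(package, transforms, quiet, reasons)


def hunt(lines: list[str]) -> list[Finding]:
    """Run the check over a batch of CommandLine values."""
    return [f for f in (analyze_msiexec(line) for line in lines) if f]


SAMPLE_COMMAND_LINES = [
    # reported in the article: signed Microsoft MSI + attacker-supplied transform
    r"msiexec.exe /qn /i WindowsPCHealthCheckSetup.msi TRANSFORMS=msGFG.mst",
    # constructed: full paths, transform staged in %TEMP%
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\Setup.msi" '
    r'TRANSFORMS="C:\Users\alice\AppData\Local\Temp\x.mst" /quiet',
    # constructed, benign: embedded language transform selected from inside the MSI
    r"msiexec.exe /i product.msi TRANSFORMS=:1033.mst /qb",
    # constructed, benign: custom action server instance, no package at all
    r"C:\Windows\system32\msiexec.exe /V",
    r"notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_COMMAND_LINES):
        print(f.score, f.package, f.transforms, "; ".join(f.reasons))
```

The check deliberately ignores transforms whose name starts with ':' because those are stored inside the MSI and are routinely used for language or multi-instance installs; what the article describes is a transform shipped as a separate file next to a vendor package, so that is what the score is built around.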



The malicious use of the MSI TRANSFORMS parameter has already been described
in a blog post abroad [1]. The executable module inside the MST generally has
two export functions, LogSetupAfterInstall and LogSetupBeforeInstall, which are
used to take control at stages of the MSI installation process.



Dropping an additional DLL and setting up persistence are implemented in these
two export functions:



The final effect is DLL sideloading that loads into memory the payload of the
Rust Trojan, which had not been seen for a year. The difference from 2023 is
that the attacker has converted the Rust Trojan entirely into shellcode and
removed the previous step of loading the PE file through generic reflective
shellcode, as a countermeasure against memory scanning. We also observed that
the new OceanLotus group used the Mingw-w64 toolchain for most of the dozen or
so loaders it has written, a habit that has continued from 2022 to the present,
whereas that toolchain never appeared in any of the loaders released by the old
OceanLotus attack set in the first half of 2024.



We will disclose the complex in-memory TTPs used by the new OceanLotus group in
2023 later this year.



MSI ABUSE

MSI has become a well-worn universal payload in recent years, used by all kinds
of threat groups, and analysis methods and workflows have already been shared
by colleagues abroad [2]. Here we look at it from the angle of MSI exploitation
techniques and review how APT groups from every direction have used MSI over
the past two years.

MEDIA TABLE

Bitter, APT-Q-27, APT-Q-15 (Darkhotel), CNC and other APT groups compress their
malicious components into the CAB, which is extracted and executed during MSI
installation. This is currently the most common exploitation technique. Its
disadvantage is that the malicious components are dropped to disk as the MSI
installs, which puts more pressure on the attacker's ongoing anti-virus
evasion.




CUSTOMACTION TABLE

The CustomAction table supports various kinds of custom actions, which gives
attackers much more room to manoeuvre. For example, the Bitter group calls a
signed third-party PowerShell interpreter from the CustomAction table to
execute PowerShell scripts.



APT-Q-15 (Darkhotel), in its espionage against North Korean targets, delivers a
malicious MSI installer for North Korean fonts and adds the Trojan module
core.dll to the CustomAction table. In contrast to a malicious module inserted
via the Media table, core.dll does not land on disk as an installed file during
the MSI installation; instead the system process msiexec starts a separate
child process that loads this DLL in memory, achieving a LOLBin effect.



It also does not affect the installation process of the kpkm2024.ttf font:
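The MST export functions described earlier (LogSetupBeforeInstall / LogSetupAfterInstall) and the core.dll case in this section are both consistent with DLL custom actions, where the CustomAction table's Target column names the exported entry point and the Type column's bit field decides where the code comes from and with what privileges it runs. The following added Python example (not code from the article or from QiAnXin) decodes that Type field using the documented msidbCustomActionType* bit values and ranks rows as they would be exported from a CustomAction table of an MSI or MST. The rows, the Binary-table key "SetupLib" and the scoring weights are constructed for illustration.

```python
"""Decode and triage Windows Installer CustomAction.Type values.

Added example; not code from the original article. The bit constants are
the documented msidbCustomActionType* values; the sample rows, the
Binary-table key "SetupLib" and the scoring weights are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Low 3 bits: what kind of action it is.
BASE = {1: "DLL", 2: "EXE", 3: "TEXT", 5: "JScript", 6: "VBScript", 7: "Install"}
# Bits 16/32: where the code or data is taken from.
SOURCE = {0: "Binary", 16: "InstalledFile", 32: "Directory", 48: "Property"}
CONTINUE, ASYNC = 64, 128
FIRST_SEQ, ONCE_PER_PROC = 256, 512           # with IN_SCRIPT: rollback / commit
IN_SCRIPT, NO_IMPERSONATE = 1024, 2048        # deferred / run as LocalSystem
HIDE_TARGET = 8192

LOLBINS = ("powershell", "pwsh", "cmd.exe", "rundll32", "regsvr32",
           "mshta", "wscript", "cscript", "msiexec")


@dataclass
class Decoded:
    base: str
    source: str
    deferred: bool
    rollback: bool
    commit: bool
    no_impersonate: bool
    asynchronous: bool
    hide_target: bool


def decode(type_value: int) -> Decoded:
    """Split a CustomAction.Type integer into its documented components."""
    in_script = bool(type_value & IN_SCRIPT)
    sched = type_value & (FIRST_SEQ | ONCE_PER_PROC)
    return Decoded(
        base=BASE.get(type_value & 7, f"Unknown({type_value & 7})"),
        source=SOURCE[type_value & 48],
        deferred=in_script,
        rollback=in_script and sched == FIRST_SEQ,
        commit=in_script and sched == ONCE_PER_PROC,
        no_impersonate=bool(type_value & NO_IMPERSONATE),
        asynchronous=bool(type_value & ASYNC),
        hide_target=bool(type_value & HIDE_TARGET),
    )


def triage(action: str, type_value: int, source: str, target: str) -> tuple[int, list[str]]:
    """Score one CustomAction row (Action, Type, Source, Target) for review."""
    d = decode(type_value)
    if d.base in ("TEXT", "Install"):
        return 0, [f"{action}: {d.base}/{d.source} action, no code runs"]
    score, why = 2, [f"{action}: {d.base} runs during install, source={d.source}"]
    if d.base == "DLL":
        why.append(f"entry point {target!r} is called by a custom action server (child msiexec.exe)")
    if d.source == "Binary":
        score += 1
        why.append("code is carried in the package's or transform's Binary table, not as an installed product file")
    if d.deferred and d.no_impersonate:
        score += 3
        why.append("deferred + NoImpersonate: executes as LocalSystem in the installer service")
    if d.base == "EXE" and any(b in target.lower() for b in LOLBINS):
        score += 2
        why.append("Target invokes a living-off-the-land binary")
    if d.asynchronous:
        score += 1
        why.append("asynchronous: installer does not wait for the payload")
    if d.hide_target:
        score += 1
        why.append("HideTarget: Target is withheld from the install log")
    return score, why


def rank(rows: list[tuple[str, int, str, str]]) -> list[tuple[int, str]]:
    """Highest-risk rows first, as (score, action) pairs."""
    return sorted(((triage(*r)[0], r[0]) for r in rows), key=lambda x: -x[0])


SAMPLE_ROWS = [  # constructed; a transform can add rows like these to a benign MSI
    ("LogBefore", 1, "SetupLib", "LogSetupBeforeInstall"),       # DLL from Binary, immediate
    ("LogAfter", 3073, "SetupLib", "LogSetupAfterInstall"),      # 1 + 1024 + 2048: deferred, SYSTEM
    ("RunStage", 3106, "INSTALLDIR", '"[INSTALLDIR]pwsh.exe" -nop -ep Bypass -f stage.ps1'),  # 2+32+1024+2048
    ("SetInstallLocation", 51, "ARPINSTALLLOCATION", "[INSTALLDIR]"),  # 3 + 48: set a property
]

if __name__ == "__main__":
    for score, action in rank(SAMPLE_ROWS):
        row = next(r for r in SAMPLE_ROWS if r[0] == action)
        print(score, action, "; ".join(triage(*row)[1]))
```

When reviewing a suspicious MST, diffing its CustomAction and Binary tables against the clean MSI and feeding the added rows through triage() is usually enough to see whether the transform merely re-brands the installer or introduces code that runs in the installer's context.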




MST FILES

Only the new OceanLotus group has been observed using this technique.



SUMMARY

The full product line based on threat intelligence data from the QiAnXin
Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform
(TIP), QAX Endpoint Detection and Response (EDR), the SkyEye Advanced Threat
Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already
supports accurate detection of this kind of attack.





IOC

The C2 is no longer valid and is therefore not provided.

MD5:

309a3a8f4d075d5d43d81d6357075b22

46623db76d5ff6b2ec5734fb84bade8e



REFERENCE LINKS

[1] https://mgeeky.tech/msi-shenanigans-part-1/

[2] https://intezer.com/blog/incident-response/how-to-analyze-malicious-msi-installer-files/

Tags: APT, Southeast Asia, OceanLotus, MSI, TRANSFORMS