OceanLotus

Threat type: APT
The OceanLotus group, also known as APT32 and APT-C-00, mainly targets companies and governments with networks in East Asian countries, including China, the Philippines and Vietnam. This group consistently updates its infrastructure, backdoors and infection vectors to bypass the latest security measures. One of its recently developed backdoors uses several innovative techniques to try to convince users to execute the backdoor (i.e. via a phishing campaign or a watering hole attack). This advanced backdoor also incorporates features that slow down threat detection and analysis.

One of the main delivery mechanisms for OceanLotus is malicious spam campaigns featuring weaponized attachments. These campaigns use malware droppers that verify that the system is vulnerable before executing the attack. Another common delivery method is a watering hole attack, which uses several fake installers that claim to be legitimate installers or updates for popular software. The whole process of installation and execution relies heavily on multiple layers of obfuscation, such as payload decryption, portable executable (PE) reconstruction and loading, shellcode loading, and side-loading techniques.

The side-loading technique is used for installation of the backdoor. It takes advantage of the library loading process of a legitimate and signed executable by writing a malicious library inside the same folder. The backdoor uses DNS tunneling for data exfiltration and command and control callbacks with attacker servers that are hosted on a Fast Flux Network.
How Umbrella blocks OceanLotus
There are several techniques Umbrella uses to detect and block malicious activity associated with OceanLotus. First, Umbrella's DNS tunneling capability detects and blocks DNS abuse attempts in real time. Additionally, Umbrella's Fast Flux classifier is able to proactively discover Fast Flux infrastructure and block command and control callback attempts.
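The DNS tunneling behaviour described above (encoded data carried in subdomain labels of queries to an attacker-controlled apex) can be surfaced from ordinary resolver logs with a simple heuristic: many unique, long, high-entropy subdomains under one registered domain. The following is an added example, not Umbrella's or OceanLotus's code; the log format, the domain names in the sample and the thresholds are constructed, and the registered-domain split is a naive two-label assumption rather than a public suffix list lookup.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<ts> <client> <qname> <qtype>" per line (not real traffic).
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com A
2 10.0.0.5 mail.example.com A
3 10.0.0.7 3q7f9a2k1z8x5c4v6b0n.7h2j9k4l1m.tunnel-example.test TXT
4 10.0.0.7 8d1e5f7a9c2b4e6d0f3a.1p5o9i7u3y.tunnel-example.test TXT
5 10.0.0.7 a4c8e2f6b0d4a8c2e6f0.9z3x7c1v5b.tunnel-example.test TXT
6 10.0.0.7 b7e1a5c9d3f7b1e5a9c3.2q6w0e4r8t.tunnel-example.test TXT
7 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than hostnames like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: apex = last two labels. Production code should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower(), qtype))
    return records

def score_domains(records, min_unique=3, entropy_threshold=3.5, label_len=18):
    """Return apex domains whose subdomain labels look like encoded tunnel payloads."""
    per_apex = defaultdict(list)
    for _, _, qname, qtype in records:
        apex = registered_domain(qname)
        sub = qname[:-len(apex) - 1] if len(qname) > len(apex) else ""
        per_apex[apex].append((sub, qtype))
    flagged = {}
    for apex, subs in per_apex.items():
        unique = {s for s, _ in subs if s}
        if len(unique) < min_unique:
            continue  # too few distinct subdomains to judge
        longest = max(len(lbl) for s in unique for lbl in s.split("."))
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        txt_ratio = sum(1 for _, q in subs if q in ("TXT", "NULL", "CNAME")) / len(subs)
        if longest >= label_len and avg_ent >= entropy_threshold:
            flagged[apex] = {"unique_subdomains": len(unique),
                             "avg_entropy": round(avg_ent, 2), "txt_ratio": round(txt_ratio, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own resolver traffic; CDN and anti-spam lookups also produce many unique subdomains, so the entropy and label-length conditions matter more than the count alone.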

Umbrella also blocks domains that are tied to malicious files and IP addresses associated with OceanLotus IOCs. Umbrella uses AV engines and Cisco Advanced Malware Protection (AMP) to block malicious files before they are downloaded; AMP detects OceanLotus APT malware as Trojan.Win32.OCEANLOTUS.THABOEAH and Umbrella proactively blocks the threat.

References

IOCs (Indicators of Compromise)

Fast Flux Botnet IPs
