With the ultimate purpose of cyber espionage and intellectual property theft, OceanLotus, which has been active since at least 2012, has a history of targeting government and corporate networks in East Asian nations, especially Vietnam, the Philippines, Laos, and Cambodia. Attack chains usually employ spear-phishing lures as the first penetration vector in order to distribute backdoors that have the ability to execute any shellcode and gather private data. However, as early as 2018, the APT was also seen planning watering hole activities in an attempt to either capture login credentials or infect site users with a reconnaissance payload.

Researchers recently put together a series of attacks that involved four hosts, each of which had been compromised to add different scheduled tasks and Windows Registry keys that trigger Cobalt Strike Beacons, a backdoor that allows Google Chrome cookies for every user profile on the system to be stolen, and loaders that trigger embedded DLL payloads. This development coincides with a campaign that is reportedly targeting South Korean users and using spear-phishing and weak Microsoft Exchange servers to spread reverse shells, backdoors, and VNC malware that takes over compromised devices and retrieves passwords from web browsers.

Impact

• Cyber Espionage
• Sensitive Data Theft
• Code Execution
• Credential Theft

Indicators of Compromise

Domain Name

• hx-in-f211.popfan.org
• priv.manuelleake.com
• blank.eatherurg.com
• cdn.arlialter.com
• fbcn.enantor.com
• ww1.erabend.com

IP

• 51.81.29.44
• 5.230.35.192
• 185.43.220.188
• 193.107.109.148
• 176.103.63.48

MD5

• 351f45571fd7039de0241245aa85731f
• a1a062f8a453451c04cbce791c4d8c98
• 884d46c01c762ad6ddd2759fd921bf71

SHA-256

• c03cc808b64645455aba526be1ea018242fcd39278acbbf5ec3df544f9cf9595
• a217fe01b34479c71d3a7a524cb3857809e575cd223d2dd6666cdd47bd286cd6
• 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA-1

• 2ff66d370f7cedc92585c6abb37ef01b36ae6439
• 878a66af12b68b88770bfee4963b4d8e881e434c
• d201b130232e0ea411daa23c1ba2892fe6468712

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Maintain daily backups of all computer networks and servers.
• Keep operating systems and software up to date as threat actors often exploit vulnerabilities in software and operating systems. Keeping these up to date can help prevent vulnerabilities from being exploited.
• Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
• Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread banking malware.