OceanLotus: New Backdoor, Old Schemes
The OceanLotus Group (aka APT32 and APT-C-00) is known for its attacks in East Asia. A number of studies on the group’s work were published last year, including CyberReason documents, a FireEye review, and a description of the watering-hole of the Volexity attack. As we can see, the group updates the backdoors, infrastructure and infection vectors.
OceanLotus continues to target companies and government agencies in East Asian countries. According to ESET telemetry, OceanLotus’s priorities are in Vietnam, Laos, Cambodia and the Philippines.
A few months ago, we discovered and analyzed one of their newest backdoors. It implements several tools that make it difficult to analyze and avoid detection - they will be discussed in a post.
')
To convince the victim to launch a malicious dropper, the attackers use different methods.
There is a chance that droppers are distributed via email attachments. We observed the following file names:
-
-
-
-
-
-
-
All of these files have something in common - launching a password-protected bait document. It is unclear whether somewhere in the data of the transmitted letter is a password, or the document should not open.
Several fake installers pretending to be installers or software updates were seen in watering hole campaigns. One example is the repackaged Firefox installer described by 360 Labs on Freebuf (in Chinese).
Another sample we saw was called
All described files, whether they were distributed via mail or downloaded when visiting a compromised site, delivered the same backdoor component. In the post, we will analyze the sample of
The installation and execution process depends on multi-layer obfuscation, namely, component encryption, PE file reconstruction, shell-code loading and side-loading technology (fill). The latter was described in a previous ESET study on the Korplug .
The attack consists of two parts: the dropper and the launcher. Each step of each part of the process will be explained in detail in the appropriate section. The two schemes below provide a brief overview of the overall progress of malware.
Figure 1. Dropper progress
Figure 2. Backdoor progress
Almost all of these components are obfuscated. Obfuscation is based on teams of a pair of complementary conditional transition. For each of the forms: JZ / JNZ, JP / JNP, JO / JNO, and so on, each pair makes the transition to the same goal. The sequence is interspersed with garbage code that uses the stack pointer, but does not change the value of the conditional flag. It turns out that the transition takes place within one branch. This leads to problems in the decompilation process due to the use of positive values of the stack pointer.
Figure 3. Complementary conditional transition
In addition, some basic program elements add one address to the stack, and then end on a JMP / CALL, while other basic elements add two addresses and end with the RET command. The second addition of the element is the called function, and the first is the address of the next basic program element where the transition will be made. Thus, the basic elements of the program are created without parent objects.
Figure 4. PUSH / JMP Technique
As a result of a combination of two obfuscation techniques, “beautiful” graphics are obtained:
Figure 5. Obfuscating the run sequence
It's easy to notice the trash code. It can be ignored when analyzing samples, if you know the scheme of application.
In recent months, OceanLotus used several baits. One of them is the fake font update software
Figure 6. RobototFontUpdate font update icon
When executing, a binary file decrypts its resources (XOR, 128 bytes, hard-coded key) and recovers decrypted data (LZMA). Legitimate RobotoSlab-Regular.ttf file
(SHA1:
The shellcode is executed, decoded from resources. After performing the fake font update, it injects another application, whose sole purpose is to remove the dropper. This "erase" application is implemented as
The same shellcode is applied at each stage.
Shell code - custom PE loader. It restores the executable file in memory - decrypts all sections and calculates the necessary movements and other indents. Shell code uses three Windows API functions:
The
The shell code calls the input function in the decrypted PE, and then the export function
This executable file decrypts resources using the AES algorithm in CBC mode through the Windows API. Hard-coded key has a size of 256 bits. After decryption, the compressed data is unpacked (LZMA algorithm).
If the process is run as an administrator, the malware ensures persistence by creating a service. Otherwise, the classic Run registry key is used (
If the dropper code is executed with administrator rights, it tries to write the files listed below into the folder
-
-
-
The path varies from sample to sample, but the pattern is similar. Depending on the rights, the malware resets files to
-
-
-
These paths are used by various Symantec products.
After reaching persistence and implementing an executable file, a legitimate file,
We also observed the version (
The OceanLotus team uses an old and well-known technique in one of the Symantec executables. The bottom line is to use the process of loading a legitimate and signed .exe library file by writing a malicious library into the same folder. This will make the malicious behavior look legitimate, since these actions are performed during the operation of the trusted executable file.
As mentioned above, the legitimate
It imports the
Figure 7. Digital signature rastlsc.exe from Symantec
We also saw a fill using other legitimate and signed executable files, including
The internal name of the dll file is
Figure 8. All rasltls.dll exports lead to the execution of a single function
The export tries to read the
Option
To create a shellcode, use the following pseudocode:
Below in the picture you can see the listing of the result of the assembly:
Figure 9. Generated shellcode
Shell code decrypts and loads the library
Option
First, the malware tries to download its resources and decrypt them using the RC4 algorithm. The resulting resources contain the data used to configure the backdoor. The configuration format is easy to learn. Using the Kaitai struct and its dumper structure, we get the following:
Figure 10. Configuration structure
Note : with the exception of the domain_encoding_str string and the httpprov library, data changes from sample to sample. The registry keys are almost the same, but they have a similar scheme:
The malicious program receives the first 10 bytes of the username (UTF-16), korit them with a three-letter string
The backdoor includes a PE loader that loads the
The backdoor uses the standard TCP communication protocol on port
The malware selects one of the three domains from the configuration and adds a special subdomain, which is generated using two values. The first value is the computer name within the length of 16 bytes. The second is a four-byte version ID. The code in Python 2 below is a coding algorithm:
For example, if the computer name is
For the C & C server label of this backdoor, you can use the following regular expression:
If the IP address belongs to a specific domain, malware tries to establish a TCP connection through port
The communication process is RC4 encrypted and compressed using LZMA. It is possible to decrypt traffic, as the key is added to the beginning of the packets. The format is as follows:
Each key byte is generated by the
The first time the client connects to the server, a UUID is sent, which is used as the session ID. The latter is stored in the registry key as binary data:
As we said earlier, the backdoor also contains a library called
After initialization, an entry will be created in the registry - a command for the backdoor to further use HTTP to communicate with the command server:
A standard client application is used:
The main characteristic of this library is a special algorithm for encrypting the universal resource identifier. The resource part of the URI is created using the following pseudocode:
Note : for clarity, the part responsible for checking the string length has been removed from the code.
To obtain an identifier from the generated string, add two numbers using a special sum check algorithm:
By adding the
After obtaining the SESSIONID session ID, the backdoor makes a digital fingerprint of the system. The package is built as follows (indent in the package - description):
0x000 - byte: the value changes in each version
0x001 - 0x01: hardcoded byte
0x002 - bool: the presence of elevated privileges
0x003 - dword: version ID
0x007 - string (UTF-16), computer name (max. 0x20)
0x027 - string (UTF-16), username
0x079 - the result of the query on the registry in
0x179 - the subsequent format of the string% s (% s); is replaced by (
0x279 - Physical disk, control I / O device PhysicalDrive deviceIOControl 0x2D1400 (IOCTL_STORAGE_QUERY_ PROPERTY) (VolSerialNumber)
0x379 - wmi
0x3f9 - Get the current date and time GetSystemTimeAsFileTime
0x400 - bool: unknown
0x401 - dword: received after decrypting a resource
Here is an example of a digital fingerprint system:
Figure 11. Digital Fingerprint System
This is a full-fledged backdoor, which provides its operators with a number of possibilities: manipulating the file, registry and processes, loading additional components, obtaining a digital fingerprint of the system. Below are the numbers and descriptions of supported commands:
0 - digital print
1 - sets the session ID
2 - creating a process and getting a result (using software channels)
3 - sets the count of connection attempts
4 - postpones polling time
5 - reads a file or registry key and counts MD5
6 - process creation
7 - creates a file, registry entry or stream in memory
8 - writes to the registry
9 - polls the registry
10 - looks for files in the system
11 - transfers files to another directory
12 - deletes files from disk
13 - getting a list of disks marked up in the system using the function
14 - creates a directory
15 - deletes the directory
16 - reads file from offset
17 - calls PE loader (transition to communication via
18 - [Unknown]
19 - 0: polling values in the registry; 1: implementation and execution of the program
20 - sets the environment variable
21 - launches shellcode in new thread
22 - returns the environment variable
+23 in the new version - restarts itself if the APPL environment variable does not exist
OceanLotus remains highly active and continues to update the toolkit.
The group seeks to hide its activities; to do this, attackers carefully select victims, limit the spread of malicious programs, use several servers in order not to draw attention to a single domain or IP address. Deciphering the component being injected and the fill technique (side-loading), despite being widely known, avoids detection, since the work of intruders in this case is disguised as a legitimate application.
OceanLotus continues to target companies and government agencies in East Asian countries. According to ESET telemetry, OceanLotus’s priorities are in Vietnam, Laos, Cambodia and the Philippines.
A few months ago, we discovered and analyzed one of their newest backdoors. It implements several tools that make it difficult to analyze and avoid detection - they will be discussed in a post.
')
Spread
To convince the victim to launch a malicious dropper, the attackers use different methods.
Dual extensions and fake application icons (Word, PDF, etc.)
There is a chance that droppers are distributed via email attachments. We observed the following file names:
-
Mi17 Technical issues - Phonesack Grp.exe (Mi-17 - Russian helicopter model)-
Chi tiet don khieu nai gui saigontel.exe (translated from Vietnamese - “details of the claim sent to Saigontel”, Saigontel is a Vietnamese telecommunications company)-
Updated AF MOD contract - Jan 2018.exe-
remove_pw_Reschedule of CISD Regular Meeting.exe-
Sorchornor_with_PM_-_Sep_2017.exe-
20170905-Evaluation Table.xls.exe-
CV_LeHoangThing.doc.exe (fake resumes were also found in Canada)All of these files have something in common - launching a password-protected bait document. It is unclear whether somewhere in the data of the transmitted letter is a password, or the document should not open.
Fake installers
Several fake installers pretending to be installers or software updates were seen in watering hole campaigns. One example is the repackaged Firefox installer described by 360 Labs on Freebuf (in Chinese).
Another sample we saw was called
RobototFontUpdate.exe . It probably spread through compromised sites, but we do not have sufficient evidence of this.All described files, whether they were distributed via mail or downloaded when visiting a compromised site, delivered the same backdoor component. In the post, we will analyze the sample of
RobototFontUpdate.exe and show how it manages to execute the malicious payload in the system.Technical analysis
The installation and execution process depends on multi-layer obfuscation, namely, component encryption, PE file reconstruction, shell-code loading and side-loading technology (fill). The latter was described in a previous ESET study on the Korplug .
Review progress
The attack consists of two parts: the dropper and the launcher. Each step of each part of the process will be explained in detail in the appropriate section. The two schemes below provide a brief overview of the overall progress of malware.
Figure 1. Dropper progress
Figure 2. Backdoor progress
Almost all of these components are obfuscated. Obfuscation is based on teams of a pair of complementary conditional transition. For each of the forms: JZ / JNZ, JP / JNP, JO / JNO, and so on, each pair makes the transition to the same goal. The sequence is interspersed with garbage code that uses the stack pointer, but does not change the value of the conditional flag. It turns out that the transition takes place within one branch. This leads to problems in the decompilation process due to the use of positive values of the stack pointer.
Figure 3. Complementary conditional transition
In addition, some basic program elements add one address to the stack, and then end on a JMP / CALL, while other basic elements add two addresses and end with the RET command. The second addition of the element is the called function, and the first is the address of the next basic program element where the transition will be made. Thus, the basic elements of the program are created without parent objects.
Figure 4. PUSH / JMP Technique
As a result of a combination of two obfuscation techniques, “beautiful” graphics are obtained:
Figure 5. Obfuscating the run sequence
It's easy to notice the trash code. It can be ignored when analyzing samples, if you know the scheme of application.
Dropper
Stage 1. Bait Document
In recent months, OceanLotus used several baits. One of them is the fake font update software
Roboto Slab regular TrueType. Font selection seems a bit strange, as it does not support many East Asian languages.Figure 6. RobototFontUpdate font update icon
When executing, a binary file decrypts its resources (XOR, 128 bytes, hard-coded key) and recovers decrypted data (LZMA). Legitimate RobotoSlab-Regular.ttf file
(SHA1:
912895e6bb9e05af3a1e58a1da417e992a71a324 ) is written to the %temp% folder and is launched using the Win32 API function ShellExecute .The shellcode is executed, decoded from resources. After performing the fake font update, it injects another application, whose sole purpose is to remove the dropper. This "erase" application is implemented as
%temp%\[0-9].tmp.exe .Stage 2. Shell Code
The same shellcode is applied at each stage.
Shell code - custom PE loader. It restores the executable file in memory - decrypts all sections and calculates the necessary movements and other indents. Shell code uses three Windows API functions:
VirtualAlloc , RtlMoveMemory and RtlZeroMemory .The
RtlZeroMemory function RtlZeroMemory used to reset fields in the PE header. It is impossible to rely on automatic memory dump, because the MZ / PE headers are damaged.The shell code calls the input function in the decrypted PE, and then the export function
DLLEntry .Stage 3. Real Dropper
{103004A5-829C-418E-ACE9-A7615D30E125}.dllThis executable file decrypts resources using the AES algorithm in CBC mode through the Windows API. Hard-coded key has a size of 256 bits. After decryption, the compressed data is unpacked (LZMA algorithm).
If the process is run as an administrator, the malware ensures persistence by creating a service. Otherwise, the classic Run registry key is used (
HKCU\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run;DeviceAssociationService;rastlsc.exe ).If the dropper code is executed with administrator rights, it tries to write the files listed below into the folder
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\ , if not, it writes them to the %APPDATA%\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\ folder %APPDATA%\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\ :-
rastlsc.exe (SHA1: 2616da1697f7c764ee7fb558887a6a3279861fac , copy of the legitimate Symantec Network Access Control application, dot1xtra.exe )-
SyLog.bin (SHA1: 5689448b4b6260ec9c35f129df8b8f2622c66a45 , encrypted backdoor)-
rastls.dll (SHA1: 82e579bd49d69845133c9aa8585f8bd26736437b , malicious DLL that is being rastlsc.exe by rastlsc.exe )The path varies from sample to sample, but the pattern is similar. Depending on the rights, the malware resets files to
%ProgramFiles% or %appdata% . We also observed:-
\Symantec\CNG Key Isolation\-
\Symantec\Connected User Experiences and Telemetry\-
\Symantec\DevQuery Background Discovery Broker Tasks\These paths are used by various Symantec products.
After reaching persistence and implementing an executable file, a legitimate file,
rastlsc.exe , executed using CreateProcessW .We also observed the version (
{BB7BDEC9-B59D-492E-A4AF-4C7B1C9E646B}.dll ), which executes rastlsc.exe with the krv parameter. We will discuss in detail below.Backdoor component: rastlsc.exe fill
The OceanLotus team uses an old and well-known technique in one of the Symantec executables. The bottom line is to use the process of loading a legitimate and signed .exe library file by writing a malicious library into the same folder. This will make the malicious behavior look legitimate, since these actions are performed during the operation of the trusted executable file.
As mentioned above, the legitimate
rastlsc.exe file is reset and executed.It imports the
rastls.dll file, which in this case has malicious content.Figure 7. Digital signature rastlsc.exe from Symantec
We also saw a fill using other legitimate and signed executable files, including
mcoemcpy.exe from McAfee, which loads McUtil.dll . This technique was previously used by PlugX, which attracted the attention of Vietnam CERT (in Vietnamese).Stage 1. Filling the library, rastls.dll
The internal name of the dll file is
{7032F494-0562-4422-9C39-14230E095C52}.dll , but we have seen other versions, for example, {5248F13C-85F0-42DF-860D-1723EEAA4F90}.dll . All exported functions lead to the execution of the same function.Figure 8. All rasltls.dll exports lead to the execution of a single function
The export tries to read the
SyLog.bin file located in the same folder. Other versions tried to open the OUTLFLTR.DAT file. If the file exists, it will be decrypted using the AES algorithm in CBC mode with a hard-coded 256-bit key, and then the compressed data will be decompressed (LZMA compression).Option
McUtil.dll uses a different technique. At first glance, the main function does not perform anything malicious, but in fact it replaces the .text section of the legitimate mcoemcpy.exe file, a binary file. It generates a shellcode whose task is to call a function to read the encrypted shellcode of the second stage from the mcscentr.adf file.To create a shellcode, use the following pseudocode:
x = False i = 0
buff = genRandom()
opc1 = [0x58,0x59,0x5a,0x5b]
opc2 = [0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57]
opc3 = [0x90,0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,
0x49,0x4a,0x4b]
while i < len(buff):
currentChar = buff[i] if currentChar < 0xc8:
buff[i] = opc1[currentChar % len(opc1)]
else:
if x:
buff[i] = opc2[currentChar % len(opc2)]
else:
buff[i] = opc3[currentChar % len(opc3)] x = x == False
i+=1Below in the picture you can see the listing of the result of the assembly:
Figure 9. Generated shellcode
Stages 2–4. Shell Code Launcher and Shell Code Again
Shell code decrypts and loads the library
{E1E4CBED-5690-4749-819D-24FB660DF55F}.dll . The library loads resources and tries to start the DeviceAssociationService service. The decrypted information also contains the shellcode. The latter decodes the final stage: the backdoor.Option
{92BA1818-0119-4F79-874E-E3BF79C355B8}.dll checks if rastlsc.exe executed with krv as the first parameter. If yes, the task is created, and rastlsc.exe is executed again, but without this parameter.Stage 5. Backdoor
{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dllFirst, the malware tries to download its resources and decrypt them using the RC4 algorithm. The resulting resources contain the data used to configure the backdoor. The configuration format is easy to learn. Using the Kaitai struct and its dumper structure, we get the following:
Figure 10. Configuration structure
Note : with the exception of the domain_encoding_str string and the httpprov library, data changes from sample to sample. The registry keys are almost the same, but they have a similar scheme:
\HKCU\SOFTWARE\Classes\AppX[a-f0-9]{32} , nothing remarkable.The malicious program receives the first 10 bytes of the username (UTF-16), korit them with a three-letter string
mutex_encoding_str in UTF-16 and encodes in hexadecimal. The result is used as the name of the mutex. For example, for a user whose name begins with abc and a key in the form of vwx , the mutex will be \Sessions\1\BaseNamedObjects\170015001b .The backdoor includes a PE loader that loads the
HTTPProv.dll library into memory, calls an entry point, and then calls the CreateInstance export function.Communication
The backdoor uses the standard TCP communication protocol on port
25123 . To obtain the IP address of the server, the backdoor first creates a specific DNS query.The malware selects one of the three domains from the configuration and adds a special subdomain, which is generated using two values. The first value is the computer name within the length of 16 bytes. The second is a four-byte version ID. The code in Python 2 below is a coding algorithm:
letters=domain_encoding_str # “ghijklmnop” hex_pc_name=pc_name.encode(“UTF-16LE”).encode(“hex”) s=''
for c in hex_pc_name:
if 0x2f < ord(c) < 0x3a:
s+=letters[ord(c) - 0x30]
else:
s+=cFor example, if the computer name is
random-pc , and the version ID is 0x0a841523, then the following domain is generated:niggmhggmeggmkggmfggmdggidggngggmjgg.ijhlokga.dwarduong[.]comFor the C & C server label of this backdoor, you can use the following regular expression:
[ghijklmnopabcdef]{4-60}\.[ghijklmnopabcdef]{8}\.[az]+\.[az]+If the IP address belongs to a specific domain, malware tries to establish a TCP connection through port
25123 . Each sample has three different domain names that are used to search for a C & C server.The communication process is RC4 encrypted and compressed using LZMA. It is possible to decrypt traffic, as the key is added to the beginning of the packets. The format is as follows:
[ RC4 (4 )][ ]Each key byte is generated by the
rand function. After decrypting and unpacking a packet, the data has the following format:[dw:][dw:][dw: ][dw: ][dw:] [dw:]The first time the client connects to the server, a UUID is sent, which is used as the session ID. The latter is stored in the registry key as binary data:
HKCU\SOFTWARE\Classes\ AppXc52346ec40fb4061ad96be0e6cb7d16a\DefaultIconAs we said earlier, the backdoor also contains a library called
HTTPprov . It is used as an alternative way to communicate with the server. The DLL file sends a POST request via HTTP. It also supports HTTPS and proxy usage of SOCKS5, SOCKS4a and SOCKS4. The library is statically linked with libcurl .After initialization, an entry will be created in the registry - a command for the backdoor to further use HTTP to communicate with the command server:
HKCU\SOFTWARE\Classes\ CLSID{E3517E26-8E93-458D-A6DF-8030BC80528B} .A standard client application is used:
Mozilla/4.0 ( ; MSIE 8.0; Windows NT 6.0; Trident/4.0) .The main characteristic of this library is a special algorithm for encrypting the universal resource identifier. The resource part of the URI is created using the following pseudocode:
buffEnd = ((DWORD)genRand(4) % 20) + 10 + buff; while (buff < buffEnd){
b=genRand(16);
if (b[0] - 0x50 > 0x50)
t=0;
else
*buf++= UPPER(vowels[b[1] % 5]);
v=consonants[b[1]%21]); if (!t)
v=UPPER(v);
*buff++= v;
if (v!='h' && b[2] - 0x50 < 0x50)
*buff++= 'h';
*buff++= vowels[b[4] % 5];
if (b[5] < 0x60)
*buff++= vowels[b[6] % 5];
*buff++= consonants[b[7] % 21];
if (b[8] < 0x50)
*buff++= vowels[b[9] % 5];
*buff++= '-';
};
*buff='\0';Note : for clarity, the part responsible for checking the string length has been removed from the code.
To obtain an identifier from the generated string, add two numbers using a special sum check algorithm:
checksum=crc32(buff)
num2=(checksum >> 16) + (checksum & 0xffff) * 2
num1=(num2 ^ 1) & 0xf
URL=GENERATED_DOMAIN+ “/” + num1 + “/” + num2 + “-” + buffBy adding the
HTTPprov library URI generator, we get the following URL:hXXp://niggmhggmeggmkggmfggmdggidggngggmjgg.ijhlokga.aisicoin[.]com/ 13/139756-Ses-Ufali-LTeams
After obtaining the SESSIONID session ID, the backdoor makes a digital fingerprint of the system. The package is built as follows (indent in the package - description):
0x000 - byte: the value changes in each version
0x001 - 0x01: hardcoded byte
0x002 - bool: the presence of elevated privileges
0x003 - dword: version ID
0x007 - string (UTF-16), computer name (max. 0x20)
0x027 - string (UTF-16), username
0x079 - the result of the query on the registry in
HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion values: ProductName , CSDVersion , CurrentVersion , ReleaseId , CurrentBuildNumber and the result of the call IsWow64Process (x86|x64)0x179 - the subsequent format of the string% s (% s); is replaced by (
GetVolumeInformationW:VolumeNameBuffer ), VolumePathNames0x279 - Physical disk, control I / O device PhysicalDrive deviceIOControl 0x2D1400 (IOCTL_STORAGE_QUERY_ PROPERTY) (VolSerialNumber)
0x379 - wmi
SELECT SerialNumber FROM Win32_BaseBoard0x3f9 - Get the current date and time GetSystemTimeAsFileTime
0x400 - bool: unknown
0x401 - dword: received after decrypting a resource
Here is an example of a digital fingerprint system:
Figure 11. Digital Fingerprint System
This is a full-fledged backdoor, which provides its operators with a number of possibilities: manipulating the file, registry and processes, loading additional components, obtaining a digital fingerprint of the system. Below are the numbers and descriptions of supported commands:
0 - digital print
1 - sets the session ID
2 - creating a process and getting a result (using software channels)
3 - sets the count of connection attempts
4 - postpones polling time
5 - reads a file or registry key and counts MD5
6 - process creation
7 - creates a file, registry entry or stream in memory
8 - writes to the registry
9 - polls the registry
10 - looks for files in the system
11 - transfers files to another directory
12 - deletes files from disk
13 - getting a list of disks marked up in the system using the function
GetLogicalDriveStringW14 - creates a directory
15 - deletes the directory
16 - reads file from offset
17 - calls PE loader (transition to communication via
HTTPprov )18 - [Unknown]
19 - 0: polling values in the registry; 1: implementation and execution of the program
20 - sets the environment variable
21 - launches shellcode in new thread
22 - returns the environment variable
+23 in the new version - restarts itself if the APPL environment variable does not exist
Conclusion
OceanLotus remains highly active and continues to update the toolkit.
The group seeks to hide its activities; to do this, attackers carefully select victims, limit the spread of malicious programs, use several servers in order not to draw attention to a single domain or IP address. Deciphering the component being injected and the fill technique (side-loading), despite being widely known, avoids detection, since the work of intruders in this case is disguised as a legitimate application.
Compromise Indicators (IoCs)
Samples
Table 1: dropper
Table 2: Libraries
Network
IP addresses
46.183.220.81
46.183.220.82
46.183.222.82
46.183.222.83
46.183.222.84
46.183.223.106
46.183.223.107
74.121.190.130
74.121.190.150
79.143.87.230Source: https://habr.com/ru/post/421779/
All Articles