The OceanLotus state-sponsored hacking group now uses the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.
The goal is to evade anti-virus tools, which are more likely to catch commonly abused document formats and block the victim from opening them in Microsoft Office.
The group, also tracked as APT32 and SeaLotus, has a history of trying less common methods of deploying malware.
A report from Netskope Threat Labs shared with Bleeping Computer ahead of publication notes that OceanLotus' campaign using web archive files is still active, although the targeting scope is narrow, despite the disruption of its command and control (C2) server.
From reliable RARs to Word macros
The attack chain begins with a RAR archive that compresses a large (35-65 MB) web archive file containing a malicious Word document.
To bypass Microsoft Office's protections, the actors set the ZoneId value in the file's Zone.Identifier metadata stream (the "mark of the web") to "2", the Trusted Sites zone, making the file appear as if it had been downloaded from a trusted source rather than from the Internet.
When the web archive file is opened in Microsoft Word, the document prompts the victim to "Enable Content", which leads to the execution of malicious VBA macro code.
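The two tricks described above, the web archive container and the relabelled mark of the web, can both be checked offline. The following Python script is an added example, not code from the article or from the Netskope report: it parses an MHT file with the standard library MIME parser and looks for the ActiveMime-wrapped part (normally named editdata.mso) in which Word stores the VBA project of a macro-enabled web archive, and it parses a Zone.Identifier stream to see which zone the file claims to come from. The sample MHT, its part names and the Zone.Identifier text are constructed for the example; the HostUrl value is a placeholder.

```python
"""Triage a Word "web archive" (.mht/.mhtml) and its mark of the web.

An MHT file is a MIME multipart/related message, so the standard library
email parser can enumerate its parts. Word keeps the VBA project of a
macro-enabled web archive in an ActiveMime-wrapped part, normally named
editdata.mso, which is what a triage script should look for. The mark of
the web lives in the file's Zone.Identifier alternate data stream; a
ZoneId of 2 means "Trusted sites", which is why the attackers choose it.
"""
import email
from email import policy

# Constructed sample, not a real OceanLotus document: an HTML part plus an
# editdata.mso part whose base64 body decodes to the ActiveMime signature.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="us-ascii"
Content-Location: file:///C:/invoice.htm

<html><body>invoice</body></html>
------=_NextPart_000
Content-Type: application/x-mso
Content-Transfer-Encoding: base64
Content-Location: file:///C:/invoice_files/editdata.mso

QWN0aXZlTWltZQAA
------=_NextPart_000--
"""

# Constructed Zone.Identifier stream as the attackers would set it (ZoneId=2).
# On Windows the real stream is read with open(path + ":Zone.Identifier").
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=2\r\nHostUrl=https://example.invalid/\r\n"

ACTIVEMIME_MAGIC = b"ActiveMime"
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def mht_parts(data: bytes) -> list:
    """Return the leaf parts of an MHT file as (location, content-type, payload)."""
    msg = email.message_from_bytes(data, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        parts.append((str(part.get("Content-Location", "")),
                      part.get_content_type(),
                      part.get_payload(decode=True) or b""))
    return parts


def find_macro_parts(data: bytes) -> list:
    """Locations of parts that carry a Word VBA container (ActiveMime / .mso)."""
    hits = []
    for location, ctype, payload in mht_parts(data):
        name = location.rsplit("/", 1)[-1].lower()
        if (ctype == "application/x-mso" or name.endswith(".mso")
                or payload.startswith(ACTIVEMIME_MAGIC)):
            hits.append(location)
    return hits


def parse_zone_identifier(text: str):
    """Parse the INI-style Zone.Identifier stream; returns (zone_id, zone_name)."""
    section, zone = None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and line.lower().startswith("zoneid="):
            zone = int(line.split("=", 1)[1])
    return zone, ZONE_NAMES.get(zone, "unknown")


def triage(mht: bytes, zone_stream: str) -> dict:
    """Combine both checks the way a mail-gateway or EDR script would."""
    zone, name = parse_zone_identifier(zone_stream)
    macro_parts = find_macro_parts(mht)
    return {
        "macro_parts": macro_parts,
        "zone": zone,
        "zone_name": name,
        # Office applies Protected View to zones 3 and 4; a macro part in a
        # file tagged 0-2 is exactly the mismatch this campaign relies on.
        "suspicious": bool(macro_parts) and (zone is None or zone < 3),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MHT, SAMPLE_ADS))
```

The useful signal is the combination: a web archive that carries a VBA container and arrives tagged as anything other than Internet or Restricted Sites deserves a closer look, since Protected View will not hold it. Also check the RAR container itself, because a .mht extracted from an archive may carry whatever mark of the web the archiver chose to propagate.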
The macro performs the following actions on the infected machine:
- Drops the payload to "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp";
- Copies the payload to "C:\ProgramData\Microsoft\Outlook\Sync\guest.bmp";
- Creates and displays a decoy document named "Document.doc";
- Renames the payload from "guest.bmp" to "background.dll";
- Runs the DLL by calling its export functions "SaveProfile" or "OpenProfile".
After the payload is executed, the VBA code deletes the original Word file and opens the decoy document, which shows the victim a fake error.
Backdoor uses the Glitch hosting service
The payload dropped onto the system is a 64-bit DLL that is executed every 10 minutes by a scheduled task masquerading as a WinRAR update check.
The backdoor is injected into a rundll32.exe process that runs indefinitely in memory to evade detection, Netskope notes in its technical report.
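The macro's host-side behaviour (an Office process writing a fake .bmp under ProgramData, then a DLL being run through its SaveProfile/OpenProfile exports) and the persistence step (a scheduled task named after WinRAR that actually launches a DLL from ProgramData) are all visible in ordinary endpoint telemetry. The following Python script is an added example, not code from the article or the Netskope report: it runs a few detection rules over constructed Sysmon-style records. The drop paths and export names are the ones quoted in the article; the WINWORD.EXE path, the rundll32 command line, the parent process and the task name are assumptions, since the article does not give the exact launcher or task name.

```python
"""Hunt for the drop, the export call and the scheduled-task persistence
over constructed Sysmon-style telemetry.

Added example. Drop paths and export names come from the article; the
rundll32 command line, the Office binary path and the task name are assumed.
"""
import re

# Constructed telemetry in the shape of Sysmon events (EventID 1 = process
# creation, 11 = file creation) plus a Security 4698 (scheduled task created).
EVENTS = [
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\ProgramData\Microsoft\User Account Pictures\guest.bmp"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\ProgramData\Microsoft\Outlook\Sync\guest.bmp"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'rundll32.exe "C:\ProgramData\Microsoft\Outlook\Sync\background.dll",SaveProfile'},
    {"id": 4698, "task": r"\WinRAR update check",   # assumed name
     "action": r"C:\Windows\System32\rundll32.exe",
     "args": r'"C:\ProgramData\Microsoft\Outlook\Sync\background.dll",OpenProfile'},
    # Benign control: the real archiver launched from Explorer must not alert.
    {"id": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe"'},
]

OFFICE_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe")
SUSPECT_EXPORTS = {"saveprofile", "openprofile"}
PROGRAMDATA_MS = re.compile(r"^c:\\programdata\\microsoft\\", re.I)
# Exact drop locations quoted in the article, lower-cased for comparison.
KNOWN_DROPS = {
    r"c:\programdata\microsoft\user account pictures\guest.bmp",
    r"c:\programdata\microsoft\outlook\sync\guest.bmp",
    r"c:\programdata\microsoft\outlook\sync\background.dll",
}
# rundll32 [path\]dll,Export  (quoted or unquoted DLL path)
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)', re.I)


def parse_rundll32(cmdline: str):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll").strip(), m.group("export")) if m else None


def detect(events) -> list:
    """Run each rule over the events; return (rule, detail) pairs that fired."""
    hits = []
    for e in events:
        if e["id"] == 11:
            target = e["target"]
            # An Office host writing into ProgramData\Microsoft is the drop step.
            if e["image"].lower().endswith(OFFICE_HOSTS) and PROGRAMDATA_MS.match(target):
                hits.append(("office_writes_programdata", target))
            if target.lower() in KNOWN_DROPS:
                hits.append(("known_drop_path", target))
        elif e["id"] == 1 and e["image"].lower().endswith("rundll32.exe"):
            parsed = parse_rundll32(e["cmdline"])
            # The export names and the ProgramData DLL path are the run step.
            if parsed and (parsed[1].lower() in SUSPECT_EXPORTS
                           or PROGRAMDATA_MS.match(parsed[0])):
                hits.append(("rundll32_profile_export", e["cmdline"]))
            if e.get("parent", "").lower().endswith(OFFICE_HOSTS):
                hits.append(("office_spawns_rundll32", e["cmdline"]))
        elif e["id"] == 4698:
            # Persistence: a task named after WinRAR whose action is not WinRAR.
            if "winrar" in e["task"].lower() and "winrar" not in e["action"].lower():
                hits.append(("task_masquerades_as_winrar", e["task"]))
            parsed = parse_rundll32(e["action"] + " " + e["args"])
            if parsed and PROGRAMDATA_MS.match(parsed[0]):
                hits.append(("task_runs_programdata_dll", parsed[0]))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The behavioural rules (Office writing to ProgramData\Microsoft, rundll32 loading a DLL from there, a task whose name and action disagree) outlive the specific file names, which the attackers can change at will; the exact-path rule is there for quick sweeps against the published indicators.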
The malware collects information about the network adapter, the computer name and the user name, enumerates system directories and files, and checks the list of running processes.
Once this basic data is gathered, the backdoor packs everything into a single packet and encrypts the contents before sending it to the C2 server.
This server is hosted on Glitch, a cloud hosting and collaborative web development service that is frequently abused for malicious purposes.
By using a legitimate cloud hosting service for C2 communication, the actors further reduce the chance of detection even where network traffic monitoring tools are deployed.
Although Glitch removed the C2 URLs identified and reported by Netskope researchers, this is unlikely to stop APT32 from creating new ones under different accounts.
For the complete list of indicators of compromise for this campaign, consult this GitHub repository.