OceanLotus hackers turn to web archive files to deploy backdoors

The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.

The goal is to evade anti-virus tools, which are more likely to catch commonly abused document formats and block the victim from opening them in Microsoft Office.

Also tracked as APT32 and SeaLotus, the group has in the past tended to try less common methods of deploying malware.

A report from Netskope Threat Labs shared with Bleeping Computer notes that OceanLotus' campaign using web archive files is still active, although the targeting scope is narrow and despite the disruption of its command and control (C2) server.

From reliable RARs to Word macros

The attack chain begins with a RAR archive that compresses a large (35-65MB) web archive file containing a malicious Word document.

Image: RAR file dropped as the first step of the attack (Source: Netskope)

To bypass Microsoft Office protection, the actors set the ZoneID property in the file's metadata to "2", making it appear as if it had been downloaded from a trusted source.

Image: Setting the ZoneID value to bypass MS Office protection (Source: Netskope)

When the web archive file is opened with Microsoft Word, the malicious document prompts the victim to "Activate Content", which leads to the execution of malicious VBA macro code.

Image: Decoded VBA code used in APT32 documents (Source: Netskope)

The script performs the following tasks on the infected machine:

  1. Drops the payload into "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp";
  2. Copies the payload to "C:\ProgramData\Microsoft\Outlook Sync\guest.bmp";
  3. Creates and displays a decoy document named "Document.doc";
  4. Renames the payload from "guest.bmp" to "background.dll";
  5. Runs the DLL by calling the export functions "SaveProfile" or "OpenProfile".

After the payload is executed, the VBA code deletes the original Word file and opens the decoy document, which shows the victim a fake error.

Backdoor uses the Glitch hosting service

The payload dropped on the system is a 64-bit DLL that runs every 10 minutes through a scheduled task masquerading as a WinRAR update check.

Image: Fake scheduled task used to run the payload injection (Source: Netskope)

The backdoor is injected into a rundll32.exe process that runs indefinitely in system memory to escape detection, Netskope notes in its technical report.
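The macro steps listed above and the scheduled task that re-runs the DLL through rundll32 give a defender several host-level signals to correlate. The following script is an added example, not code from the article or from Netskope: it runs simple detection rules over constructed Sysmon-style JSON events (the log lines, the task name "WinRAR Update Check" and the Office path are assumptions for illustration) and reports which stages of the described chain are present.

```python
import json
import re
from typing import Optional

# Constructed Sysmon-style events (JSON lines, not real telemetry) mirroring the
# chain in the article: Word drops guest.bmp, renames it to background.dll, and
# a fake "WinRAR update" task launches it via the SaveProfile/OpenProfile exports.
SAMPLE_LOG = r"""
{"event":"FileCreate","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp"}
{"event":"FileCreate","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\ProgramData\\Microsoft\\Outlook Sync\\guest.bmp"}
{"event":"FileRename","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","source":"C:\\ProgramData\\Microsoft\\Outlook Sync\\guest.bmp","target":"C:\\ProgramData\\Microsoft\\Outlook Sync\\background.dll"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe \"C:\\ProgramData\\Microsoft\\Outlook Sync\\background.dll\",SaveProfile"}
{"event":"TaskCreate","task":"\\WinRAR Update Check","interval_min":10,"action":"rundll32.exe C:\\ProgramData\\Microsoft\\Outlook Sync\\background.dll,OpenProfile"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL"}
"""

# Drop locations named in the article (compared case-insensitively).
DROP_PATHS = (
    r"c:\programdata\microsoft\user account pictures\guest.bmp",
    r"c:\programdata\microsoft\outlook sync\guest.bmp",
)
# rundll32 invoking the DLL's two known export names.
EXPORT_RE = re.compile(r'background\.dll"?,\s*(SaveProfile|OpenProfile)\b', re.I)


def classify(ev: dict) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it is benign."""
    kind = ev.get("event")
    image = ev.get("image", "").lower()
    target = ev.get("target", "").lower()
    if kind == "FileCreate" and image.endswith("winword.exe") and target in DROP_PATHS:
        return "office_drops_guest_bmp"
    if kind == "FileRename" and ev.get("source", "").lower().endswith("guest.bmp") \
            and target.endswith("background.dll"):
        return "guest_bmp_renamed_to_dll"
    if kind == "ProcessCreate" and image.endswith("rundll32.exe") \
            and EXPORT_RE.search(ev.get("cmdline", "")):
        return "rundll32_background_dll_export"
    if kind == "TaskCreate" and "winrar" in ev.get("task", "").lower() \
            and "rundll32" in ev.get("action", "").lower():
        return "fake_winrar_task"
    return None


def detect(log_text: str) -> dict:
    """Return per-event hits, the distinct stages seen, and a chain verdict."""
    hits = [classify(json.loads(line)) for line in log_text.splitlines() if line.strip()]
    hits = [h for h in hits if h]
    stages = sorted(set(hits))
    # Any three distinct stages together is treated as the full chain.
    return {"hits": hits, "stages": stages, "chain": len(stages) >= 3}


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

The benign rundll32 line is included to show that the export-name rule, not rundll32.exe itself, is what fires.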

Image: Payload injected and decompressed in memory (Source: Netskope)

The malware collects information about the network card, computer name and user name, enumerates system directories and files, and checks the list of running processes.

Once this basic data is gathered, the backdoor compiles everything into a single packet and encrypts the contents before sending it to the C2 server.

This server is hosted on Glitch, a cloud hosting and collaboration web development service that is frequently used for malicious purposes.

Image: Backdoor communicating with a C2 hosted by Glitch (Source: Netskope)

By using a legitimate cloud hosting service for C2 communication, actors further reduce the chances of being detected even when network traffic monitoring tools are deployed.

Although Glitch removed the C2 URLs identified and reported by Netskope researchers, this is unlikely to prevent APT32 from creating new ones using different accounts.

For the complete list of indicators of compromise for this campaign, you can consult this GitHub repository.
