Check Point researchers take a deep dive into OceanLotus
Researchers have bypassed the obfuscation techniques used by a hacking group targeting Southeast Asian businesses to release new details on how the threat actors operate.
The group has been targeting organizations across the region since 2012, earning itself the nickname OceanLotus, or APT32.
It utilizes multiple methods to infect devices with persistent malware that can hide dormant in a device without the user being aware.
One process is through targeted spear-phishing attacks. Mass emails are sent to target organizations, with attachments or links containing malicious files that trigger an infection chain, installing an OceanLotus backdoor.
Watering hole attacks – compromising legitimate websites that have a high chance of being visited by potential targets and serving a phishing page – have also heavily featured in the seven years since the group was first seen.
APT32 is widely known to use such social engineering techniques to trick a user into enabling macros, after which a file downloads multiple malicious payloads from remote servers.
While private sector companies have been the primary targets so far, governments, organizations, activists, and journalists have also reported attacks.
Vietnam, Laos, and the Philippines are three countries that Check Point security researcher Itay Cohen earmarked as being the main targets of OceanLotus. Businesses in Singapore have also fallen victim to OceanLotus attacks.
Cohen performed a deep dive on the group’s techniques, noting that its varied toolset – a mixture of handcrafted, commercial, and open source tools – are highly obfuscated.
This makes them harder to reverse-engineer, but, as Cohen noted: “This kind of technique is a matter of writing a simple script, as long as you know what you are doing.”
The researcher discovered how to bypass one of the obfuscation techniques using Cutter, a cross-platform graphical user interface used in open source reverse-engineering framework radare2.
He detailed his findings in a deep technical analysis last month.
Waiting in the shadows
Michael Abramzon, malware analyst at Check Point, told The Daily Swig that APT32 relies on weaknesses within an organization’s security defenses and a lack of awareness by employees.
It then lies in wait, silently monitoring the networks.
He said: “Such threat groups would continuously stress the defenses of a target network, until a technical or a human error can be exploited, that enables it to gain access.
“Once the hackers gain access to the network, they could either cripple the network, steal IP addresses, or monitor it silently for long periods of time.”
The motives of APT32 is currently unclear. The group has so far sought no huge financial gain from its exploits, according to Check Point, despite its extensive history of reported attacks.
Abramzon said: “Unlike some other APT groups which have clear financial motives, where the damage from the attack can be more easily valuated, OceanLotus’ emphasis on surveillance and espionage campaigns makes it very hard to assess the direct or indirect damage caused to its victims, especially when government organizations are being targeted.”
Of these known attacks, notable examples include network scanning for OS fingerprinting.
Check Point advises those in the Southeast Asia region, and indeed worldwide, to protect their devices by deploying suitable security measures.
This includes training staff not to click on any suspicious links or attachments, and deploying endpoint security – protecting company networks that are accessed by remote devices.
Abramzon also recommended that due to the nature of the malware deployed by OceanLotus, any infected device should be investigated by trained security professionals.
He said: “As OceanLotus employs custom malware that evolved over time and changes its behavior, there is no predetermined step-by-step solution to remove such a threat from a device, and the specific case should be assessed by professional incident response team, in order to remove all possible footholds the attackers might have gained inside the infected network.”