OceanLotus in 2017: An update on their activity and toolset

Romain Dumont, Malware researcher, ESET

OceanLotus (aka APT32 and APT-C-00) is an allegedly Vietnamese threat group that has been known for a few years. OceanLotus’ main targets are located both in Vietnam itself and in surrounding countries such as Laos, China and Cambodia.

Their preferred targets are governments, journalists and private sector industries.

Our team of researchers has tracked OceanLotus activities in 2017. Interestingly, we have seen a campaign targeting Canada and the U.S. We have studied their tactics and analyzed some of their custom backdoors.

OceanLotus uses both off-the-shelf tools such as Metasploit and Cobalt Strike, and has developed its own remote access tool malware, distributed to victims of interest. They keep updating their set of tools and sometimes make use of publicly known vulnerabilities. To make analysis and detection more difficult, they use control flow obfuscation, side-loading, encrypted binary network protocols and in-memory execution of fileless payloads.

Email attachments seem to be OceanLotus’ favourite method to get a foot in the door of their targets. The usual methods are nothing particularly sophisticated: double extensions, Office document macros and .LNK files. Their infection vectors tend to rely on social engineering. Their decoy documents are usually named after current news or political events.
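The attachment-naming tricks listed above (double extensions, macro-enabled Office documents and .LNK shortcuts) lend themselves to a simple mail-gateway or triage check. The following Python is an added example written for this page, not tooling from ESET or from the speaker; the extension lists are constructed assumptions and are deliberately not exhaustive, and the sample filenames are constructed, not taken from any real campaign.

```python
# Added example: flag attachment filenames that use the lure techniques
# described in the abstract. The extension sets below are assumptions.

# Extensions a document-themed lure commonly claims to be (constructed list)
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
# Extensions that execute when double-clicked on Windows (constructed, not exhaustive)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "lnk"}
# Office formats that may carry VBA macros (constructed list)
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list if none).

    Checks, in order: a .LNK shortcut, any other executable extension,
    a document-looking name that ends in an executable extension
    (the double-extension trick), and macro-enabled Office formats.
    """
    reasons: list[str] = []
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2:
        return reasons  # no extension at all, nothing to judge here

    final_ext = parts[-1]
    inner_exts = parts[1:-1]  # everything between the base name and the real extension

    if final_ext == "lnk":
        reasons.append("shortcut (.lnk) attachment")
    elif final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final_ext}")

    # "report.doc.exe": the inner extension advertises a document, the real one executes
    if final_ext in EXECUTABLE_EXTS and any(ext in DOCUMENT_EXTS for ext in inner_exts):
        reasons.append("double extension: document name hiding an executable")

    if final_ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document")

    return reasons


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Map each suspicious filename to its reasons; clean names are omitted."""
    return {f: classify_attachment(f) for f in filenames if classify_attachment(f)}


# Constructed sample attachment names, not real campaign artifacts
SAMPLE_ATTACHMENTS = [
    "Budget_2017.doc.exe",
    "meeting_notes.pdf",
    "agenda.lnk",
    "press_release.docm",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(why)}")
```

The check looks only at the filename, so it is a cheap first filter for a mail gateway or an analyst's triage script; it says nothing about a file's actual content, and a macro document still needs to be inspected (or have macros blocked by policy) before it is considered safe.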

Interestingly, OceanLotus is also equipped with a Mac version of their malware. They used a unique method to disguise their executable file as a document, something we hadn’t seen on macOS before. Although the Mac malware doesn’t seem to share code with its Windows counterpart, some of the techniques are similar and they share C&C infrastructure.

A lot of good documentation about OceanLotus has been published by Qihoo 360, Cybereason and FireEye. This presentation will focus mainly on the reverse engineering of their malware. We will also release tools on GitHub to help with the analysis of OceanLotus samples.

Romain Dumont

Romain Dumont was hired by ESET in January as a malware researcher. He does not focus on a specific malware family, but likes to experiment with all kinds of malware.
He previously worked as a security consultant at Thales, where he performed penetration tests.