The state-sponsored hacking group OceanLotus is now using web archive files (.MHT and .MHTML) to deploy backdoors on compromised systems.
The goal is to evade antivirus tools, which are likely to flag commonly abused document formats and block the victim from opening them in Microsoft Office.
Also tracked as APT32 and SeaLotus, the group has shown a tendency in the past to experiment with less common ways to spread malware.
A report from Netskope Threat Labs, shared in advance with BleepingComputer, indicates that the OceanLotus campaign using web archive files is still active, despite its narrow targeting and despite downtime of the Command and Control (C2) server.
From trusted RARs to Word macros
The attack chain begins with a RAR archive containing a large (35-65 MB) web archive file, which in turn carries a malicious Word document.
To bypass Microsoft Office's Protected View, the actors set the ZoneId value of the file's Mark-of-the-Web metadata (the Zone.Identifier alternate data stream) to "2", the Trusted Sites zone, so the file appears to have come from a trusted source rather than from the Internet.
When the web archive file is opened in Microsoft Word, the malicious document prompts the victim to "Enable Content," which allows the embedded VBA macro to run.
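The following is an added example, not code from Netskope or BleepingComputer, showing how to read a file's Zone.Identifier stream and interpret the ZoneId value the article mentions. The zone numbers are the standard Windows URL security zones (0 Local Machine, 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites); the function names and the sample stream contents are constructed for illustration, and the `read_motw` helper only works on NTFS under Windows.

```python
"""Read and interpret a file's Mark-of-the-Web (the Zone.Identifier
alternate data stream) and say whether Office would open it in Protected View.

Added example, not Netskope's or BleepingComputer's code. The zone numbers
are the standard Windows URL security zones; function names and the sample
stream text are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Windows URL security zones (URLZONE values) as written in the ZoneId= line.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# Office applies Protected View when the MotW says Internet or Restricted Sites.
PROTECTED_VIEW_ZONES = {3, 4}


@dataclass
class MotW:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]
    protected_view: bool
    reasons: list  # why the tag looks unusual or tampered with


def parse_zone_identifier(stream_text: str) -> MotW:
    """Parse the INI-style text of a Zone.Identifier stream."""
    values = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    zone_id = int(values.get("zoneid", "3"))  # no ZoneId line: treat as Internet
    host = values.get("hosturl") or None
    referrer = values.get("referrerurl") or None
    reasons = []
    # Trusted Sites is rare on files that arrive by mail or download, and it is
    # exactly the value that avoids Protected View without claiming to be local.
    if zone_id == 2:
        reasons.append("ZoneId=2 (Trusted Sites) is unusual for delivered content")
    # A Local Machine tag that still records where the file was fetched from.
    if zone_id == 0 and (host or referrer):
        reasons.append("ZoneId=0 (Local Machine) but an origin URL is recorded")
    return MotW(zone_id, ZONE_NAMES.get(zone_id, f"Unknown({zone_id})"),
                referrer, host, zone_id in PROTECTED_VIEW_ZONES, reasons)


def read_motw(path: str) -> Optional[MotW]:
    """Read the ADS via the 'file:stream' syntax (NTFS on Windows only).
    Returns None when the file carries no Mark-of-the-Web."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed stream contents (not real samples from the campaign).
SAMPLE_TAMPERED = "[ZoneTransfer]\r\nZoneId=2\r\nHostUrl=https://example.invalid/x.rar\r\n"
SAMPLE_NORMAL = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/x.rar\r\n")

if __name__ == "__main__":
    for text in (SAMPLE_TAMPERED, SAMPLE_NORMAL):
        m = parse_zone_identifier(text)
        print(m.zone_name, "protected_view =", m.protected_view, m.reasons)
```

On a Windows host, `read_motw(r"C:\Users\me\Downloads\invoice.mht")` returns the parsed tag, and a `Trusted Sites` result on a file that reached the machine through mail or a download is the condition worth alerting on.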
The macro performs the following tasks on the infected machine:
- Drops the payload to "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp";
- Copies the payload to "C:\ProgramData\Microsoft Outlook Sync\guest.bmp";
- Creates and opens a decoy document named "Document.doc";
- Renames the payload from "guest.bmp" to "background.dll";
- Executes the DLL by calling its exported function "SaveProfile" or "OpenProfile".
Once the payload is running, the VBA code deletes the original Word file and opens the decoy document, which shows the victim a fake error.
Backdoor uses Glitch hosting service
The payload dropped on the system is a 64-bit DLL that is executed every 10 minutes by a scheduled task that impersonates a WinRAR update check.
The backdoor is injected into the memory of that rundll32.exe process, which keeps running indefinitely, to avoid detection, Netskope notes in its technical report.
The malware collects network adapter information, the computer name and user name, enumerates system directories and files, and checks the list of running processes.
Once this basic data is collected, the backdoor packages everything into a single packet and encrypts it before sending it to the C2 server.
That server is hosted on Glitch, a cloud hosting and web development collaboration platform that is frequently abused for malicious purposes.
By using a legitimate cloud hosting service for C2 communication, the operators reduce the chance of detection even where network traffic monitoring tools are deployed.
Although Glitch has removed the C2 URLs identified and reported by Netskope researchers, this is unlikely to stop APT32 from creating new addresses under different accounts.
For the full list of indicators of compromise (IOCs) from this campaign, see this GitHub repository.
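The macro chain listed above (payload dropped as guest.bmp under C:\ProgramData, renamed to background.dll, run through rundll32 via the SaveProfile/OpenProfile export) and the scheduled-task persistence just described give a hunter concrete things to look for in endpoint telemetry. The block below is an added example, not Netskope's or BleepingComputer's code, that runs a few such rules over constructed events in a simplified Sysmon-like shape (id 1 = process create, id 11 = file create). The paths and export names come from the article; the task name "WinRAR update", the schtasks command line and the Office install path are assumptions.

```python
"""Hunt for the OceanLotus dropper chain in process and file events.

Added example, not Netskope's or BleepingComputer's code. Events are
constructed in a simplified Sysmon-like shape (id 1 = process create,
id 11 = file create). Paths and export names follow the article; the task
name "WinRAR update" and the schtasks command line are assumptions.
"""
import re
from pathlib import PureWindowsPath

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed path
PROGRAMDATA = "c:\\programdata\\"

# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"id": 11, "image": WINWORD,
     "target": r"C:\ProgramData\Microsoft\User Account Pictures\guest.bmp"},
    {"id": 11, "image": WINWORD,
     "target": r"C:\ProgramData\Microsoft Outlook Sync\guest.bmp"},
    {"id": 11, "image": WINWORD,  # the rename shows up as a new file
     "target": r"C:\ProgramData\Microsoft\User Account Pictures\background.dll"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": WINWORD,
     "cmdline": r'rundll32.exe "C:\ProgramData\Microsoft\User Account Pictures\background.dll",SaveProfile'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": WINWORD,
     "cmdline": (r'schtasks /create /sc minute /mo 10 /tn "WinRAR update" '
                 r'/tr "rundll32.exe \"C:\ProgramData\Microsoft Outlook Sync\background.dll\",OpenProfile"')},
    # Benign noise: Explorer launching a Control Panel applet through rundll32.
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPECT_EXPORTS = {"saveprofile", "openprofile"}
# "rundll32.exe <dll>,<export>": captures the (optionally quoted) DLL path
# and the export name.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_programdata(path: str) -> bool:
    return path.lower().startswith(PROGRAMDATA)


def check_event(ev: dict) -> list:
    """Return (rule, detail) tuples for one event; an empty list means benign."""
    hits = []
    if ev["id"] == 11:
        target = ev["target"]
        # An Office process writing a DLL under C:\ProgramData is the
        # guest.bmp -> background.dll step.
        if (_basename(ev["image"]) in OFFICE_APPS and _in_programdata(target)
                and target.lower().endswith(".dll")):
            hits.append(("office_writes_dll_in_programdata", target))
        return hits
    if ev["id"] != 1:
        return hits
    image = _basename(ev["image"])
    parent = _basename(ev.get("parent", ""))
    cmd = ev["cmdline"]
    if image == "rundll32.exe":
        m = RUNDLL_RE.search(cmd)
        if m:
            dll, export = m.group(1), m.group(2)
            if export.lower() in SUSPECT_EXPORTS or _in_programdata(dll):
                hits.append(("rundll32_programdata_or_suspect_export", f"{dll},{export}"))
    elif image == "schtasks.exe" and "/create" in cmd.lower():
        low = cmd.lower()
        # A task whose action is rundll32 on a ProgramData DLL, whatever the
        # task name claims about WinRAR.
        if "rundll32" in low and PROGRAMDATA in low:
            hits.append(("schtasks_rundll32_programdata", cmd))
    # Office spawning either LOLBin is itself worth a look.
    if parent in OFFICE_APPS and image in {"rundll32.exe", "schtasks.exe"}:
        hits.append((f"office_spawns_{image}", cmd))
    return hits


def hunt(events) -> list:
    return [hit for ev in events for hit in check_event(ev)]


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:42s} {detail}")
```

Against the constructed events the rules fire five times on the malicious chain and stay silent on the Explorer-launched rundll32, which is the usual false-positive source for any rule keyed on that binary.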