OceanLotus hackers use web archive files to spread backdoors

OceanLotus, a group of state-sponsored hackers, now uses web archive file formats (.MHT and .MHTML) to deliver backdoors to compromised systems.

The goal is to evade antivirus tools, which are likely to flag commonly abused document formats and block the victim from opening them in Microsoft Office.

Also tracked as APT32 and SeaLotus, the group has shown a tendency in the past to experiment with less common ways of spreading malware.

A report from Netskope Threat Labs, shared in advance with BleepingComputer, indicates that the OceanLotus campaign using web archive files is still active, despite its narrow targeting and despite the command and control (C2) server being down.

From trusted RARs to Word macros

The attack chain begins with a RAR archive that compresses a large (35-65MB) web archive file containing a malicious Word document.

RAR file dropped as first step of attack
Source: Netskope

To bypass Microsoft Office's protections, the actors set the ZoneId property in the file's metadata to "2", which makes the file appear to have been downloaded from a trusted source.

Setting the ZoneId value to bypass MS Office protection
Source: Netskope
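The ZoneId value lives in the file's Zone.Identifier alternate data stream (the Mark-of-the-Web), a small INI-style text block; zone 2 is the Trusted sites zone, whereas a normal browser download carries zone 3 (Internet). The following is an added example, not code from Netskope or this article: a parser for that stream plus a heuristic that flags a marker claiming a trusted or local zone when the recorded origin is a public web URL, or when no origin is recorded at all. The stream text is passed in as a string so the check runs anywhere; the sample streams are constructed, not taken from the campaign's files.

```python
"""Parse a Zone.Identifier (Mark-of-the-Web) stream and flag values that look tampered.

Added example, not Netskope's or BleepingComputer's code. On Windows the same
text would be read from `<file>:Zone.Identifier`; here it is passed as a string.
"""
from urllib.parse import urlparse

# Security zone numbers Windows writes into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Return the key=value pairs of the [ZoneTransfer] section as a dict."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def assess_zone_identifier(text: str) -> dict:
    """Heuristic (assumption, not a Netskope rule): a marker claiming a zone below
    Internet (3) deserves review when the recorded origin is a web URL, or when no
    origin is recorded at all, since a stream holding nothing but a low ZoneId is
    what a hand-edited marker looks like. Downloads from sites an admin has placed
    in the Trusted sites zone will also be flagged, so treat hits as review items."""
    fields = parse_zone_identifier(text)
    result = {"zone": None, "zone_name": "no Mark-of-the-Web", "origin": "",
              "suspicious": False, "reason": ""}
    if "ZoneId" not in fields:
        return result
    try:
        zone = int(fields["ZoneId"])
    except ValueError:
        result.update(suspicious=True, reason="malformed ZoneId value")
        return result
    origin = fields.get("HostUrl") or fields.get("ReferrerUrl") or ""
    from_web = urlparse(origin).scheme.lower() in ("http", "https")
    result.update(zone=zone, zone_name=ZONE_NAMES.get(zone, "unknown"), origin=origin)
    if zone < 3 and (from_web or not origin):
        result["suspicious"] = True
        result["reason"] = (
            f"ZoneId={zone} ({result['zone_name']}) but origin is "
            + (f"a web URL: {origin}" if from_web else "not recorded")
        )
    return result


# Constructed sample streams (not taken from the campaign's files).
SAMPLES = {
    "normal_download": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                       "HostUrl=https://example.invalid/report.rar\r\n",
    "tampered": "[ZoneTransfer]\r\nZoneId=2\r\n",
    "intranet_share": "[ZoneTransfer]\r\nZoneId=1\r\nHostUrl=file://fileserver/share/doc.docx\r\n",
    "no_stream": "",
}


def scan_samples() -> dict:
    """Assess every constructed sample; returns name -> assessment dict."""
    return {name: assess_zone_identifier(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:16} zone={verdict['zone_name']:20} {flag} {verdict['reason']}")
```

The "tampered" sample is the shape this campaign relies on: a stream with a trusted-zone ZoneId and no download origin, which Office treats as safe enough to skip Protected View. A file with no Zone.Identifier stream at all is reported as unmarked rather than suspicious, because local files legitimately have none.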

When the web archive file is opened in Microsoft Word, the infected document prompts the victim to "Enable Content," which allows the malicious VBA macro to execute.

Decoded VBA code used in APT32 documents
Source: Netskope

The script performs the following tasks on the infected machine:

  1. Drops the payload to "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp";
  2. Copies the payload to "C:\ProgramData\Microsoft Outlook Sync\guest.bmp";
  3. Creates and displays a decoy document named "Document.doc";
  4. Renames the payload from "guest.bmp" to "background.dll";
  5. Executes the DLL by calling the export functions "SaveProfile" or "OpenProfile".

After the payload is executed, the VBA code deletes the original Word file and opens the decoy document, presenting the victim with a bogus error.

Backdoor uses Glitch hosting service

The payload dropped onto the system is a 64-bit DLL that is executed every 10 minutes by a scheduled task that impersonates a WinRAR update check.

Fake scheduled task carrying the payload injection
Source: Netskope

The backdoor is injected into the memory of an indefinitely running rundll32.exe process to avoid detection, Netskope notes in its technical report.

Injected payload unpacked in memory
Source: Netskope
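The macro steps listed earlier (a .bmp renamed to background.dll under ProgramData, then run through the SaveProfile or OpenProfile export) and the long-lived rundll32.exe host described here leave a small number of observable traces. The following is an added example, not Netskope's or this article's code: a rundll32 command-line parser and two detection checks run over constructed EDR-style events. The event dict shapes, the "user-writable root" heuristic and the benign sample lines are assumptions; the paths and export names in the flagged events are the ones the report attributes to this campaign.

```python
"""Flag rundll32 invocations and file renames matching the behaviour described above.

Added example, not Netskope's code. Events are constructed, generic EDR-style dicts:
{"type": "process", "command_line": ...} or {"type": "rename", "old_path": ..., "new_path": ...}.
"""
import ntpath
import re

# Export names the campaign's DLL is invoked through (from the report).
SUSPICIOUS_EXPORTS = {"saveprofile", "openprofile"}
# Heuristic (assumption): a DLL that rundll32 loads from a user-writable tree deserves a look.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
EXECUTABLE_EXTS = {".dll", ".exe"}

# Optionally quoted rundll32[.exe] image, with or without a directory; captures the arguments.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', re.IGNORECASE)


def parse_rundll32(command_line: str):
    """Return (dll_path, export_or_None) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command_line)
    if not m:
        return None
    rest = m.group(1).strip()
    if not rest:
        return None
    if rest.startswith('"'):            # quoted path: rundll32 "C:\dir with spaces\x.dll",Export
        end = rest.find('"', 1)
        if end == -1:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:                               # unquoted path ends at the first comma or space
        m2 = re.match(r"([^,\s]+)(.*)", rest)
        if not m2:
            return None
        dll, tail = m2.group(1), m2.group(2)
    tail = tail.strip().lstrip(",").strip()
    export = tail.split()[0] if tail else None
    return dll, export


def assess_event(event: dict) -> list:
    """Return human-readable findings for one event (empty list = nothing notable)."""
    findings = []
    if event["type"] == "process":
        parsed = parse_rundll32(event["command_line"])
        if parsed is None:
            return findings
        dll, export = parsed
        if export and export.lower() in SUSPICIOUS_EXPORTS:
            findings.append(f"rundll32 export '{export}' matches the campaign's DLL entry points")
        if dll.lower().startswith(USER_WRITABLE_ROOTS):
            findings.append(f"rundll32 loading a DLL from a user-writable path: {dll}")
    elif event["type"] == "rename":
        old_ext = ntpath.splitext(event["old_path"])[1].lower()
        new_ext = ntpath.splitext(event["new_path"])[1].lower()
        if new_ext in EXECUTABLE_EXTS and old_ext not in EXECUTABLE_EXTS:
            findings.append(f"non-executable '{old_ext}' renamed to '{new_ext}': {event['new_path']}")
    return findings


# Constructed events; the first and last use the paths and export the report attributes to the campaign.
EVENTS = [
    {"type": "process", "command_line":
     r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Microsoft\User Account Pictures\background.dll",SaveProfile'},
    {"type": "process", "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "process", "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "rename", "old_path": r"C:\ProgramData\Microsoft Outlook Sync\guest.bmp",
     "new_path": r"C:\ProgramData\Microsoft Outlook Sync\background.dll"},
]


def scan(events) -> list:
    """Return [(event_index, findings)] for the events that produced findings."""
    hits = []
    for i, ev in enumerate(events):
        found = assess_event(ev)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, found in scan(EVENTS):
        for line in found:
            print(f"event {idx}: {line}")
```

The benign shell32.dll line is included so the parser's output can be seen on a legitimate rundll32 use; only the export-name and user-writable-path checks fire, and neither does for a DLL under System32. Pair these checks with a review of scheduled tasks that run every 10 minutes under a WinRAR-themed name, which the article describes but whose exact task name it does not give.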

The malware collects network adapter information, computer name, user name, enumerates system directories and files, and checks the list of running processes.

Once this basic data is collected, the backdoor packages everything into one packet and encrypts the content before sending it to the C2 server.

This server is hosted on Glitch, a cloud hosting and collaborative web development platform that is frequently abused for malicious purposes.

Backdoor connects to C2 hosted on Glitch
Source: Netskope

By using a legitimate cloud hosting service for C2 connections, operators reduce the chances of detection even when network traffic monitoring tools are deployed.

Although Glitch has removed the C2 URLs identified and reported by Netskope researchers, this is unlikely to prevent APT32 from creating new addresses using different accounts.

For the full list of indicators of compromise from this campaign, you can check out this GitHub repository.
