
Fake or Fake: Keeping up with OceanLotus decoys

by ethhack

ESET researchers detail the latest tricks and techniques OceanLotus uses to deliver its backdoor while staying under the radar

This article will first describe how the OceanLotus group (also known as APT32 and APT-C-00) recently used one of the publicly available exploits for CVE-2017-11882, a memory corruption vulnerability present in Microsoft Office software, and how OceanLotus malware achieves persistence on compromised systems without leaving any traces. Then the article describes how, since the beginning of 2019, the group has been leveraging self-extracting archives to run code.


Following OceanLotus' activities is taking a tour in the world of deception. This group is known to lure victims by forging appealing documents to entice potential victims into executing the group's backdoor, and keeps coming up with new ideas to diversify its toolset. The techniques employed for the decoys range from files with so-called double extensions, self-extracting archives and macro-enabled documents, to reusing known exploits. On top of that, they are very active and relentlessly continue to raid their favorite victims, South East Asian countries.

Summing up the Equation Editor exploit

In mid-2018, OceanLotus carried out a campaign using documents abusing the weakness exposed by the CVE-2017-11882 vulnerability. Indeed, several Proofs-of-Concept were made available. The vulnerability resides in the component responsible for rendering and editing mathematical equations. One of the malicious documents used by OceanLotus was analysed by 360 Threat Intelligence Center (in Chinese) and includes details about the exploit. Let's take a look at a similar document.

First stage

This document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one mentioned in the article above, and also interesting as it really targets people interested in Cambodian politics (the CNRP – Cambodia National Rescue Party – political party was dissolved in late 2017). Despite its .doc extension, the document is actually in RTF format (see Figure 1), contains many garbage groups, and is also malformed.

Figure 1 – RTF garbage fields

Despite the presence of malformed elements, Word successfully opens this RTF file. As seen in Figure 2, at offset 0xC00 there is an EQNOLEFILEHDR structure, followed by the MTEF header and then an MTEF record (Figure 3) for a font.

Figure 2 – FONT record values

Figure 3 – FONT record format

An overflow in the name field is possible because its size isn't checked before being copied. A name that's too long triggers the vulnerability. As seen in the RTF file content (offset 0xC26 in Figure 2), the buffer is filled with shellcode followed by a NOP (0x90) sled and the return address 0x402114. That address is a gadget in EQNEDT32.exe pointing to a RET instruction. This results in EIP pointing to the beginning of the name field, which contains the shellcode.

Figure 4 – Start of the exploit shellcode

The address 0x45BD3C stores a variable that is dereferenced until it reaches a pointer to the currently loaded MTEFData structure. That's where the rest of the shellcode resides.

The purpose of the shellcode is to execute a second piece of shellcode, embedded inside the open document. First, the initial shellcode tries to find the handle of the open document file by iterating through all the system's handles (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checking if the handle's PID matches the PID of a WinWord process and if the document was opened with the following access mask: 0x12019F. To confirm it found the right handle and not the handle of another open document, the content of the file is mapped with the CreateFileMapping function and the shellcode checks if the last 4 bytes of the document are "yyyy"; this technique is called "Egg Hunting". Once it finds a match, the document is copied to a temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.

Figure 5 – Markers at the end of the document

The 32-bit value between the AABBCCDD and yyyy markers is the offset to the next shellcode. It is invoked using the CreateThread function. The extracted shellcode is the same that the OceanLotus group has been using for a while now. The Python emulator script we released in March 2018 still works to dump the next stage.
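A small triage helper for the trailer layout just described, added here as an example (it is not ESET's code nor the emulator script mentioned above). It checks whether a .doc file is really RTF and whether it ends with the marker, offset and "yyyy" egg the first stage looks for, then slices out the bytes at that offset. Assumptions not stated on the page: the AABBCCDD marker is stored as the bytes AA BB CC DD in that order, the offset is little-endian, and the second-stage blob runs from that offset up to the 12-byte trailer.

```python
import struct

# Trailer layout the first-stage shellcode reads from the last 12 bytes:
#   [AA BB CC DD][32-bit offset][yyyy]
# Byte order of the marker and the offset are assumptions, not stated on the page.
MARKER = bytes.fromhex("AABBCCDD")
EGG = b"yyyy"               # the last four bytes checked during "egg hunting"
TRAILER_LEN = 12


def is_rtf(data: bytes) -> bool:
    """RTF files start with '{\\rtf' whatever extension they carry."""
    return data[:5] == b"{\\rtf"


def parse_trailer(data: bytes):
    """Return the offset stored between the marker and the egg, or None."""
    if len(data) < TRAILER_LEN or data[-4:] != EGG:
        return None
    if data[-12:-8] != MARKER:
        return None
    return struct.unpack("<I", data[-8:-4])[0]


def second_stage(data: bytes) -> bytes:
    """Bytes at the stored offset, up to the trailer (no length is encoded)."""
    off = parse_trailer(data)
    if off is None or off >= len(data) - TRAILER_LEN:
        return b""
    return data[off:-TRAILER_LEN]


def triage(filename: str, data: bytes) -> dict:
    """Summarise the indicators a responder would want for a suspicious document."""
    off = parse_trailer(data)
    return {
        "rtf_despite_doc_extension": filename.lower().endswith(".doc") and is_rtf(data),
        "has_egg_trailer": off is not None,
        "second_stage_offset": off,
    }


# Constructed sample (not a real document): RTF header, filler, a fake
# second-stage blob, then the 12-byte trailer pointing at the blob.
STAGE = b"\x90\x90constructed-second-stage"
HEAD = b"{\\rtf1" + b"A" * 40
SAMPLE = HEAD + STAGE + MARKER + struct.pack("<I", len(HEAD)) + EGG

if __name__ == "__main__":
    print(triage("FW Report.doc", SAMPLE))
    print(second_stage(SAMPLE))
```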

Second stage

Extracting the components

The filenames and directories are chosen dynamically. The code randomly selects the filename of an executable or DLL file located in C:\Windows\system32. It then queries its resources and extracts the FileDescription field to use as a folder name. If this doesn't work, the code randomly chooses a folder name from the %ProgramFiles% or C:\Windows (from GetWindowsDirectoryW) directories. It avoids using a name that could clash with existing files by making sure it doesn't contain: windows, Microsoft, desktop, system, system32 or syswow64. If the directory already exists, the directory name is appended with "NLS_{6 digits}".

The stage's 0x102 resource is parsed and the files are dropped in either %ProgramFiles% or %AppData% in the randomly chosen folder. The creation times are modified to have the same values as kernel32.dll.

For example, here's a folder and a list of files created by choosing the C:\Windows\system32\TCPSVCS.exe executable as a source of data.

Figure 6 – Extraction of the different components

The structure of the resource 0x102 in the dropper is quite complex. In a nutshell, it contains:

  • filenames
  • files' size and content
  • compression format (COMPRESSION_FORMAT_LZNT1 used by the RtlDecompressBuffer function)

The first file is dropped as TCPSVCS.exe which is in fact Adobe's legitimate AcroTranscoder.exe (according to its FileDescription, SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).

You may have noticed that the file size of some DLLs exceeds 11MB. This is because a large contiguous buffer of random data is placed inside the executable. It's possibly a way to evade detection by some security products.

Achieving persistence

The resource 0x101 of the dropper contains two 32-bit integers that dictate how the persistence should be implemented. The value of the first one specifies how the malware will achieve persistence without administrator privileges.

| First integer value | Persistence mechanism |
|---|---|
| 0 | Don't achieve persistence |
| 1 | Scheduled task as current user |
| 2 | (HKLM or HKCU)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| 3 | Creation of a shortcut file (with a .lnk extension) in the subdirectory Microsoft\Windows\Start Menu\Programs\Startup under one of the environment variables: %ALLUSERSPROFILE%, %APPDATA% or %USERPROFILE% |

The value of the second integer specifies how the malware should try to achieve persistence if it runs with elevated privileges.

| Second integer value | Persistence mechanism |
|---|---|
| 1 | Scheduled task as administrator |
| 2 | Creation of a service |

The service name is the filename without extension; the display name is the folder name, but if it already exists then the string "Revision 1" is appended (the number is incremented until it finds an unused name). The operators made sure the persistence through the service would be resilient: on service failure, the service should restart after 1 second. Then, the registry value WOW64 of the new service key is set to 4, which indicates that it's a 32-bit service.

The scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information with the current user or the administrator information and sets the trigger.
This is a daily task with a duration of 24 hours and the interval between two executions is set to 10 minutes, which means it will run all the time.

The malicious bit

In our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software side-loading the DLLs that were dropped with it. In this case, the Flash Video Extension.dll is the interesting one.

Its DLLMain function just calls a single function. Some opaque predicates are present:

Figure 7 – Opaque predicates

After these misleading checks, the code gets the .text section of TCPSVCS.exe, changes its protection to PAGE_EXECUTE_READWRITE and overwrites it with do-nothing instructions that have no side effects:

Figure 8 – Sequence of instructions without side effects

At the end, a CALL instruction to the address of the function FLVCore::Uninitialize(void) exported by Flash Video Extension.dll is appended. This means that, after loading the malicious DLL, when the runtime calls WinMain in TCPSVCS.exe, the instruction pointer will point to the NOP sled, which will eventually call FLVCore::Uninitialize(void), the next stage.

This function simply creates a mutex starting with {181C8480-A975-411C-AB0A-630DB8B0A221} and followed by the current username. Then, it reads the dropped file with the .db3 extension, which contains position-independent code, and uses CreateThread to execute its content.

The content of the .db3 file is shellcode commonly used by OceanLotus. Again, we successfully unpacked its payload using the emulator script we published on GitHub.

The script extracts the final stage. This component is the backdoor that we already analysed in this white paper: OceanLotus: Old techniques, new backdoor. It's recognizable as such from the GUID {A96B020F-0000-466F-A96D-A91BBF8EAC96} that's present in the binary. The configuration of the malware is still encrypted in a PE resource. It contains almost the same configuration but the C&C servers are different from those that were already published:

  • andreagahuvrauvin[.]com
  • byronorenstein[.]com
  • stienollmache[.]xyz

Once again OceanLotus showcases a large combination of techniques to stay under the radar. They came back with a "better" version of the infection process. By choosing random names and filling executables with random data, they reduce the number of reliable IoCs (hash-based and filename-based). Moreover, since they're using DLL side-loading, the attackers only have to drop the legitimate AcroTranscoder binary as-is.

Self-Extracting archives

After using RTF files, the group started using self-extracting (SFX) archives that use common document icons in an attempt to further mislead their victims. It was briefly documented by Threatbook (in Chinese). When run, these self-extracting RAR files drop and execute DLL files (with a .ocx extension) with the final payload being the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. Since the middle of January 2019, OceanLotus started reusing the technique but changed some configuration over time. This section will describe the technique and what they've changed to achieve their goal.

Falling for the decoy

The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (meaning "FAVORITE RELATIONSHIP OF VIETNAMESE PERFORMANCE" according to Google Translate, SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first seen in 2018. This SFX file is cleverly crafted, as the description (Version Info) states it's a "JPEG Image". The script of the SFX is the following:

Figure 9 – SFX commands

The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC) as well as the image 2018 thich thong lac.jpg.

The decoy image is the following:

Figure 10 – Decoy image

You may have noticed the first two lines in the SFX script invoke the OCX file twice, but it's not a mistake…

{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)

The OCX file's control flow is very similar to other OceanLotus components: there are lots of JZ/JNZ and PUSH/RET instruction sequences interleaved with junk code.

Figure 11 – Obfuscated code

After filtering the junk code, the export DllRegisterServer called by regsvr32.exe looks like this:

Figure 12 – Main code of the installer

Basically, the first time DllRegisterServer is called, it sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to an encoded offset in the DLL (0x10001DE0).
The second time the function is called, it reads this very same value and executes the function at that address. From there, the resource is read and executed and lots of in-memory operations are performed.

The shellcode is the same PE loader used in the previous OceanLotus campaigns. It can be emulated with our miasm emulation script. Eventually, it drops db293b825dcc419ba7dc2c49fa2757ee.dll, loads it into memory and executes DllEntry.

The DLL retrieves the content of its resource, decrypts it (AES-256-CBC) and decompresses it (LZMA). The resource has a specific format that's quite easy to reverse engineer.

Figure 13 – Structure of the installer configuration (KaitaiStruct Visualizer)

The configuration is explicit: depending on the privilege level, the binary data will be written to either %appdata%\Intel\logs\BackgroundUploadTask.cpl or %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 for 64-bit systems).
Next, persistence is achieved by creating a task named BackgroundUploadTask[junk].job where [junk] is a collection of 0x9D and 0xA0 bytes.
The application name of the task is %windir%\System32\control.exe and the parameter value is the path of the dumped binary. The hidden task is set to run every day.

Structurally, the CPL file is a DLL whose internal name is ac8e06de0a6c4483af9837d96504127e.dll and that exports a CPlApplet function. This file decrypts its only resource {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads that DLL and calls its only export, DllEntry.

Backdoor configuration file

The backdoor has an encrypted configuration embedded in its resources. The structure of the configuration file is quite similar to the previous one.

Figure 14 – Structure of the backdoor configuration (KaitaiStruct Visualizer)

Despite the structural similarity, the values in many of these fields have been updated compared to those in our white paper from March 2018.
The first element of the binaries array contains a DLL (HttpProv.dll MD5: 2559738D1BD4A999126F900C7357B759) identified by Tencent, but since the export name has been removed from the binary, the hashes don't match.

Going the extra mile

While looking for samples, a few characteristics stood out. The sample just analysed appeared around July 2018 and other similar ones were found very recently in mid-January through early-February 2019. The infection vector used was an SFX archive dumping a legitimate, decoy document and a malicious OCX file.

Even though OceanLotus uses fake timestamps, it has been observed that the timestamps of the SFX and OCX files are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC) respectively). This probably indicates that they have some kind of "builder" that reuses the same templates and just changes some characteristics.
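The fixed timestamps above are a cheap hunting signal. The following added example (not ESET's code) reads the TimeDateStamp from a PE file's COFF header and flags the two values reported for the SFX and OCX files. It relies only on the standard PE layout (e_lfanew at 0x3C, TimeDateStamp 8 bytes past the "PE\0\0" signature) and builds a constructed, minimal header for testing.

```python
import struct
from datetime import datetime, timezone

# TimeDateStamp values reported on the page for the SFX archive and the OCX dropper.
KNOWN_BUILDER_STAMPS = {
    0x57B0C36A: "OceanLotus SFX template stamp",
    0x498BE80F: "OceanLotus OCX template stamp",
}


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def stamp_to_utc(stamp: int) -> str:
    """Render a TimeDateStamp (seconds since the Unix epoch) as a UTC string."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def match_builder_stamp(data: bytes):
    """Label if the image carries one of the fixed timestamps, else None."""
    stamp = pe_timestamp(data)
    return None if stamp is None else KNOWN_BUILDER_STAMPS.get(stamp)


def constructed_pe(stamp: int) -> bytes:
    """Minimal constructed header (not a runnable binary) for exercising the check."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 1, stamp)  # i386, 1 section, stamp
    return bytes(hdr)


if __name__ == "__main__":
    for stamp in (0x57B0C36A, 0x498BE80F, 0x5C4A0000):
        img = constructed_pe(stamp)
        print(hex(stamp), stamp_to_utc(stamp), match_builder_stamp(img))
```

On a real sample, pass the file's bytes to match_builder_stamp; a hit is a lead to pivot on, not proof of attribution by itself.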

Among the documents we analysed since early-2018, we observed different document names suggesting country-related targeting:

  • The New Contact Information Of Cambodia Media(New).xls.exe
  • 李建香 (个人简历).exe (fake pdf document of a CV)
  • feedback, Rally in USA from July 28-29, 2018.exe

Since the discovery of the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll backdoor and its public analysis by several researchers, we observed some changes in the malware's configuration data.
First, the authors started removing the names from the helper DLLs (DNSprov.dll and the two versions of HttpProv.dll).
Then the operators stopped packaging the third DLL (second version of HttpProv.dll), choosing to embed only one.

Second, lots of the backdoor configuration fields have been modified, maybe to avoid detection, since many IoCs became available.
The important fields that changed are the following:

  • the "AppX" registry key changed (see IoCs)
  • the mutex encoding string ("def", "abc", "ghi")
  • the port number

Finally, all the new variants analysed have new C&C servers, which are listed in the IoCs section.


OceanLotus is very active and keeps evolving. The group really focuses on diversifying their toolsets and decoys. They cleverly wrap their payloads with attractive documents based on current events that are likely to be of interest to their intended victims. They keep coming up with different techniques and even reuse and readapt publicly available exploit code such as for the Equation Editor exploit. Moreover, they keep improving their techniques to reduce the number of artefacts left on their victims' machines, thereby decreasing the chances of detection by security products. As we've shown, lots of in-memory operations are involved, filenames are randomly generated and the OceanLotus operators have modified their binaries to avoid being detected. Another very interesting point is that some domains seem to be derived from a dictionary. OceanLotus is making the extra effort to continue carrying out their campaigns, but don't hold your breath…

Indicators of Compromise (IoCs)

The IoCs in this blogpost, as well as the MITRE ATT&CK attributes, are also available from our GitHub repository.

Registry keys/values:

  • HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
    • AppXbf13d4ea2945444d8b13e2121cb6b663
    • AppX70162486c7554f7f80f481985d67586d
    • AppX37cc7fdccd644b4f85f4b22d5a3f105a

Mutexes:

  • {181C8480-A975-411C-AB0A-630DB8B0A221}_ (+ username)

Documents exploiting CVE-2017-11882 (SHA-1 hashes, ESET detection names):

SFX archives and OCX droppers (SHA-1 hashes, ESET detection names):

MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1193 | Spearphishing Attachment | Deceitful RTF documents and self-extracting archives are sent to potential victims. |
| Execution | T1204 | User Execution | The user needs to execute the self-extracting archive or open the RTF document. |
| Execution | T1117 | Regsvr32 | The self-extracting archives execute regsvr32 to run OceanLotus' backdoor. |
| Execution | T1035 | Service Execution | The second stage of the exploit tries to run OceanLotus' backdoor as a service. |
| Persistence | T1050 | New Service | The second stage of the exploit tries to achieve persistence by creating a service. |
| Persistence | T1060 | Registry Run Keys / Start Folder | The second stage of the exploit tries to achieve persistence by adding a value in the Run registry key. |
| Persistence | T1053 | Scheduled Task | The second stage of the exploit tries to achieve persistence by creating a scheduled task. |
| Defense Evasion | T1009 | Binary Padding | The second stage of the exploit fills dropped executables with random data. |
| Defense Evasion | T1073 | DLL Side-Loading | OceanLotus' backdoor is side-loaded by dropping a library and a legitimate, signed executable (AcroTranscoder). |
| Defense Evasion | T1112 | Modify Registry | OceanLotus' backdoor stores its configuration in a registry key. |
| Defense Evasion | T1027 | Obfuscated Files or Information | The second stage of the exploit drops an encrypted shellcode. |
| Defense Evasion | T1099 | Timestomp | The creation time of the files dropped by the second stage of the exploit is set to match the creation time of kernel32.dll. |
| Discovery | T1083 | File and Directory Discovery | OceanLotus' backdoor can list files and directories. |
| Discovery | T1012 | Query Registry | OceanLotus' backdoor can query the Windows Registry to gather system information. |
| Discovery | T1082 | System Information Discovery | OceanLotus' backdoor captures system information and sends it to its C&C server. |
| Exfiltration | T1002 | Data Compressed | OceanLotus' backdoor uses LZMA compression before exfiltration. |
| Exfiltration | T1022 | Data Encrypted | OceanLotus' backdoor uses RC4 encryption before exfiltration. |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Data exfiltration is done using the already opened channel with the C&C server. |
| Execution | T1203 | Exploitation for Client Execution | The RTF document includes an exploit to execute malicious code (CVE-2017-11882). |
| Command And Control | T1094 | Custom Command and Control Protocol | OceanLotus' backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets. |
| Command And Control | T1065 | Uncommonly Used Port | OceanLotus' backdoor uses HTTP over an unusual TCP port (14146). The port is specified in the backdoor configuration. |
