December 9, 2023

The state-sponsored threat actor group known as OceanLotus is using the web archive file format to evade detection while delivering backdoors for intrusion.

A report claims that OceanLotus’s campaign is actively using web archive files (.MHT and .MHTML) for its attacks.


The attack begins with a RAR archive containing a 35–65 MB web archive file that carries a malicious Word document (a size that also pushes the sample past the upload limits of many sandboxes and scanners). To bypass Microsoft Office's Protected View, the attackers set the ZoneId value in the file's Zone.Identifier stream (the Mark of the Web) to 2, the Trusted sites zone, so Office does not treat the file as downloaded from the Internet (ZoneId 3) and skips the protections that would otherwise apply.

Opening the web archive file with the embedded Word document prompts the victim to Enable Content, which runs the malicious VBA macro. Once the macro runs, it carries out several tasks, deletes the original Word file, and leaves behind a decoy document that displays a fake error pop-up.
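To make the two tricks above concrete, here is an added triage script (example code, not from the report or the threat actor): it walks the MIME parts of an .mht file with Python's standard `email` parser, flags any part that is an Office document, runs a heuristic macro check, and reads a Zone.Identifier stream to decide whether Protected View would have applied. The sample archive, the Zone.Identifier text, and the part names `report.htm` / `report.doc` are constructed for the example; the "document" is only a few bytes carrying the OLE magic and a VBA directory name, not a real file.

```python
"""Triage an MHTML web archive for an embedded Office document and evaluate the
Mark of the Web it would carry.  Added example, not the report's code; the
archive and the Zone.Identifier text below are constructed."""
import base64
import email
import io
import json
import re
import zipfile
from email import policy

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc compound file header
OFFICE_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroenabled.12",
}
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier alternate data stream.
    Returns (zone_id, zone_name, protected_view_expected): Office applies
    Protected View to the Internet (3) and Restricted (4) zones only, so a
    file stamped with ZoneId=2 opens without it."""
    m = re.search(r"^ZoneId\s*=\s*(\d+)", stream_text, re.M | re.I)
    if not m:
        return None, "none", False
    zone = int(m.group(1))
    return zone, ZONE_NAMES.get(zone, "unknown"), zone >= 3

def has_vba(payload):
    """Heuristic macro check: an OOXML part named vbaProject.bin, or the
    _VBA_PROJECT stream name (stored as UTF-16LE) inside a legacy OLE file."""
    if payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if payload.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in payload
    return False

def find_office_parts(mht_bytes):
    """Walk the MIME parts of the web archive and report any Office document."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = str(part.get_filename() or part.get("Content-Location", ""))
        payload = part.get_payload(decode=True) or b""
        looks_office = ctype in OFFICE_TYPES or name.lower().endswith((".doc", ".docm", ".docx"))
        if not looks_office and not payload.startswith(OLE_MAGIC):
            continue
        findings.append({"name": name, "content_type": ctype,
                         "size": len(payload), "macros": has_vba(payload)})
    return findings

def triage(mht_bytes, zone_stream_text):
    """Combine both checks: a macro-bearing Office part plus a zone that skips Protected View."""
    zone, zone_name, protected = parse_zone_identifier(zone_stream_text)
    parts = find_office_parts(mht_bytes)
    suspicious = any(p["macros"] for p in parts) and not protected
    return {"zone": zone, "zone_name": zone_name, "protected_view": protected,
            "office_parts": parts, "suspicious": suspicious}

def build_sample_mht():
    """Constructed sample, not a real malicious file: an HTML part plus a blob
    that carries only the OLE magic and a VBA directory entry name."""
    fake_doc = OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16
    b64 = base64.b64encode(fake_doc).decode()
    return ("MIME-Version: 1.0\r\n"
            'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n'
            "\r\n"
            "------=_NextPart_000\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            "Content-Location: file:///C:/report.htm\r\n"
            "\r\n"
            "<html><body>Loading...</body></html>\r\n"
            "------=_NextPart_000\r\n"
            "Content-Type: application/msword\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            "Content-Location: file:///C:/report.doc\r\n"
            "\r\n"
            f"{b64}\r\n"
            "------=_NextPart_000--\r\n").encode()

SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=2\r\n"   # constructed; mirrors the ZoneId=2 trick

if __name__ == "__main__":
    print(json.dumps(triage(build_sample_mht(), SAMPLE_ZONE_STREAM), indent=2))
```

On a real Windows host the Zone.Identifier text comes from the alternate data stream (for example `Get-Content -Stream Zone.Identifier <file>` in PowerShell); the script takes it as a string so it can run on any analysis box. The macro check is deliberately a heuristic on stream names, not a full OLE parser, so treat a negative result as "nothing obvious" rather than "clean".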

The dropped payload, a 64-bit DLL, is executed every 10 minutes by a scheduled task that imitates a WinRAR update check.


The backdoor is injected into a rundll32.exe process that stays resident in memory to avoid detection. It collects information such as network adapter details, a listing of system directories and files, the username and computer name, and the list of running processes.
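The persistence described above (a short-interval scheduled task that runs a DLL through rundll32.exe under a name borrowed from WinRAR) is easy to hunt for in Task Scheduler XML exports. The following is an added example, not code from the report: it parses the export, scores the traits that matter (a living-off-the-land host binary, a payload under a user-writable path, a product name in the task that does not match the binary launched, a repetition interval of minutes), and runs a benign control through the same logic. The task XML, the task name "WinRAR Update Check", the DLL path and the export name `DllMain` are all constructed for the example; the report does not give these details.

```python
"""Triage Windows Task Scheduler XML exports for rundll32-based persistence
that masquerades as a software updater.  Added example, not the report's code;
the task XML and task name below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Directories an unprivileged user can write to; a DLL loaded from here by a
# scheduled task is far more suspect than one under Program Files.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)

def iso_duration_minutes(s):
    """Convert the ISO-8601 duration subset Task Scheduler emits (PnDTnHnMnS) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", s or "")
    if not m:
        return None
    d, h, mi, sec = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + sec / 60

def triage_task(task_name, xml_text):
    """Return the suspicious traits of one task; score is the number of traits."""
    root = ET.fromstring(xml_text)
    findings = []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        host = cmd.replace('"', "").split("\\")[-1].lower()
        if host in LOLBIN_HOSTS:
            findings.append(f"action runs living-off-the-land binary {host}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("payload path is under a user-writable directory")
        # A task named after a product whose binary it never launches is a masquerade hint.
        if "winrar" in task_name.lower() and "winrar" not in cmd.lower():
            findings.append("task name references WinRAR but the action is not a WinRAR binary")
    intervals = [iso_duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if i is not None and i <= 15]
    if short:
        findings.append(f"repeats every {short[0]:g} minutes")
    return {"task": task_name, "findings": findings, "score": len(findings)}

# Constructed export shaped like `schtasks /query /xml` output (XML declaration omitted).
# The DLL path and the DllMain export are placeholders, not values from the report.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Checks for WinRAR updates</Description></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2021-11-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\Libraries\update.dll,DllMain</Arguments>
    </Exec>
  </Actions>
</Task>"""

# A benign-looking control: the real product binary, run once a day, no repetition.
SAMPLE_BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\WinRAR\WinRAR.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    # "WinRAR Update Check" is a hypothetical task name chosen for the example.
    for xml_text in (SAMPLE_TASK_XML, SAMPLE_BENIGN_XML):
        print(triage_task("WinRAR Update Check", xml_text))
```

Real exports from `schtasks /query /xml` are UTF-16 with an XML declaration, so read them as bytes before handing them to `ET.fromstring`. The score is only a ranking aid for a hunt across all tasks on a host; the individual findings are what an analyst should read.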

Once the data is gathered, the backdoor bundles and encrypts it into a single package before sending it to the C2 server, which is hosted on Glitch, a cloud hosting and web development collaboration service.

OceanLotus is active again with new tactics and is successfully evading security solutions, including by using legitimate cloud hosting services such as Glitch for C2 communications to stay undetected.


Indicators of Compromise (SHA-256)

  • 14e3c13e7455e571bd4bc010d174a6a0f7d416216b77c1e0d27f0f3be59e3bf2
  • 1eb5421cae14cc706efdb9e911608c2c4759ccc446f6e1a62ecf5ba20e5b3482
  • 54aac0840808311e3ab47f76f8ea4b5639bcaac49e3bb4e3c4c6fd6240c21590
  • 720a06e64e4fb85ff82dd2f225789a46b58303399b12b8390bbd3bdc4d5c5774
  • 8fd9915997ebd3b04ad170186aba94e88222e45c6e46168d19ba7f9df3625210
  • 9e3b04b2717ac796c71eea419b6d50531cb24a9e2a4bd63c6c6d9d044488828f
  • a571a35c182c209ab755a8e3ec483b155a2b686de0e3ffc382d569cdef80c227
  • ebadb19c6ab42eb54e57a4d31682f7918630312e9ba77cbebe4efcf046312695
  • ff987e40e87262801b7080624fdcb6d3392b4ad4fca2ef8412c37be7ba3ed63f
  • 15dc11e9ab8ef00fc8469c0bc0cd2127f9cd6a759514acbbb9395931a99f3207
  • 8745e69246e2f0f7281ed0b329b2eb7647efc354af2bf2b5338621f9c1306564
  • 9e0a30502393dbf30376289c7460129c7e46dfea1d77c06a124690f8b9e11cfc
  • b704ec4d0fdcbc0e370ccb1e3c48d1f55ee4a253f59bdd1529fa7d31302c9807
  • 1a7a5228aa8e598d0225caa15d2a7fca2523ff23c35ce53a5bf4f228ad079608
  • 6fa56ddaacf8a0bdb35766667b9ed348bcf4ebf0dc04249ee1de31bfd5d8a4f3
  • 0f537c15a62cf31907b87b46e5d205932af899f984c770592b77a6765bfeb15c
  • faf58097a6142a97022a4a26316bf22a22122a329acf99299b3ec52a98e48b95
  • 53e0f230a5d7cc615fbffaf423a5336112a3966c64d965a1cb883d17edd82e7d
  • baaff5982c5991593c560ceb536b19f4aab78b83ddbcdeaa98be8ffca56beee6
  • 2d765673b9bef7da6612e4c5d3d3ccb286d0e003d4efa5b77575e39eee9ac309
  • c00ede542256087df36c2418a177eaf54919d4ab3b0f57977f106ca3ba2bff86
  • dce58b999d3d93024ebabf95e9d8497a4218283a7e42c352b536ccb9b6a5fdb4
  • 048e8132e520cd31d0be512e8568ae2db30a6ea128fce83668485aa41313a2bd
  • ceda18081b48401a6ae57517e0b2a908100153908b83388285474cccd56b4372
  • f3ec9e5379b0419dad74e112c62ffe9ad19ee714aef7dee35dd694d4b0c6a758
  • 01a7531a667feed1df2bc18c7f7734a0f503e5c60ac27a3d9b05bf14e5cec492
  • 79defb37958694daabea46494163d7cbbb30c18d332f14cb495b7c9edbe42732

C2 Server

  • hxxps://confusion-cerulean-samba.glitch[.]me/0627f41878D
  • hxxps://confusion-cerulean-samba.glitch[.]me/192f188023
  • hxxps://confusion-cerulean-samba.glitch[.]me/2e06bb0ce9
  • hxxps://confusion-cerulean-samba.glitch[.]me/55da2c2031
  • hxxps://confusion-cerulean-samba.glitch[.]me/e1db93941c
  • hxxps://elemental-future-cheetah.glitch[.]me/559084b660P
  • hxxps://elemental-future-cheetah.glitch[.]me/afe92a2bd2P
  • hxxps://torpid-resisted-sugar.glitch[.]me/5db81501e9P
  • hxxps://torpid-resisted-sugar.glitch[.]me/fb3b5e76b4P
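Because the C2 sits on a hosting service that ordinary users also visit, matching only the listed URLs misses the next project the actor spins up, while blocking all of glitch.me is usually not an option. The following added example (not code from the report) refangs the C2 list above, indexes it by host and by exact URL, and scans proxy-style log lines with three levels of verdict: an exact IOC URL, a listed host with a new path, and any other glitch.me host, with the latter escalated when the originating process is not a browser. The log format (timestamp, client IP, process, method, URL, status) and the log lines are constructed for the example; the non-listed Glitch hostnames in them are invented placeholders.

```python
"""Match web-proxy log lines against the C2 list above and flag other traffic
to the same hosting service.  Added example, not the report's code; the log
format and log lines below are constructed."""
import re
from urllib.parse import urlsplit

# The nine URLs from the C2 Server list above, still defanged.
DEFANGED_IOCS = [
    "hxxps://confusion-cerulean-samba.glitch[.]me/0627f41878D",
    "hxxps://confusion-cerulean-samba.glitch[.]me/192f188023",
    "hxxps://confusion-cerulean-samba.glitch[.]me/2e06bb0ce9",
    "hxxps://confusion-cerulean-samba.glitch[.]me/55da2c2031",
    "hxxps://confusion-cerulean-samba.glitch[.]me/e1db93941c",
    "hxxps://elemental-future-cheetah.glitch[.]me/559084b660P",
    "hxxps://elemental-future-cheetah.glitch[.]me/afe92a2bd2P",
    "hxxps://torpid-resisted-sugar.glitch[.]me/5db81501e9P",
    "hxxps://torpid-resisted-sugar.glitch[.]me/fb3b5e76b4P",
]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Constructed log format: timestamp, client IP, originating process, method, URL, status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")

def refang(ioc):
    """Undo the hxxp / [.] defanging so the IOC can be parsed as a URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def build_index(iocs):
    """Index IOCs by host and by (host, path) for host-level and exact matches."""
    hosts, urls = set(), set()
    for ioc in map(refang, iocs):
        u = urlsplit(ioc)
        hosts.add(u.hostname.lower())
        urls.add((u.hostname.lower(), u.path))
    return hosts, urls

def classify(line, hosts, urls):
    """Return a hit for a line that touches the IOCs or the hosting service, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    if (host, u.path) in urls:
        verdict = "ioc-url"
    elif host in hosts:
        verdict = "ioc-host"      # known C2 project, path not on the list (new beacon path)
    elif host.endswith(".glitch.me"):
        # Same hosting service but not a listed project: a browser visiting Glitch is
        # ordinary, a non-browser process talking to it is worth a look.
        verdict = "hosting-service" if m["proc"].lower() in BROWSERS else "hosting-service-nonbrowser"
    else:
        return None
    return {"ts": m["ts"], "src": m["src"], "proc": m["proc"],
            "host": host, "path": u.path, "verdict": verdict}

def scan(lines, iocs=DEFANGED_IOCS):
    """Scan an iterable of log lines and return the hits in order."""
    hosts, urls = build_index(iocs)
    return [hit for hit in (classify(line, hosts, urls) for line in lines) if hit]

# Constructed log lines; the two non-listed Glitch hostnames are placeholders.
SAMPLE_LOG = [
    "2021-11-03T10:15:02Z 10.0.0.5 rundll32.exe GET https://confusion-cerulean-samba.glitch.me/192f188023 200",
    "2021-11-03T10:25:04Z 10.0.0.5 rundll32.exe POST https://confusion-cerulean-samba.glitch.me/zz9 200",
    "2021-11-03T10:26:11Z 10.0.0.9 chrome.exe GET https://some-other-project.glitch.me/ 200",
    "2021-11-03T10:27:30Z 10.0.0.9 chrome.exe GET https://www.example.com/ 200",
    "2021-11-03T10:28:00Z 10.0.0.7 svchost.exe GET https://another-app.glitch.me/beacon 404",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Paths are compared case-sensitively on purpose, since the listed paths carry case (the trailing `D` and `P`), while hostnames are lowercased. The "hosting-service-nonbrowser" verdict is the one that catches a new project the actor registers after these hosts are burned, which is the practical value of pairing the IOC list with a process name.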
