fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

OceanLotus Hackers Turn to Web Archive Files to Deploy Backdoors

OceanLotus Hackers Turn to Web Archive Files to Deploy Backdoors

The OceanLotus group of state-sponsored hackers are now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.

The goal is to evade detection by antivirus solutions  tools which are more likely to catch commonly abused document formats and stop the victim from opening them on Microsoft Office.

Also tracked as APT32 and SeaLotus, the hackers have shown a tendency in the past to try out less common methods for deploying malware.

A report from Netskope Threat Labs shared with Bleeping Computer in advance notes that OceanLotus’ campaign using web archive files is still active, although the targeting scope is narrow and despite the command and control (C2) server being disrupted.

Also Read: 4 easy guides to data breach assessment

From trusty RARs to Word macros

The attack chain starts with a RAR compression of a 35-65MB large web archive file containing a malicious Word document.

RAR file dropped as the first step of the attack
RAR file dropped as the first step of the attack
Source: Netskope

To bypass Microsoft Office protection, the actors have set the ZoneID property in the file’s metadata to “2”, making it appear as if it was downloaded from a trustworthy source.

Editing ZoneID to bypass MS Office protection
Setting ZoneID value to bypass MS Office protection
Source: Netskope

When opening the web archive file with Microsoft Word, the infected document prompts the victim to “Enable Content”, which opens the way to executing malicious VBA macro code.

Also Read: 7 Client Data Protection Tips to Keep Customers Safe

Decoded VBA code used in APT32 docs
Decoded VBA code used in APT32 docs
Source: Netskope

The script performs the following tasks on the infected machine:

  1. Drops the payload to “C:\ProgramData\Microsoft\User Account Pictures\guest.bmp”;
  2. Copies the payload to “C:\ProgramData\Microsoft Outlook Sync\guest.bmp”;
  3. Creates and display a decoy document named “Document.doc”;
  4. Rename the payload from “guest.bmp” to “background.dll”;
  5. Executes the DLL by calling either “SaveProfile” or “OpenProfile” export functions

After the payload is executed, the VBA code deletes the original Word file and opens the decoy document which serves the victim a bogus error.

Backdoor uses Glitch hosting service

The payload dropped in the system is a 64-bit DLL that executes every 10 minutes thanks to a scheduled task impersonating a WinRAR update check.

Fake process carrying the payload injection
Fake process carrying the payload injection
Source: Netskope

The backdoor is injected into the rundll32.exe process running indefinitely in the system memory to evade detection, Netskope notes in its technical report.

Payload injected and unpacked into memory
Payload injected and unpacked into memory
Source: Netskope

The malware collects network adapter information, computer name, username, enumerates system directories and files, checks the list of running processes.

Once that basic data is gathered, the backdoor compiles everything into a single packages and encrypts the content before it’s sent to the C2 server.

This server is hosted on Glitch, a cloud hosting and web development collaboration service that is frequently abused for malicious purposes.

Backdoor communicating with a Glitch-hosted C2
Backdoor communicating with a Glitch-hosted C2
Source: Netskope

By using a legitimate cloud hosting service for C2 communication, the actors further reduce the chances of being detected even when network traffic monitoring tools are deployed.

Although Glitch took down the C2 URLs identified and reported by Netskope researchers, it’s unlikely that this will stop APT32 from creating new ones using different accounts.

For the complete list of the indicators of compromise from this campaign, you may check this GitHub repository.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us