Telsy published a blog post analyzing what they believe to be OceanLotus attacks targeting the Association of Southeast Asian Nations (ASEAN) events and members. The initial infection vector is a document containing malicious macros using multiple layers of obfuscation. Upon execution, the macro copies the document to the %TEMP% folder, decrypts a second stage module, and modifies the registry key that puts all macros in a trusted zone.

With these new macro permissions, a second macro is written into the copied document that is used to obtain contents of the document used to replace the current macro with a third-stage macro. This third macro is the final macro written to the document and is used to perform code injection. The code, which is injected into the winword.exe process, re-assembles and executes an embedded PE file.

This PE file is a backdoor that establishes a C2 connection using HTTP POST requests, with backup support for SOCKS communications. Based on the targets of this attack and artifacts found throughout the code, the researchers state that they are attributing this activity to the OceanLotus threat group with a high degree of confidence.

OceanLotus is a very active threat. Recently, many cyber operations and breaches have been attributed to this elite hacker group. This extensive activity could be the consequence of the multiple interests to which the group focuses its attention.

Indicators of Compromise

SHA256

• 55f8d95fc330b1e9519dc572e4acf8e751387c090f7a640b8ec0257a006212bb
• a8a3109ebf8aa732d4079dd484d326a9941e63029e188a2e2605b9a8a84c3d93
• 61b8cf99d4c2c8a49827a5ee9d0e329cb2ba476f5c70e9eaf5fa0a144ed7bbb2

Domain

• copy.byronorenstein.com
• suricata.radeordaunt.com
• snort.lauradesnoyers.com
• clipboard.christienoll.xyz
• att.illagedrivestralia.xyz
• online.stienollmache.xyz

IP

• 185.158.113.114