Fake or Fake: Keeping Up With OceanLotus Decoys (Mar 20, 2019)

ESET researchers have observed the Advanced Persistent Threat (APT) group "OceanLotus," also known as APT32, beginning to use self-extracting archives to run its malicious code. The group was also found to be exploiting a memory corruption vulnerability in Microsoft Office, registered as CVE-2017-11882, in its phishing campaigns. Proof-of-concept code for CVE-2017-11882 is publicly available, so even less-sophisticated groups are more likely to attempt to use the exploit. The objective of the group's phishing campaign, first observed in January 2019, is to deliver malicious documents, or documents containing malicious macros, that exploit the Office vulnerability. Other email attachments were found to install an information-stealing backdoor on the recipient's machine.
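The three delivery mechanisms named above (self-extracting archives, macro documents, and documents that exploit the Office vulnerability CVE-2017-11882) each leave a recognisable structural trace in the attachment itself. The following triage script is an added example, not ESET's or Anomali's code: it tags an attachment with the indicators it finds, using the fact that CVE-2017-11882 lives in the Equation Editor component, so an Office file carrying an Equation Editor OLE object deserves a closer look. The byte signatures (Equation.3 CLSID, "Equation Native" stream name, archive magics appended to a PE stub) are heuristics stated as assumptions in the comments, and all sample attachments are constructed inline.

```python
"""Attachment triage heuristics for the OceanLotus tradecraft summarized above:
self-extracting archives (a PE file carrying an appended archive), Office documents
with VBA macros, and documents embedding an Equation Editor OLE object (the Office
component whose memory corruption bug is CVE-2017-11882). Added example, not ESET's
or Anomali's code; the byte signatures below are assumptions stated inline."""
import io
import re
import zipfile

# Assumption: serialized CLSID of Equation.3, {0002CE02-0000-0000-C000-000000000046},
# in the little-endian GUID byte layout used inside OLE data.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
# OLE compound-file directory entries store stream names as UTF-16LE.
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")
VBA_MARKERS = ("VBA".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))
# Archive signatures an SFX stub typically carries after its PE headers (assumption).
ARCHIVE_MAGICS = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}


def _scan_ole(blob: bytes) -> set:
    """Look inside raw OLE data for Equation Editor and macro indicators."""
    findings = set()
    if EQUATION_NATIVE in blob or EQUATION_CLSID in blob or b"Equation.3" in blob:
        findings.add("equation_editor_object")
    if any(marker in blob for marker in VBA_MARKERS):
        findings.add("vba_macros")
    return findings


def triage_attachment(data: bytes) -> list:
    """Return sorted indicator tags for one attachment; an empty list means nothing matched."""
    findings = set()
    if data.startswith(b"MZ"):
        findings.add("pe_executable")
        # A self-extracting archive is an executable stub with the archive appended.
        for magic, name in ARCHIVE_MAGICS.items():
            if magic in data[64:]:
                findings.add(f"self_extracting_archive:{name}")
    elif data.startswith(b"{\\rt"):
        findings.add("rtf")
        # RTF embeds OLE objects as hex inside \objdata groups; decode and inspect each one.
        for match in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
            hexdata = re.sub(rb"\s", b"", match.group(1))
            try:
                decoded = bytes.fromhex(hexdata[: len(hexdata) & ~1].decode())
            except ValueError:
                continue
            findings.add("embedded_ole_object")
            findings |= _scan_ole(decoded)
    elif data.startswith(b"\xd0\xcf\x11\xe0"):
        findings.add("ole_compound_document")  # legacy .doc/.xls binary format
        findings |= _scan_ole(data)
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
                    findings.add("ooxml_document")
                for n in names:
                    if n.endswith("vbaProject.bin"):
                        findings.add("vba_macros")
                    if "/embeddings/" in n:
                        findings.add("embedded_ole_object")
                        findings |= _scan_ole(zf.read(n))
        except zipfile.BadZipFile:
            findings.add("corrupt_zip")
    return sorted(findings)


def build_samples() -> dict:
    """Constructed (not real) attachments exercising each branch of the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + bytes(16))
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + bytes(16) + EQUATION_NATIVE)
    docx = buf.getvalue()
    sfx = b"MZ" + bytes(126) + b"PE\x00\x00" + bytes(200) + b"Rar!\x1a\x07\x00" + b"<archive payload>"
    # Minimal OLE1-style blob naming the Equation.3 class, hex-encoded the way RTF stores \objdata.
    ole1 = bytes.fromhex("0105000002000000") + (11).to_bytes(4, "little") + b"Equation.3\x00" + bytes(8) + EQUATION_CLSID
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole1.hex().encode() + b"}}}"
    benign = b"Quarterly figures are in the body of this message."
    return {"docx": docx, "sfx": sfx, "rtf": rtf, "benign": benign}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name}: {triage_attachment(blob) or 'no indicators'}")
```

The tags are meant to feed a mail-gateway or sandbox decision, not to replace it: a macro document or an Equation Editor object is common in legitimate mail too, so the useful policy is to quarantine or detonate attachments that combine these traits with an unexpected sender, and to alert on any executable stub carrying an embedded archive, which ordinary business correspondence almost never needs.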

Recommendation: Publicly available proof-of-concept code for exploits increases the likelihood that threat actors of all levels of sophistication will attempt to use it for malicious purposes. All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file-hosting service.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.