OceanLotus ships new backdoor using old tricks (Mar 13, 2018)
ESET researchers have discovered a new backdoor used by the Advanced Persistent Threat (APT) group known as "OceanLotus" (also tracked as APT32). OceanLotus is widely attributed to Vietnam, not China, and targets corporate and government organisations, particularly in Southeast Asia. The researchers believe the dropper for this backdoor was most likely delivered through a "watering hole" attack. The dropper installs the backdoor in several stages designed to conceal the final payload: a decoy document or fake updater shown to the victim, obfuscated code, and junk code inserted to hinder analysis. Once decrypted in memory, the backdoor fingerprints the host (system and user information) and reports it to its command-and-control (C2) server, then waits for further commands from the operators.
Recommendation: Defense in depth (layered security controls, redundancy, and fail-safe processes) is the best way to limit exposure to APT activity, with attention to both network-based and host-based security. Both prevention and detection capabilities should be in place; because this campaign was likely delivered via a watering-hole site, keep browsers and their plugins patched and monitor for unexpected outbound connections from newly created processes. All employees should also be trained on the risks of spear phishing and watering-hole sites and on how to recognise such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.