Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus (Jul 1, 2019)
ThreatVector researchers have published their findings on the usage of a Remote Access Trojan (RAT) suite dubbed “Ratsnif” used by the Advanced Persistent Threat (APT) group “OceanLotus” (APT32, CobaltKitty). The group was discovered to have used Ratsnif since at least 2016 with three out of the four analyzed samples created in 2016 and the fourth in late 2018. The Ratsnif samples have varying malicious capabilities including DNS poisoning, gateway/device ARP poisoning, HTTP injection, and MAC spoofing. At the time of this writing, it is unspecified how OceanLotus is distributing their Ratsnif malware, however, a common tactic used by APT groups is spearphishing so it is possible the malware is being distributed in this manner.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.