Tracking OceanLotus’ New Downloader, KerrDown


Tracking OceanLotus’ New Downloader, KerrDown (Feb 1, 2019)

Advanced Persistent Threat (APT) group, “OceanLotus” (also known as APT32), has been observed utilising a new custom downloader family, named “KerrDown,” according to researchers at Palo Alto Networks. The downloader can be distributed in one of two ways: a malicious Microsoft Office Document with macros, or a RAR archive containing a legitimate program with DLL side-loading. The document and RAR archive are both in Vietnamese which indicates the likely targets are Vietnamese-speakers. The malicious Word document and RAR archive will drop the KerrDown DLLs that install the final payload of the malware, which appears to be a variant of Cobalt Strike Beacon.

Recommendation: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided, especially ones that request macros to be enabled, and properly reported to appropriate personnel.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.