The email GZ attachment contains a password-protected zip (not provided in the text), with an exe inside: the malware itself. It is not known what the next payload is.
Vietnam’s OceanLotus (APT32) cyber-espionage group has launched a large-scale watering hole campaign targeting users in Southeast Asia. Over 20 websites compromised
Vietnam’s OceanLotus (APT32) cyber-espionage group has compromised over 20 websites as part of a large-scale watering hole campaign targeting users in Southeast Asia, ESET cyber security experts have discovered. The attacks, active since September 2018, have affected, among others, the websites of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese newspaper and blog websites. The new malicious campaign appears to be an evolution of a watering hole scheme documented in 2017. It uses various techniques to hinder analysis, such as public key cryptography to exchange an AES session key that encrypts further communications, and WebSocket connections to hide the malicious traffic. Moreover, although the victims were notified of the attacks, most of the websites continue to serve the malicious script injections.
The new APT32 cyber attacks are an evolution of the “Framework B” malicious campaign and show a level of sophistication never before seen for the group. OceanLotus should be closely tracked
According to ESET, the OceanLotus campaign is an evolution of the “Framework B” watering hole scheme documented by Volexity cyber security experts in 2017. However, APT32 has stepped up its game to complicate and slow down analysis of its malicious framework. Moreover, despite being actively tracked by many researchers, the group is still very busy attacking targets in Southeast Asia. It also regularly improves its toolset, including its watering hole framework and its Windows and macOS malware. The recent updates to the watering hole framework, highlighted on ESET’s blog, show a level of sophistication never before seen from OceanLotus. This is yet another reminder that this APT group should be closely tracked.