The SpyRATs of OceanLotus Malware Analysis White Paper

Contents

Introduction  4
Components  4
Roland RAT  4
  Overview  4
  Features  4
  Behavior  5
  C2  7
    Protocol  7
    Commands  10
CamCapture Plugin  14
  Overview  14
  Features  15
  Exported Functions  15
    Screenshot Grabbing Exports  15
    VIDEO Capture Exports  16
    Helper Exports  17
    Unused Exports  17
Remy RAT  18
  Overview  18
  Features  18
  Deployment  18
  Behavior  18
  C2  23
    Protocol  23
    Commands  29
Splinter RAT  30
  Overview  30
  Features  30
  Behavior  30
  C2  32
    Protocol  32
    Commands  33
    Backdoor Error Codes  34
CobaltStrike Beacon #1  35
  Overview  35
  Deployment  36
CobaltStrike Beacon #2  36
  Overview  36
  Deployment  36
  Behavior  37
Rizzo  39
  Overview  39
  Behavior  39
  C2  41
    Protocol  41
    Commands  42
Denis  42
  Overview  42
  Behavior  42
Network Intelligence  45
  167.114.44.146  45
    Whois  45
    Domains  46
    First seen  46
  87.117.234.172  47
    Whois  47
    Domains  47
    First seen  47
  27.102.67.42  48
    Whois  48
  89.249.65.134  48
    Whois  48
    Domains  49
    First Seen  49
  185.244.213.28  49
    Whois  49
    Domains  50
    First seen  50
Conclusions  50
Appendix  50

Malware Analysis White Paper : The SpyRATs of OceanLotus 2

Introduction

During an incident response investigation in the final quarter of 2017, Cylance® incident responders and threat researchers uncovered several bespoke backdoors deployed by OceanLotus Group (a.k.a. APT32, Cobalt Kitty), as well as evidence of the threat actor using obfuscated CobaltStrike Beacon payloads to perform C2.

The threat actor routinely leveraged PowerShell within the environment, using one-liners to download/deploy malware, as well as obfuscators and reflective PE/shellcode loaders from various exploit kits (including MSFvenom, Veil, and DKMC), allowing much of the malware to operate in-memory, with no on-disk footprint.

The remote access trojans developed by OceanLotus Group (Roland, Remy, and Splinter, named after famous rodents) share subtle code similarities with “Backdoor.Win32.Denis” (Kaspersky), “WINDSHIELD” and “KOMPROGO” (FireEye).

Roland was of particular interest in that it was carefully developed to mimic legitimate software DLLs developed by the victim organization.

The malware C2 protocols were largely tailored for each target, and supported a range of communication methods, from raw data over TCP sockets to HTTP/S proxying. In addition, the threat actor relied heavily upon CobaltStrike Beacon for providing malleable C2 communications.

The remaining white paper is dedicated to in-depth technical analysis of the malware, C2 protocols, TTPs, and general observations.

Components

During the investigation, the following backdoors were uncovered:

File Name                 Classification       Details
certcredprovider.dll.mui  Malware/Backdoor     Roland RAT
underwears.png            Malware/Backdoor     Remy RAT
wpfgfx_v0300.dll          Malware/Backdoor     Splinter RAT
plugin.lst                Malware/Infostealer  CamCapture plugin
user.ico                  Malware/Backdoor     Obfuscated CobaltStrike Beacon
img.png                   Malware/Backdoor     Obfuscated named pipe backdoor (from CobaltStrike)
mobsync.exe               Malware/Backdoor     Rizzo
varies                    Malware/Backdoor     Denis

Roland RAT

Classification  Malware/Backdoor
Aliases
Size            245 KB (250,880 bytes)
Type            Win32 PE (DLL)
File Name       certcredprovider.dll.mui
Timestamp

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    54 Page
