A year-long battle between an Asia-based corporation and a cyberespionage APT gang enabled Cybereason Labs to gather enough evidence to attribute the attack to the OceanLotus Group.
The back-and-forth struggle, dubbed Operation Cobalt Kitty, saw OceanLotus utilize a sophisticated spearphishing attack targeting the company's executives to compromise the computers of several key corporate officers along with 40 PCs, as well as, the domain controller, file, web application and database servers, Cybereason said in a blog. While the gang gained access to the company's data, the good guys managed to learn quite a bit about their adversary.
Several publicly-available tools had been modified and used along with six so-far undocumented custom-built tools were discovered, the latter of which Cybereason said are OceanLotus' signature tools. These included a backdoor that targets Microsoft Outlook and another that leverages DLL hijacking attacks against legitimate Microsoft, Google and Kaspersky applications.
“Based on the tools, modus operandi and IOCs (indicators of compromise) observed in Operation Cobalt Kitty, Cybereason attributes this large-scale cyber espionage APT to the “OceanLotus Group” (which is also known as, APT-C-00, SeaLotus and APT32).
OceanLotus is thought to align with Vietnamese-state interests has been actively compromising private corporations and targeting foreign governments, dissidents and media since at least 2014, according to researchers at FireEye, who have designated this group as APT32.
Cybereason called OceanLotus a crafty group that changed tactics and conducted a multi-stage attack in an attempt to thwart the defenders.
“They continuously changed techniques and upgraded their arsenal to remain under the radar. In fact, they never gave up, even when the attack was exposed and shut down by the defenders,” Cybereason wrote.
The initial attack saw the attackers dropping Visual Basic and PowerShell scripts into a hidden folder and then created a persistence using Windows' registry, services and scheduled tasks.
After the company was warned about the attack and took action the cybercriminal moved to stage two, within 48 hours, which included using the aforementioned back doors and DNS tunneling. Cybereason noted that the backdoors proved the attackers were not only resilient, but skillful in that neither backdoor had been seen before.
The third phase saw the attackers begin to steal credentials off the infected computers, from Microsoft Outlook, and the malware began moving laterally through the computer network.
Then during the fourth and final stage the bad guys went back to the beginning and attempted to reestablish PowerShell using new tools designed to bypass the previously installed security.
The fact that attackers were able to circumvent the initial security was not surprising to Cybereason, “The attackers obviously invested significant time and effort in keeping the operation undetected, striving to evade antivirus detection.”