OceanLotus APT campaign debuts new backdoor that resembles old Korplug RAT
OceanLotus APT campaign debuts new backdoor that resembles old Korplug RAT

The suspected Vietnamese APT group OceanLotus has added a new backdoor to its repertoire of malicious tools – one that includes capabilities for enabling file, registry and process manipulation, and also downloading more malicious files.

According a Mar. 13 blog post by ESET researcher Tomas Foltyn, the hackers appears to be delivering the malware via spear phishing and watering hole campaigns, while relying on tried-and-true tactics it has previously used to remain undetected, including heavy code obfuscation and DLL side-loading.

The backdoor, identified as Korplug.MK, has been primarily targeting East Asian countries such as Vietnam, the Philippines, Laos and Cambodia. ESET spokesperson Anna Keeve told SC Media via email that the malware behaves similarly to the PlugX RAT, which is also nicknamed Korplug and has existed since 2012; however, the two programs are not to be confused with each other.

OceanLotus, aka APT32 and APT-C-00, has been distributing the backdoor, which ESET discovered several months ago, via spear phishing emails and watering hole campaigns.

The phishing emails include attached malicious documents containing the dropper Win32/TrojanDropper.Agent.RUI, which delivers Korplug while also presenting users with a legit-looking decoy document. Often written in English or Vietnamese, sample decoys have presented themselves as technical specs on an Mi-17 Russian helicopter, a fake resume, various business documents, and a document containing details of a complaint sent to the Vietnamese telecom company Saigontel.

The compromised websites used in watering hole attacks attempt to trick visitors into thinking they're installing an installer or software update, when they're actually downloading a dropper that once again produces Korplug. In a full technical write-up, ESET reports that one dropper, RobototFontUpdate.exec, comes disguised as a fake font update, while another pretends to be a repackaged Firefox installer.

An analysis of the RobototFontUpdate.exec dropper found that it leveraged heavy code obfuscation and even some garbage code to thwart any attempts at detection. After establishing persistence and deleting the lure document, the dropper produces two more files: a digitally-signed executable from a real software developer – McAfee and Symantec among them – and the Korplug backdoor, in the form of a malicious Dynamic Link Library (DLL) file with the same name as the aforementioned executable (but with a different extension).

“The two files figure in a tried-and-tested trick called ‘DLL side-loading', which consists in co-opting a legitimate application's library-loading process by planting a malicious DLL inside the same folder as the signed executable,” the ESET blog post explains. “This is a way to remain under the radar, since a trusted application with a valid signature is less likely to arouse suspicion.”

After it's officially executed, Korplug fingerprints the infected system, sends the victim's computer and OS data to the command-and-control server, and waits for commands.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address,” the blog post concludes. “The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application.”