Security researchers at Cylance discovered that the
steganography to deliver a version of Denes backdoor and an updated version of Remy backdoor.
The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a state-sponsored hacking group.
The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
“While continuing to monitor
Threat actors used a custom
Hackers already employed the same technique in attacks carried out in September 2018, the payload extraction procedure used by the attackers is the same.
The two loaders discovered by Cylance and used by the APT group use side-loaded DLLs and an AES128 implementation from Crypto++ library for payload decryption.
Below details of the two malware used by the APT in the attacks:
Steganography Loader #2 – Features
The attack chain starts with the obfuscated loader payload being decrypted and executed to load one of the two backdoors.
To make hard the analysis of the malware, backdoor DLLs are heavily obfuscated and C2 communication encrypted.
A specific C2 communication module is used to manage connections via HTTP/HTTPS channels with the command-and-control infrastructure, it also includes built-in proxy bypass functionality.
Further technical details, including Indicators of Compromise, are included in the report published by Cylance.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.