Security researchers at Cylance discovered that the
steganography to deliver a version of Denes backdoor and an updated version of Remy backdoor.
The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a state-sponsored hacking group.
The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
“While continuing to monitor
Threat actors used a custom
Hackers already employed the same technique in attacks carried out in September 2018, the payload extraction procedure used by the attackers is the same.
The two loaders discovered by Cylance and used by the APT group use side-loaded DLLs and an AES128 implementation from Crypto++ library for payload decryption.
Below details of the two malware used by the APT in the attacks:
Steganography Loader #2 – Features
The attack chain starts with the obfuscated loader payload being decrypted and executed to load one of the two backdoors.
To make hard the analysis of the malware, backdoor DLLs are heavily obfuscated and C2 communication encrypted.
A specific C2 communication module is used to manage connections via HTTP/HTTPS channels with the command-and-control infrastructure, it also includes built-in proxy bypass functionality.
Further technical details, including Indicators of Compromise, are included in the report published by Cylance.