OceanLotus APT Enlarges the Arsenal With Ratsnif Malware

Delaware, USA – July 2, 2019 – Threat actor developed Ratsnif remote access trojan in 2016 and used it in cyber espionage campaigns for almost three years. Cylance cybersecurity experts analyzed 4 samples of malware, 3 of which were compiled in August-September 2016 and almost immediately began to be used in attacks. The last Ratsnif sample discovered is dated August 2018 and is significantly different from previous versions. Initially, the trojan was used for DNS spoofing, HTTP redirection, and also to redirect traffic through malware. It collected system information and directly communicated with the command-and-control server. The latest version of Ratsnif is no longer communicating with C&C infrastructure, sending data and receiving instructions from another tool of the group instead. In addition, a new version of trojan can parse HTTP traffic, perform SSL hijacking using SSL certificate dropped along with malware, and use WolfSSL library to decrypt SSL traffic. The malware is installed after the attackers have determined the victim’s network environment, they create the specific config file using reconnoitered data and load it on the infected system. The file also contains information on where to save the stolen credentials and sensitive information as text files for further exfiltration.

OceanLotus group (aka APT32) is allegedly linked to the Vietnamese government and has operated primarily in Southeast Asia since 2012. The group quickly adopts effective techniques and constantly modifies its tools to avoid detection by antivirus solutions. Techniques used by OceanLotus and content to detect them can be explored in MITRE ATT&CK section in Threat Detection Marketplace: https://tdm.socprime.com/att-ck/