Delaware, USA – November 22, 2018 – The OceanLotus group (aka APT32 or APT-C-00) is conducting a new large-scale cyber espionage campaign. The APT group has been active since at least 2012 and is mainly interested in government entities. The ongoing campaign started this September: the adversaries conduct watering hole attacks, compromising websites in Southeast Asia. Researchers from ESET discovered 21 websites in Vietnam and Cambodia that redirect users to domains controlled by the OceanLotus group. For each attacked site, the adversaries register a different domain, each hosted on a different server, and create a different malicious script. The first-stage script checks the user's browser and browser extensions, decrypts the C&C address, and then receives and executes a second-stage script. The second-stage script gathers the user-agent, the HTTP Referer, the local and external IP addresses, the browser plugins and the browser's configured language preferences, and sends them to the C&C server. If the user is of interest to the group, the script downloads the final payload from the C&C server and installs it.
The OceanLotus group regularly improves its toolset, including its Windows and macOS malware. It is still unknown which malware they use as the final payload in this campaign. To detect the malicious scripts and the connections to the attackers' servers used in this watering hole campaign, you can use SIEM rules from Threat Detection Marketplace:
OceanLotus watering hole attack (Firewall): https://tdm.socprime.com/tdm/info/1370/
OceanLotus watering hole attack (Proxy): https://tdm.socprime.com/tdm/info/1371/
OceanLotus watering hole attack (Sysmon): https://tdm.socprime.com/tdm/info/1372/
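As an added illustration of the proxy-side detection angle (this is not one of the marketplace rules above and not OceanLotus code), the Python heuristic below flags the two-stage pattern described in the campaign: a script fetched from a domain outside the organisation's baseline, citing a visited page as its Referer, followed shortly by a POST beacon from the same client to that same domain. The log lines, domain names and baseline list are constructed placeholders.

```python
"""Heuristic detector for the watering-hole pattern over constructed proxy log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp client method url referer status
SAMPLE_LOGS = """\
2018-09-03T10:00:01 10.0.0.5 GET http://news.example-kh.test/index.html - 200
2018-09-03T10:00:02 10.0.0.5 GET https://cdn.example-kh.test/main.js http://news.example-kh.test/index.html 200
2018-09-03T10:00:03 10.0.0.5 GET https://stats.fake-cdn.test/stage1.js http://news.example-kh.test/index.html 200
2018-09-03T10:00:05 10.0.0.5 POST https://stats.fake-cdn.test/collect http://news.example-kh.test/index.html 200
2018-09-03T11:30:00 10.0.0.7 GET http://news.example-kh.test/index.html - 200
2018-09-03T11:30:01 10.0.0.7 GET https://cdn.example-kh.test/main.js http://news.example-kh.test/index.html 200
"""

# Domains already in the organisation's baseline (constructed placeholder list).
KNOWN_GOOD = {"news.example-kh.test", "cdn.example-kh.test"}
WINDOW = timedelta(seconds=30)  # how soon after the script fetch the beacon must follow
LINE_RE = re.compile(r"(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)")


def domain_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0]


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, client, method, url, referer, _status = LINE_RE.match(line).groups()
        events.append((datetime.fromisoformat(ts), client, method, url, referer))
    return events


def detect_watering_hole(log_text, known_good=KNOWN_GOOD, window=WINDOW):
    """Return (client, referring_page_domain, suspect_domain) for each hit.
    A hit is a .js fetch from a non-baseline domain with a Referer set, followed
    within `window` by a POST from the same client to that same domain."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        for ts, _, method, url, referer in evs:
            dom = domain_of(url)
            if method != "GET" or referer == "-" or dom in known_good or not url.endswith(".js"):
                continue
            beacon = any(m == "POST" and domain_of(u) == dom and ts <= t <= ts + window
                         for t, _, m, u, _ in evs)
            if beacon:
                alerts.append((client, domain_of(referer), dom))
    return alerts
```

A real deployment would replace the static baseline with the proxy's own history of first-seen domains and tune the window to the observed beacon delay.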