Emulating the Southeast Asian Adversary OceanLotus – AttackIQ

OceanLotus, also known as APT32, Ocean Buffalo, and SeaLotus, is a highly sophisticated adversary operating on behalf of the interests of the Vietnamese government that was first identified by the Sky Eye Laboratory in May 2015 but whose activities can be traced back to at least 2012. The adversary primarily focuses on strategic, political, and economic targets, especially in Southeast Asia. Their targets include private corporations in the manufacturing, consumer product, and hospitality sectors as well as foreign governments, political dissidents, and journalists.

OceanLotus uses off-the-shelf tools and custom-built malware tailored to their specific targets to conduct strategic web compromises against victim networks. Since its discovery, OceanLotus’ common access vectors have often involved social engineering activities and watering hole attacks but have recently shifted to exploiting 0-day and N-day vulnerabilities and compromising IoT devices.

AttackIQ has released a content bundle that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by OceanLotus during its latest operations to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital to reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate the performance of security controls against a highly elusive, sector-focused long-standing adversary.
  • Assess your security posture against the Tactics, Techniques and Procedures (TTPs) that OceanLotus has successfully employed during two large-scale, high-impact operations.
  • Continuously validate detection and prevention channels against a highly sophisticated and politically motivated threat.

OceanLotus – 2021-06 – Operation OceanStorm


This attack graph is based on a report published by QiAnXin in August 2021, which detailed that OceanLotus had been observed conducting activities against high-profile targets by exploiting 0-day and N-day vulnerabilities. This indicates a change in the adversary’s behavior given that, since its discovery in 2015, its attacks have been characterized by using phishing emails as the initial access method.

During this activity, researchers observed the group using various malicious scripts aimed at the reconnaissance of the compromised system’s environment and the network to which it belongs. Furthermore, the group has conducted Brute Forcing activities against multiple remote services to move laterally to additional systems.

In addition, OceanLotus was observed deploying Cobalt Strike to establish covert two-way communications between its infrastructure and the compromised system, and the hacktool known as Mimikatz, to extract local credentials.


The first stage begins with the execution of malicious code via Load Library and Create Remote Thread. Once executed, the script performs an open port scan in the local network searching for 21, 139, 389, 445, 3389 ports. If open remote systems are identified, the script continues by brute-forcing FTP (21) and SMB (445) protocols.

Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.

Network Service Discovery (T1046): This scenario uses nmap for scanning hosts that are open on ports 21, 139, 389, 445, and 3389 that would identify remotely accessible hosts to the attacker.

Brute Force: Password Spraying (T1110.003): The adversary attempts to acquire valid account credentials by brute-forcing a password list against FTP and SMB protocols.


This stage focuses on gathering information about the local and network environment of the compromised system. Throughout this phase, the adversary collects information about the system, its hardware, its location, available files and directories, installed programs and security software, running processes and services, and network configurations. Finally, the collected information is compressed and exfiltrated to the adversary’s infrastructure.

System Information Discovery (T1082): This scenario executes the Get-ComputerInfo cmdlet via PowerShell to retrieve information about the compromised host.

System Network Connections Discovery (T1049): This scenario executes the Get-NetDomain PowerView cmdlet to retrieve different information from the asset joined domain (if any), such as domain name, domain controllers, and other information such as forests.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.

Software Discovery (T1518): This scenario will list all the applications installed, as well as their versions using a PowerShell Script.

Security Software Discovery (T1518.001): A PowerShell script is executed to determine which software has been installed as an AntiVirusProduct class.

System Owner/User Discovery (T1033): This scenario will call the GetUserNameW Windows API call to retrieve the name of the user associated with the current thread.

System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.

System Network Connections Discovery (T1049): This scenario uses the native Windows command line tool netstat to collect active connections and any listening services running on the host.

Peripheral Device Discovery (T1120): This scenario executes the PowerShell cmdlet Get-Disk to gather valuable information about the physical drives and partitions currently installed on a Windows system.

Process Discovery (T1057): The Windows API is used to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.

System Service Discovery (T1007): This scenario executes the PowerShell cmdlet Get-Service to gather valuable information about installed services and applications on a compromised Windows system.

Exfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ controlled server using HTTP POST requests.


The last stage of this attack begins with the deployment of Cobalt Strike, which is executed by injecting its shellcode into a running process or by creating a new service.

Once the execution is achieved, a scheduled task is created to ensure persistence.

Finally, the Mimikatz hacktool is deployed to dump credentials, which are ultimately exfiltrated.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious content.

Windows Service (T1543.003): Use the native sc command line tool to create a new service that will be executed at reboot.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.

Access Token Manipulation: Token Impersonation/Theft (T1134.001): This scenario uses the named pipe impersonation method leveraged by Cobalt Strike to escalate privileges.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.

OceanLotus – 2022-11 – Operation Typhoon

The following emulations are based on a report published in November 2022 by QiAnXin, which details that, during 2021, OceanLotus was observed exploiting three different 0-day and various N-day vulnerabilities that were used as the primary infection vector against multiple targets.

During this activity, dubbed “Operation Typhoon”, an undocumented trojan nicknamed “Caja” was uncovered, which was shipped in three different versions tailored for ARM, MIPS, and x86 architectures.

Throughout the operation, the group employed various tools, such as webshells, port scanners, and communication tunnelers, in conjunction with several loaders impacting different architectures, such as Windows and Linux. In addition, OceanLotus also utilized commercial tools such as Cobalt Strike and Mimikatz and several open-source utilities to facilitate their goals.

The emulation of these activities is divided into multiple attack graphs, which focus on the behaviors exhibited on three different systems, namely the Beachhead, a Windows endpoint, and a Linux endpoint.

OceanLotus – 2022-11 – Operation Typhoon (Windows Beachhead)


This attack graph is focused on emulating the different behaviors exhibited by OceanLotus during the infection of the “Beachhead”, which is the system where the adversary gains an initial foothold and from which it proceeds to move laterally.


Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious content.


This stage deploys the Mimikatz hacktool, which is used to dump credentials from the compromised system. Lastly, the attacker will attempt to move laterally to any available asset belonging to the compromised network by using Windows Management Instrumentation (WMI).

Windows Management Instrumentation (T1047): This scenario will attempt to move laterally to any available asset inside the network through the use of Windows Management Instrumentation (WMI).

OceanLotus – 2022-11 – Operation Typhoon (Windows Endpoint)


This attack graph is focused on emulating the different behaviors exhibited by OceanLotus during the infection of a Windows endpoint that belongs to the compromised network.


During the first stage, the attacker will attempt to deploy Shhloader or Mortar Loader into the system. Once the intrusion is successful, Cobalt Strike will be deployed and executed via MSBuild on the compromised system.

Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001): This scenario implements a batch script that allows an attacker to use legitimate development utilities to execute arbitrary code.


In the second stage of the attack, an open-source tunneling tool called RPIVOT is deployed and executed on the compromised system. Then, a script is executed to discover browser bookmark information, which is then exfiltrated over HTTP. Finally, the attacker creates a new account and disables User Account Control (UAC) via Registry.

Application Layer Protocol: Web Protocols (T1071.001): This scenario emulates the HTTP requests made by OceanLotus by making an HTTP request to an AttackIQ server.

Browser Information Discovery (T1217): This scenario uses a PowerShell script to enumerate browser bookmarks to gain information about the hosts and their users.

Create Account: Local Account (T1136.001): Emulates the creation of a new account using net user.

Bypass User Account Control (T1548.002): OceanLotus attempts to disable UAC by setting a registry key.

OceanLotus – 2022-11 – Operation Typhoon (Linux Endpoint)


This attack graph is focused on emulating the different behaviors exhibited by OceanLotus during the infection of a Linux endpoint that belongs to the compromised network.

This emulation involves the deployment of a Trojan called “Caja” to the system, which is used to run an environment discovery routine to collect system information, files and directories, system network configurations and user information. Finally, the data is collected and encrypted for exfiltration over HTTP.

System Information Discovery (T1082): The malware collects information about which Linux kernel is running by executing uname -rms.

System Network Configuration Discovery (T1016): This scenario acquires the network configuration of the asset by using standard Unix utilities, such as netstat, route, ifconfig, and arp -a.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by OceanLotus.

PCAP Replay – SMB Brute-Force: This scenario will simulate an SMB brute force attack sending 222 login attempts against an SMB server on port 445/TCP. With this scenario, it is possible to correctly test brute force attack detection and prevention mechanisms by leveraging the use of malicious PCAP files and replaying them between two selected assets.

Detection and Mitigation Opportunities

Given the vast number of techniques used by this adversary, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Process Injection (T1055):

Malware will commonly inject malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

1a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.
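One way to operationalize "common processes performing uncommon actions" is to baseline which source images normally call cross-process injection APIs and then flag calls that fall outside that baseline. The script below is an added example written for this post, not AttackIQ scenario code; the event records, field names, process names and API list are constructed assumptions standing in for whatever your EDR or Sysmon-style telemetry provides.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Windows APIs commonly involved in cross-process injection (assumed telemetry values).
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "QueueUserAPC"}

# Constructed baseline telemetry (not real data) from a known-good period.
# Each event: source image/pid, target image/pid, API called.
BASELINE_EVENTS: List[Dict] = [
    {"src": "csrss.exe", "src_pid": 600, "tgt": "chrome.exe", "tgt_pid": 4100, "api": "CreateRemoteThread"},
    {"src": "csrss.exe", "src_pid": 600, "tgt": "explorer.exe", "tgt_pid": 2200, "api": "CreateRemoteThread"},
    {"src": "csrss.exe", "src_pid": 600, "tgt": "notepad.exe", "tgt_pid": 5100, "api": "CreateRemoteThread"},
    {"src": "svchost.exe", "src_pid": 900, "tgt": "svchost.exe", "tgt_pid": 950, "api": "WriteProcessMemory"},
    {"src": "svchost.exe", "src_pid": 900, "tgt": "svchost.exe", "tgt_pid": 960, "api": "WriteProcessMemory"},
    {"src": "werfault.exe", "src_pid": 7000, "tgt": "chrome.exe", "tgt_pid": 4100, "api": "CreateRemoteThread"},
]

# Constructed observation window to analyse against the baseline.
OBSERVED_EVENTS: List[Dict] = [
    {"src": "csrss.exe", "src_pid": 600, "tgt": "chrome.exe", "tgt_pid": 4300, "api": "CreateRemoteThread"},
    {"src": "winword.exe", "src_pid": 8100, "tgt": "explorer.exe", "tgt_pid": 2200, "api": "CreateRemoteThread"},
    {"src": "cmd.exe", "src_pid": 8200, "tgt": "lsass.exe", "tgt_pid": 700, "api": "WriteProcessMemory"},
    {"src": "werfault.exe", "src_pid": 7100, "tgt": "chrome.exe", "tgt_pid": 4300, "api": "CreateRemoteThread"},
    {"src": "explorer.exe", "src_pid": 2200, "tgt": "explorer.exe", "tgt_pid": 2200, "api": "CreateRemoteThread"},
    {"src": "chrome.exe", "src_pid": 4300, "tgt": "chrome.exe", "tgt_pid": 4310, "api": "ReadProcessMemory"},
]


def build_baseline(events: List[Dict], min_count: int = 2) -> Set[Tuple[str, str]]:
    """Return (source image, API) pairs seen at least min_count times in known-good telemetry.

    Keying on the source image rather than the (source, target) pair keeps the baseline
    small and lets it generalize to new target processes.
    """
    counts = Counter(
        (e["src"].lower(), e["api"]) for e in events if e["api"] in INJECTION_APIS
    )
    return {pair for pair, n in counts.items() if n >= min_count}


def find_uncommon_injections(events: List[Dict], baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag cross-process injection API calls whose source image is not in the baseline."""
    flagged = []
    for e in events:
        if e["api"] not in INJECTION_APIS:
            continue                      # not an injection primitive
        if e["src_pid"] == e["tgt_pid"]:
            continue                      # same process: not cross-process injection
        if (e["src"].lower(), e["api"]) not in baseline:
            flagged.append((e["src"], e["tgt"], e["api"]))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for src, tgt, api in find_uncommon_injections(OBSERVED_EVENTS, baseline):
        print(f"uncommon injection: {src} -> {tgt} via {api}")
```

The `min_count` threshold controls how many sightings a source needs before it is trusted; a single baseline sighting (werfault.exe here) is deliberately not enough, so the event is still surfaced for review. In production the baseline would be learned per host role and refreshed on a schedule rather than hard-coded.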

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

2. Windows Service (T1543.003):

Actors can create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.

2a. Detection

The following rules can help identify when that persistence mechanism is being set.

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ('sc' AND 'create' AND 'start= "auto"')
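The rule above can be applied directly to process-creation telemetry. The script below is an added example, not part of the AttackIQ bundle: it encodes the same three conditions over a set of constructed process-creation events (assumed field names `host`, `process`, `cmdline`), matching `sc` as a whole token so that commands like `schtasks /sc daily` do not trip it, and accepting `sc.exe` given as a full path.

```python
import re
from typing import Dict, List

# Processes the rule keys on, compared case-insensitively.
SHELL_PROCESSES = {"cmd.exe", "powershell.exe"}

# 'start= "auto"' as written in the rule, tolerating the optional whitespace and quotes
# that sc.exe accepts on the command line.
START_AUTO = re.compile(r'start=\s*"?auto"?', re.IGNORECASE)

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "process": "cmd.exe",
     "cmdline": 'sc create UpdaterSvc binPath= "C:\\Temp\\agent.exe" start= "auto"'},
    {"host": "WS02", "process": "PowerShell.exe",
     "cmdline": 'C:\\Windows\\System32\\sc.exe create Svc1 binPath= C:\\x.exe start= auto'},
    {"host": "WS03", "process": "cmd.exe", "cmdline": "sc query wuauserv"},
    {"host": "WS04", "process": "cmd.exe",
     "cmdline": 'sc create TmpSvc binPath= C:\\t.exe start= demand'},
    {"host": "WS05", "process": "cmd.exe",
     "cmdline": "schtasks /create /tn Sync /sc daily /tr C:\\s.exe"},
    {"host": "WS06", "process": "services.exe",
     "cmdline": 'sc create X binPath= C:\\x.exe start= auto'},
]


def _tokens(cmdline: str) -> List[str]:
    """Split a command line into lower-cased tokens, stripping quotes and directory paths."""
    out = []
    for tok in cmdline.split():
        tok = tok.strip('"\'').lower()
        tok = tok.rsplit("\\", 1)[-1]   # keep only the file name of a full path
        out.append(tok)
    return out


def matches_sc_create_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies all three conditions of the detection rule."""
    if event["process"].lower() not in SHELL_PROCESSES:
        return False
    toks = _tokens(event["cmdline"])
    has_sc = any(t in ("sc", "sc.exe") for t in toks)
    has_create = "create" in toks
    return has_sc and has_create and START_AUTO.search(event["cmdline"]) is not None


def find_service_persistence(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of events down to those matching the rule."""
    return [e for e in events if matches_sc_create_rule(e)]


if __name__ == "__main__":
    for e in find_service_persistence(SAMPLE_EVENTS):
        print(f"{e['host']}: {e['process']} -> {e['cmdline']}")
```

Only WS01 and WS02 match: WS03 is a query, WS04 creates a demand-start service, WS05 is a scheduled task, and WS06 is not launched from a shell. Tuning the rule to also cover `start= delayed-auto` or service creation through the Win32 API rather than sc.exe is a natural next step once this baseline check is in place.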

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

3. Exfiltration Over C2 Channel (T1041):

Adversaries may perform the exfiltration of sensitive data from the infected host. IDS/IPS and DLP solutions are well suited for detecting and preventing sensitive files from being sent to a suspicious external host.

3a. Detection

In some cases, data may be exfiltrated without any throttling or additional encoding or encryption from the backdoor. If that’s the case, data is sent via HTTP POST requests in plain text and therefore should be easier to detect using Data Loss Prevention controls.

Additionally, since these requests are not throttled, network traffic can be monitored for anomalous traffic flow patterns that can identify single systems, typically client assets that are sending out significant amounts of data.
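The volume-based detection described in the two paragraphs above can be prototyped over proxy logs. The script below is an added example, not AttackIQ code: it parses constructed proxy log lines (an assumed `<time> <client> <method> <url> <bytes out>` layout, with 203.0.113.10 as a documentation-range stand-in for the external host), aggregates outbound POST bytes per client, and flags clients whose volume is far above the population median or whose POSTs arrive in an unthrottled burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List

# Constructed proxy log (not real traffic). 10.0.0.12 sends eight 512 KiB POSTs in
# ten seconds; the other clients browse normally. One malformed line is included.
SAMPLE_LOG = """\
2021-06-14T10:00:01Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:02Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:03Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:04Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:05Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:06Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:07Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:08Z 10.0.0.12 POST http://203.0.113.10/upload 524288
2021-06-14T10:00:02Z 10.0.0.20 GET http://intranet.example/index.html 0
2021-06-14T10:01:10Z 10.0.0.20 POST http://intranet.example/login 2048
2021-06-14T10:09:30Z 10.0.0.20 POST http://intranet.example/search 2048
2021-06-14T10:03:00Z 10.0.0.31 GET http://intranet.example/news 0
2021-06-14T10:04:00Z 10.0.0.31 POST http://intranet.example/form 4096
this line is not a valid log record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)


def parse_log(lines: Iterable[str]) -> List[Dict]:
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "method": m["method"],
            "url": m["url"],
            "bytes": int(m["bytes"]),
        })
    return events


def post_volume_by_client(events: List[Dict]) -> Dict[str, Dict]:
    """Total outbound POST bytes, request count and time span per client."""
    stats: Dict[str, Dict] = defaultdict(lambda: {"bytes": 0, "count": 0, "first": None, "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] != "POST":
            continue
        s = stats[e["src"]]
        s["bytes"] += e["bytes"]
        s["count"] += 1
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
    return dict(stats)


def flag_exfil_candidates(events: List[Dict], min_bytes: int = 1_048_576, ratio: float = 10.0,
                          burst_count: int = 5, burst_window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Clients whose POST volume is >= max(min_bytes, ratio * median) or who burst-POST."""
    stats = post_volume_by_client(events)
    if not stats:
        return []
    med = median(s["bytes"] for s in stats.values())
    flagged = []
    for src, s in sorted(stats.items()):
        large = s["bytes"] >= max(min_bytes, ratio * med)
        burst = s["count"] >= burst_count and (s["last"] - s["first"]) <= burst_window
        if large or burst:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for src in flag_exfil_candidates(evs):
        print(f"possible exfiltration from {src}: {post_volume_by_client(evs)[src]}")
```

The absolute floor (`min_bytes`) stops the ratio test from firing in small populations where the median is near zero, and the burst test catches the unthrottled pattern independently of size. Both thresholds are starting points to tune against your own baseline of normal client upload behaviour.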

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

Wrap-up

In summary, these attack graphs will help organizations evaluate security and incident response processes and support the improvement of your security control posture against a politically motivated adversary that operates on behalf of the interests of the Vietnamese government. With data generated from continuous testing and the use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.
