In a cyber intrusion dubbed Operation Cobalt Kitty, the OceanLotus hacking group — otherwise known as APT32 — played cat-and-mouse with a security firm that was tracking its every move.
Cybereason (a Boston, Mass.-based provider of threat detection solutions) had been employed by a large global firm operating in Asia that suspected, but could not locate, a breach. The investigators found evidence of an ongoing intrusion by advanced hackers they recognized as the OceanLotus Group. Earlier this month, FireEye all but declared the group — designated by FireEye as APT32 — to be a Vietnamese nation-state actor.
Cybereason’s investigation showed that this group had been inside the Asian firm for more than a year before it was discovered. Furthermore, the attacker took ongoing evasive action to retain its presence even though it almost certainly knew it had been detected.
During the investigation, Cybereason found more than 70 payloads and numerous domains. It discovered six custom-built tools that it considers to be the OceanLotus Group’s signature tools. FireEye’s report noted five such tools; but Cybereason also detected Backdoor.Win32.Denis, first described by Kaspersky just last month, which it now adds to the OceanLotus armory. Win32.Denis uses DNS tunneling for C&C communications.
Cybereason was able to uncover the entire lifecycle of the Cobalt Kitty operation. The attack started with targeted spear-phishing emails: one with a link to a fake Flash installer and another with an attached weaponized Office document. The Word document contained a malicious macro that creates persistence on the compromised machine using two scheduled tasks. In both cases, the end purpose was to download secondary payloads including Cobalt Strike Beacon.
The process is ‘fileless’. Persistence is maintained through the Windows registry, services and scheduled tasks. A PowerShell script is used to fetch Cobalt Strike Beacon, which also operates in memory.
Cybereason reported its discoveries to the client, who then used both a Windows Group Policy Object (GPO) and Cybereason’s execution prevention feature to block PowerShell execution. But the attacker didn’t give up — the group adapted, initially concentrating on its own custom and stealthy backdoors. It then resumed the PowerShell operation. “The attackers used a modified version of a publicly available tool called PSUnlock to bypass the PowerShell execution restrictions,” notes the report.
Cybereason suspects that the group were ready and prepared for this scenario. “The attackers’ remarkable ability to quickly adapt,” suggests Cybereason, “demonstrates their skill and familiarity with and command of the company’s internal network and its operations.”
The attacker also used DLL hijacking leveraging Windows Search, Google Update and Kaspersky’s Avpia to load fake DLLs containing malicious code. It used DNS tunneling for C2 communication and data exfiltration. “To ensure that the DNS traffic will not be filtered,” reports Cybereason, “the attackers configured the backdoor to communicate with Google and OpenDNS DNS servers, since most organizations and security products will not filter traffic to those two major DNS services.”
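The trait Cybereason highlights here, endpoints sending DNS straight to Google or OpenDNS resolvers instead of through the corporate resolver, is itself something defenders can hunt for. The following is an added detection sketch, not code from Cybereason's report: the log format, the internal resolver address, the thresholds and the `c2-placeholder.example` domain are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Well-known public resolver addresses (Google Public DNS and OpenDNS).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}
# Assumption: only these internal resolvers may talk to external DNS servers.
INTERNAL_RESOLVERS = {"10.0.0.53"}

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(line):
    """Constructed log format: '<time> <src_ip> <dst_ip> <qtype> <qname>'."""
    _, src, dst, qtype, qname = line.split()
    return src, dst, qtype, qname.rstrip(".").lower()

def find_tunnel_suspects(lines, min_unique=3, min_label_len=24, min_entropy=3.5):
    """Return {(src, parent_domain): unique_label_count} for hosts that bypass
    the internal resolver and send many long, random-looking leftmost labels."""
    seen = defaultdict(set)
    for line in lines:
        src, dst, _, qname = parse(line)
        if dst not in PUBLIC_RESOLVERS or src in INTERNAL_RESOLVERS:
            continue  # client -> internal resolver, or resolver -> internet
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        # Naive parent domain (last two labels); use a public-suffix list in production.
        payload, parent = labels[0], ".".join(labels[-2:])
        if len(payload) >= min_label_len and entropy(payload) >= min_entropy:
            seen[(src, parent)].add(payload)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

# Constructed sample log lines (not taken from the incident).
SAMPLE_LOG = [
    "2017-05-24T10:00:00Z 10.0.1.20 10.0.0.53 A www.example.com",
    "2017-05-24T10:00:00Z 10.0.0.53 8.8.8.8 A www.example.com",
    "2017-05-24T10:00:05Z 10.0.1.31 8.8.8.8 A www.example.org",
    "2017-05-24T10:01:00Z 10.0.1.44 8.8.8.8 A mzxw6ytboi2gk3tdn5sgkzlt.c2-placeholder.example",
    "2017-05-24T10:01:02Z 10.0.1.44 208.67.222.222 A nbswy3dpeb3w64tmmqqhi2dj.c2-placeholder.example",
    "2017-05-24T10:01:04Z 10.0.1.44 8.8.4.4 A orugs4zanfzsayjaorsxg5ba.c2-placeholder.example",
]

if __name__ == "__main__":
    print(find_tunnel_suspects(SAMPLE_LOG))
```

The same log also supports a simpler egress control: allow outbound port 53 only from the internal resolvers and alert on any other source.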
It also established an additional, innovative and difficult-to-detect C2 channel by installing a backdoor macro in Outlook, through which it was able to execute commands, deploy tools and steal data via email. The macro looks for incoming commands, deletes the relevant email, executes the discovered commands from the deleted items folder, and finally deletes all evidence of the emails sent or received from the attackers.
“This backdoor has not been publicly documented,” says Cybereason, “and is one of the most unique TTPs with regards to the threat actor. Outlook backdoors are not a new concept and have been observed in different APTs in the past. However, this specific type of Outlook backdoor can be considered as one of the ‘signature tools’ of the OceanLotus Group.”
Similar to the methodology attributed by FireEye to APT32, the group combined its custom backdoors with freely available tools; for example, using Mimikatz as the primary tool to obtain credentials and aid lateral movement.
Throughout the operation, the OceanLotus Group showed a preference for using and adapting such publicly available tools. “However, the attackers should not be considered script-kiddies,” says the report. “Most of the publicly available tools were either obfuscated, modified and even merged with other tools to evade antivirus detection. This type of customization requires good coding skills and understanding of how those tools work.”
Cybereason does not go as far as FireEye in suggesting that OceanLotus may be state-sponsored, but it describes the group as “determined and motivated… they never gave up, even when part of their attack infrastructure was exposed and shut down by the defenders.” It doesn’t name the victim firm, nor does it specifically tie the intrusion to Vietnamese interests. All that Cybereason would tell SecurityWeek is, “We can only specify that the attackers are targeting a global corporation in Asia.”
Nevertheless, a wider analysis of OceanLotus suggests that “Most of the samples caught in-the-wild seem to target Vietnamese speakers. Some of the samples exhibit clear evidence of targeting Vietnamese entities.”
As for the group itself, Operation Cobalt Kitty outlines attackers with “a remarkable ability to quickly adapt, introduce new tools and fine tune existing ones to bypass security solutions and avoid detection. The high number of payloads and the elaborate C2 infrastructure used in this attack can be indicative of the resources that the attackers had at their disposal. Simultaneously orchestrating multiple APT campaigns of such magnitude and sophistication takes time, financial resources and a large team who can support it.”
Cybereason closed a $25 million Series B funding round in May 2015, and quickly followed that with a $59 million Series C funding round in October 2015. Overall, the company has raised more than $88 million in funding.