Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

“OceanLotus” Spies Use New Backdoor in Recent Attacks

OceanLotus, a cyber-espionage group believed to be operating out of Vietnam, has been using a new backdoor in recently observed attacks, but also using previously established tactics, ESET reveals.

OceanLotus, a cyber-espionage group believed to be operating out of Vietnam, has been using a new backdoor in recently observed attacks, but also using previously established tactics, ESET reveals.

Also known as APT32 and APT-C-00, the advanced persistent threat (APT) has been targeting high-profile corporate and government organizations in Southeast Asia, particularly in Vietnam, the Philippines, Laos, and Cambodia. The group is well-resourced and determined and is known to be using custom-built malware in combination with techniques long known to be successful.

One of the latest malware families used by the group is a fully-fledged backdoor that provides operators with remote access to compromised machines, along with the ability to manipulate files, registries, and processes, as well as the option to load additional components if needed.

For distribution purposes, OceanLotus uses a two-stage attack that employs a dropper to gain initial foothold on the targeted system and prepare the stage for the backdoor, ESET explains in a new report (PDF).

Spear-phishing emails are used to lure victims into opening an attachment that uses a fake icon to load password-protected decoy document while the malicious dropper is executed in the background.

Fake installers posing as updates for popular applications are also used, as part of watering hole attacks, where websites that the victims are likely to visit are compromised.

The dropper package includes components executed in a number of stages involving heavy code obfuscation to prevent detection. The malware authors also included garbage code in the dropper, for similar purposes.

To achieve persistence, the dropper creates a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges. Code designed to delete the lure document is also dropped onto the system.

A digitally-signed Symantec executable (rastlsc.exe) is also dropped, along with a malicious Dynamic Link Library (DLL) named rastls.dll (detected as Win32/Salgorea.BD). The signed executable loads the malicious DLL, which makes the malicious behavior look legitimate, a technique (called DLL side-loading) that has been abused before.

The backdoor supports over 23 commands to: fingerprint the system; read a file or registry key; create a process; create a file, a registry entry or a stream in memory; write to or query the registry; search for files on the system; move files to directories or delete them from disk; list the drives mapped to the system; create or delete directories; call the PE Loader; drop and execute a program; run shellcode in a new thread, and more.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address. The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” ESET concludes.

Related: Vietnamese Spies Rival Notorious Russian Group in Sophistication

Related: How APT32 Hacked a Global Asian Firm With Persistence

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.