OceanLotus, the APT group also known as APT32, SeaLotus, and CobaltKitty, uses a suite of remote access trojans dubbed "Ratsnif" that gives the group new network attack capabilities.
OceanLotus is believed to be a Vietnam-linked, state-sponsored group that specializes in cyber espionage. It has been active since at least 2013 and mainly targets foreign corporations with interests in Vietnam's manufacturing, consumer products, and hospitality sectors. The group typically combines its own custom malware with commercially available tools such as Cobalt Strike.
Researchers at the BlackBerry Cylance Threat Research Team detected and analyzed four samples of the Ratsnif RAT family, which show its evolution from a debug build into a working trojan with packet sniffing, ARP poisoning, DNS and MAC spoofing, HTTP redirection and injection, SSL hijacking, and remote shell access.
Three of the four analyzed samples date back to 2016, while the latest was compiled in the second half of 2018. Two of the three 2016 samples appear to be development and test builds, but the third, created September 13, 2016, was "one of the earlier Ratsnifs to be deployed by OceanLotus in-the-wild." This variant lacked much of the 2018 strain's functionality, but it could set up a remote shell and perform ARP poisoning (to route the victim's traffic through the Ratsnif host), DNS spoofing, and HTTP redirection.
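ARP poisoning is the step that puts the Ratsnif host in the victim's traffic path: the tool sends unsolicited ARP replies claiming the gateway's IP with its own MAC, so the victim's ARP cache sends traffic to the attacker. The Python below is an added example, not Ratsnif's code or anything from the Cylance report. It builds raw Ethernet/ARP reply frames for a made-up LAN (every address is an assumption) and replays them through a small monitor that flags an IP whose MAC binding changes, which is how the poisoning shows up on a span port or in a packet capture.

```python
"""Added example (not Ratsnif code): constructed ARP reply frames for a made-up
LAN, plus a monitor that flags the binding change an ARP-poisoning tool causes."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet/ARP reply. A poisoner sends unsolicited replies claiming the
    gateway's IP with its own MAC, so the victim's cache routes traffic to it."""
    eth = ETH_HDR.pack(mac(target_mac), mac(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an IPv4-over-Ethernet ARP frame,
    or None for anything else (truncated frames, other EtherTypes)."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), ".".join(str(b) for b in spa)


class ArpMonitor:
    """Learn IP -> MAC bindings from ARP replies and alert when a known IP is
    suddenly claimed by a different MAC. The first binding seen is trusted, so
    the monitor must be running before the attacker starts spoofing."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip = parsed
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac
            return None
        if known != sender_mac:
            alert = f"ARP poisoning suspected: {sender_ip} was {known}, now claimed by {sender_mac}"
            self.alerts.append(alert)   # keep the original binding so repeated spoofs keep alerting
            return alert
        return None


def demo() -> List[str]:
    """Replay a constructed sequence: legitimate replies, then a bidirectional
    poison of gateway and victim. All addresses are invented for the example."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim_ip, victim_mac = "192.168.1.20", "66:77:88:99:aa:bb"
    attacker_mac = "de:ad:be:ef:00:01"   # the host running the poisoner
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),    # legitimate
        build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip),    # legitimate
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),   # poison victim's cache
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),  # poison gateway's cache
        ETH_HDR.pack(mac(victim_mac), mac(gateway_mac), 0x0800) + b"\x45" + b"\x00" * 27,  # IPv4, ignored
    ]
    monitor = ArpMonitor()
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The monitor trusts the first binding it sees for each IP, which is the usual weakness of this kind of passive detection: if the sniffer is started after the poisoning began, the attacker's MAC is what gets learned. In practice the learned table is seeded from DHCP leases or a static inventory rather than from the first reply on the wire.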
Upon execution, Ratsnif creates a mutex named "onceinstance" to ensure only one copy runs, initializes Winsock version 2.2, and harvests system information such as the username, computer name, workstation configuration (via the NetWkstaGetInfo API), the Windows system directory, and network adapter details. The gathered data is then sent to the attacker's C2 server over HTTP. The fixed mutex name is a simple host-based indicator for this family.
All observed Ratsnif samples are hardcoded with one or more C2 domains, although only one of them appears ever to have been active.
Unlike the 2016 variants, the 2018 strain does not rely on a C2 server to operate. It is also the first version to use a configuration file, and it adds new capabilities such as HTTP injection, protocol parsing, and SSL hijacking.
The 2018 variant employs multiple protocol-specific sniffers to harvest sensitive information from packets, which minimizes the amount of data the attacker has to collect, exfiltrate, and process. The choice of sniffers also gives a clue as to what kind of information the attacker is interested in.
“Ratsnif is an intriguing discovery considering the length of time it has remained undetected, likely due to limited deployment. It offers a rare glimpse of over two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes. While all samples borrow heavily from open-source code/snippets, overall development quality is deemed to be poor. Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” concluded the researchers.