2 July 2019

OceanLotus APT leverages previously undetected Ratsnif trojan for network attacks

The OceanLotus APT group, also known as APT32, SeaLotus, and CobaltKitty, has been using a suite of remote access trojans dubbed "Ratsnif" that gives it new network attack capabilities.

OceanLotus APT is believed to be a Vietnam-linked state-sponsored group that specializes in cyber espionage operations. The group has been active since at least 2013 and mainly targets foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The hackers typically combine unique malware with commercially available tools such as Cobalt Strike.

Researchers at the BlackBerry Cylance Threat Research team detected and analyzed four samples of the Ratsnif RAT family, tracing its evolution from a debug build to a fully working trojan with a slew of capabilities, including packet sniffing, ARP poisoning, DNS and MAC spoofing, HTTP redirection and injection, SSL hijacking, and remote shell access.

Three of the four analyzed versions date back to 2016, while the latest was compiled in the second half of 2018. Two of the three 2016 samples appear to be development and testing builds, but the third, created on September 13, 2016, was “one of the earlier Ratsnifs to be deployed by OceanLotus in-the-wild.” This variant lacked the functionality of the 2018 strain, but it could set up a remote shell and perform ARP poisoning (to route victims' traffic through the Ratsnif host), DNS spoofing, and HTTP redirection.
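The ARP poisoning step above works by sending forged ARP replies so that the victim's cache maps the gateway's IP to the attacker's MAC (and the gateway's cache maps the victim's IP to the same MAC), after which both directions of traffic pass through the infected host. The following is an added example of the network-side check a defender would want for that; it is not code from the Cylance report or from Ratsnif itself. It parses raw Ethernet II/ARP frames, tracks which MAC each IPv4 address claims, and flags a binding that changes and a single MAC that answers for more than one IP. All MAC and IP addresses, and the sample capture, are constructed for the example.

```python
"""ARP-poisoning detector for the gateway-impersonation technique described above.

Added example; not code from the Cylance report or from Ratsnif.
All addresses and the sample capture below are constructed.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(oper, sha, spa, tha, tpa):
    """Construct an Ethernet II frame carrying an Ethernet/IPv4 ARP packet (test input only)."""
    eth = mac_bytes(tha) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, oper)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    return (oper, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpPoisonDetector:
    def __init__(self):
        self.ip_to_mac = {}                 # last MAC seen claiming each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        oper, sha, spa, _tha, _tpa = parsed
        # Only replies poison caches; ARP probes (sender IP 0.0.0.0) are benign.
        if oper != ARP_REPLY or spa == "0.0.0.0":
            return
        prev = self.ip_to_mac.get(spa)
        if prev is not None and prev != sha:
            self.alerts.append(f"binding change: {spa} was {prev}, now claimed by {sha}")
        self.ip_to_mac[spa] = sha
        if spa not in self.mac_to_ips[sha]:
            self.mac_to_ips[sha].add(spa)
            if len(self.mac_to_ips[sha]) > 1:
                self.alerts.append(
                    f"multiple IPs: {sha} claims {sorted(self.mac_to_ips[sha])}")


def detect(frames):
    det = ArpPoisonDetector()
    for frame in frames:
        det.feed(frame)
    return det.alerts


# Hypothetical addresses for the constructed capture.
GW_IP, GW_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"  # the infected host


def sample_traffic():
    """Two legitimate replies, then the attacker claiming the gateway's IP to the
    victim and the victim's IP to the gateway, then two frames to be ignored."""
    return [
        build_frame(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
        build_frame(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),
        build_frame(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
        build_frame(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP),
        build_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "ff:ff:ff:ff:ff:ff", GW_IP),
        mac_bytes(GW_MAC) + mac_bytes(VICTIM_MAC) + struct.pack("!H", ETH_P_IP) + bytes(28),
    ]


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

Two caveats when running this against real traffic: the poisoned replies are unicast to the victim and to the gateway, so the sensor has to sit on a mirror/SPAN port or on the hosts themselves to see them; and a binding change is also what a DHCP reassignment, NIC replacement or HA gateway failover looks like, so the first alert type needs an allow-list or a time window before it pages anyone. The second symptom, one MAC claiming both the gateway and a client address, is the stronger indicator of the redirection described in the article.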

Upon execution, Ratsnif creates a run-once mutex named "onceinstance", initialises Winsock version 2.2, and harvests system information such as the username, computer name, workstation configuration (via the NetWkstaGetInfo API), the Windows system directory and network adapter information. The gathered data is then sent to the attacker's C2 server over HTTP.

All observed Ratsnif samples have one or more C2 domains hardcoded, although only one of those domains appears to have ever been active.

Unlike the 2016 variants, the latest strain does not rely on a C2 server for operation. It is also the first version to introduce a configuration file, along with new capabilities such as HTTP injection, protocol parsing, and SSL hijacking.

The 2018 variant employs multiple sniffers to harvest sensitive information from packets, which also minimizes the amount of data the attacker has to collect, exfiltrate and process. The choice of sniffers also gives a clue as to what kind of information the attacker is after.

“Ratsnif is an intriguing discovery considering the length of time it has remained undetected, likely due to limited deployment. It offers a rare glimpse of over two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes. While all samples borrow heavily from open-source code/snippets, overall development quality is deemed to be poor. Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” concluded the researchers.
