Today > 1 Critical | 3 High | 6 Medium vulnerabilities   -   You can now download lists of IOCs here!

Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader

Sept. 24, 2024, 3:08 p.m.

Description

The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in their 2024 campaigns: a double loader and a VMP-protected version. The double loader consists of two modules: an MSVC DLL for initial information gathering and a GoLang DLL for payload execution. The VMP loader is a protected version of the double loader, using VMProtect 3.XX x64 to enhance its resistance to analysis. Both loaders ultimately deploy CobaltStrike Beacon modules with different C2 servers. The report highlights the group's use of various programming languages and false flag operations to complicate attribution.

Date

Published: Sept. 24, 2024, 2:46 p.m.

Created: Sept. 24, 2024, 2:46 p.m.

Modified: Sept. 24, 2024, 3:08 p.m.

Indicators

64.176.58.16

Attack Patterns

Cobalt Strike

APT-C-00 (OceanLotus)

T1059.006

T1027.002

T1547.001

T1012

T1113

T1204.002

T1016

T1082

T1057

T1105

T1083

T1055

T1140

T1033

T1027