Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader

Sept. 24, 2024, 3:08 p.m.

Description

The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in their 2024 campaigns: a double loader and a VMP-protected version. The double loader consists of two modules: an MSVC DLL for initial information gathering and a GoLang DLL for payload execution. The VMP loader is a protected version of the double loader, using VMProtect 3.XX x64 to enhance its resistance to analysis. Both loaders ultimately deploy CobaltStrike Beacon modules with different C2 servers. The report highlights the group's use of various programming languages and false flag operations to complicate attribution.

External References

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247500701&idx=1&sn=7f4644119574e433a29d215a70658f6b&chksm=f9c1f094ceb67982f950b7569be3d9f5ff176d741f1bef4ea2e4fc412305a4dd04bdc7b869fb&scene=178&cur_album_id=1955835290309230595#rd
https://otx.alienvault.com/pulse/66f2d0c33887a83dd1a896ab
Tags
cobaltstrike
2024-09-24

Date

  • Created: Sept. 24, 2024, 2:46 p.m.
  • Published: Sept. 24, 2024, 2:46 p.m.
  • Modified: Sept. 24, 2024, 3:08 p.m.

Indicators

  • 64.176.58.16
Download all indicators here!

Attack Patterns

  • Cobalt Strike
  • APT-C-00 (OceanLotus)