Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader

Sept. 24, 2024, 3:08 p.m.

Description

The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in their 2024 campaigns: a double loader and a VMP-protected version. The double loader consists of two modules: an MSVC DLL for initial information gathering and a GoLang DLL for payload execution. The VMP loader is a protected version of the double loader, using VMProtect 3.XX x64 to enhance its resistance to analysis. Both loaders ultimately deploy CobaltStrike Beacon modules with different C2 servers. The report highlights the group's use of various programming languages and false flag operations to complicate attribution.

Date

Published: Sept. 24, 2024, 2:46 p.m.
Created: Sept. 24, 2024, 2:46 p.m.
Modified: Sept. 24, 2024, 3:08 p.m.

Attack Patterns

Cobalt Strike

APT-C-00 (OceanLotus)

T1059.006

T1027.002

T1547.001

T1012

T1113

T1204.002

T1016

T1082

T1057

T1105

T1083

T1055

T1140

T1033

T1027