APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises

Jan. 9, 2025, 9:38 a.m.

Description

APT32 (OceanLotus) has launched a sophisticated attack targeting Chinese cybersecurity professionals and specific large enterprises. The group released a Cobalt Strike exploit plugin with a Trojan on GitHub, embedding a malicious .suo file into a Visual Studio project. When compiled, the Trojan executes automatically. The attack, occurring between mid-September and early October 2024, used GitHub poisoning as the primary vector. The attackers disguised themselves as a security researcher from a leading Chinese FinTech company, publishing malicious projects with Chinese descriptions. The technique involved calling the .suo file, which executes once and then self-deletes, making detection challenging. The malware uses dll hollowing and communicates via the Notion API to evade detection.

External References

https://threatbook.io/blog/id/1100
https://otx.alienvault.com/pulse/677f8f51560c6b5abcb3a87c
Tags
cobalt strike
dll hollowing
2025-01-09
oceanlotus
notion api

Date

  • Created: Jan. 9, 2025, 8:56 a.m.
  • Published: Jan. 9, 2025, 8:56 a.m.
  • Modified: Jan. 9, 2025, 9:38 a.m.

Attack Patterns

  • Cobalt Strike - S0154
  • APT32
  • T1588.001
  • T1583.001
  • T1055.001
  • T1102.002
  • T1553.002
  • T1547.001
  • T1204.002
  • T1573
  • T1218
  • T1566.001
  • T1055
  • T1036
  • T1140
  • T1027
  • T1566
  • T1190
  • T1059

Additional Informations

  • Technology
  • China