New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

Tags

External References

• https://ti.qianxin.com/
• https://otx.alienvault.com/

Description

The New OceanLotus group has reactivated after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack utilizes a legitimate Microsoft installation package, exploiting the MST file to execute malicious code. The group has evolved its methods, shellcode-izing their RUST Trojan for improved memory countermeasures. The campaign's execution chain involves spear-phishing emails and employs DLL side-loading techniques. This new approach demonstrates the group's continued sophistication and adaptability in their cyber espionage activities.

Date