
New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

Nov. 6, 2024, 11:36 a.m.

Description

The New OceanLotus group has resumed activity after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack uses a legitimate Microsoft installation package and abuses an MST file to execute malicious code. The group has also evolved its methods, converting its Rust Trojan into shellcode for improved memory countermeasures. The campaign's execution chain involves spear-phishing emails and DLL side-loading. This new approach demonstrates the group's continued sophistication and adaptability in its cyber espionage activities.

Date

Published: Nov. 6, 2024, 11:22 a.m.

Created: Nov. 6, 2024, 11:22 a.m.

Modified: Nov. 6, 2024, 11:36 a.m.

Attack Patterns

Tromas

OceanLotus

T1574.002

T1218.007

T1059.001

T1204.002

T1055

T1036

T1027

Additional Information

Government