New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

Nov. 6, 2024, 11:36 a.m.

Description

The New OceanLotus group has reactivated after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack utilizes a legitimate Microsoft installation package, exploiting the MST file to execute malicious code. The group has evolved its methods, shellcode-izing their RUST Trojan for improved memory countermeasures. The campaign's execution chain involves spear-phishing emails and employs DLL side-loading techniques. This new approach demonstrates the group's continued sophistication and adaptability in their cyber espionage activities.

External References

https://ti.qianxin.com/blog/articles/new%20-trend-in-msi-file-abuse-new-oceanlotus-group-first-to-use-mst-files-to-deliver-special-trojan-en/
https://otx.alienvault.com/pulse/672b518330e48c1508a616c7
Tags
shellcode
dll side-loading
spear-phishing
2024-11-06
rust trojan
governmental targets
tromas
mst files
apt-q-31
msi abuse

Date

  • Created: Nov. 6, 2024, 11:22 a.m.
  • Published: Nov. 6, 2024, 11:22 a.m.
  • Modified: Nov. 6, 2024, 11:36 a.m.

Attack Patterns

  • Tromas
  • OceanLotus
  • T1574.002
  • T1218.007
  • T1059.001
  • T1204.002
  • T1055
  • T1036
  • T1027

Additional Informations

  • Government