Analysis of APT32's attack activities against China's key units

Event background

In May 2022, NSFOCUS Fuying Laboratory and the Meihua K Team of the NSFOCUS Operational Capability Center jointly discovered an abnormal external IP at a key national unit. Analysis of the attack traffic captured during the incident confirmed that the attack was initiated by the overseas APT group APT32.

NSFOCUS Fuying Laboratory and the Meihua K Team used host behavior monitoring to track the attacker's activity throughout the intrusion cycle and blocked it. During monitoring, the attacker's activity was observed to continue until mid-to-late July, about two months in total. The attacker launched targeted APT attacks against researchers in charge of key subjects at the unit, aiming to steal confidential information and important documents. Had the theft succeeded, it would have caused serious losses.

Traffic analysis further found that a core manufacturing company in China had also been attacked by the group and that the intrusion there was still active. After handling, the group's attack activity was successfully blocked.

Scope of impact

In this incident, APT32 chose the RemyRAT remote-control Trojan as its backdoor and implanted it in the key national unit. Analysis shows the Trojan has the following TTPs:

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1070.004 | File deletion | Deletes files from the file system |
| Enterprise | T1095 | Custom TCP-based C&C communication protocol | Uses a private protocol over TCP to interact with the C&C server |
| Enterprise | T1012 | Query registry | Queries registry information |
| Enterprise | T1082 | System information discovery | Obtains the computer name |
| Enterprise | T1033 | System account query | Obtains the computer's user name |
| Enterprise | T1543 | Process creation | Executes newly delivered malicious programs |
| Enterprise | T1046 | Network service discovery | Network scanning to find open ports and running services |

Table: Techniques and tactics used by OceanLotus RemyRAT

From the TTPs implemented by RemyRAT, we conclude that the attacker may have had the following intentions:

The attacker could deliver further malicious programs to the victim host. In this incident the victim was a researcher at a key national unit, and APT32 may have deliberately delivered information-stealing programs to obtain key research materials and technical achievements, which would cause irreparable strategic losses.

Further analysis found that a core manufacturing company was also attacked. The attackers may have stolen production materials, design drawings and other confidential information related to industrial production, leaking core technology of China's manufacturing industry.

Attackers can initiate network scans from compromised hosts to map the network environment and asset distribution.

Using the discovered network topology, attackers can deliver vulnerability-probing programs to compromise more intranet devices.

Introduction to APT32 Organization

APT32, also known as OceanLotus, SeaLotus, Cobalt Kitty and APT-C-00, is an attack group active in Vietnam. The group was first discovered in 2015 and has been active since 2017. It is generally believed that its main targets are government and enterprise personnel in Vietnam and neighboring countries, with the primary aim of stealing government and commercial intelligence. China is one of the group's main target countries.

All indications are that OceanLotus is an efficient group with a multi-person division of labor. It constantly updates and improves its attack chain and develops new attack methods and tools. The ATT&CK matrix currently records more than 10 attack tools and more than 50 attack techniques used by OceanLotus.

After breaching the perimeter and establishing a foothold in the intranet, OceanLotus has used Cobalt Strike to move laterally, scanning the intranet for vulnerabilities and configuration problems and using the results to take control of further hosts. Ultimately, materials including business secrets, confidential conversation logs and schedules are stolen, seriously threatening the network security of manufacturing, media, banking, hospitality and infrastructure organizations.

For backdoor implantation, OceanLotus has mature, self-developed backdoors such as DenisRAT, RemyRAT and SplinterRAT. These backdoors are fully featured, and once implanted the attackers can take full control of the compromised host.

RemyRAT was the backdoor discovered in this critical incident. As a proprietary tool of OceanLotus, it has repeatedly been used as the implanted backdoor, providing functions such as download-and-execute, file operations and port scanning.

Attack attribution

Using traffic reconstruction, we observed the interaction between the victim IP and the C&C server and found single-byte transmissions, a matching communication protocol, fixed-length heartbeats and consistent online (check-in) interaction. By comparison with known samples, this traffic was characterized as generated by the OceanLotus remote-control tool RemyRAT.

Attribution basis: handshake interaction

The controlled end sends the byte 02 and the control end responds with the byte 03. This handshake is exactly the same as RemyRAT's.

Figure: RemyRAT and C&C handshake process

Attribution basis: protocol composition

Given that the interactive traffic has the single-byte interaction feature, we also observed that its online information is composed in the following format:

Figure: RemyRAT online information structure in the emergency incident

Figure: RemyRAT online information structure from Fuying Lab's OceanLotus replay

From the two figures above, the traffic characteristics are identical, namely:

stream_size (4 bytes) + decompressed_data_size (4 bytes) + compressed_data_size (4 bytes) + compressed_data (length given by compressed_data_size)

Attribution basis: fixed heartbeat

There is a heartbeat of fixed length and content between the victim and the C&C server: 8 bytes, all 00.

Figure: RemyRAT sends a constant heartbeat

Attribution basis: online interaction

The victim first sends a 4-byte length representing the length of the stream to follow; the next stream carries the online information.

Figure: RemyRAT interaction before going online

In summary, based on the consistency of the handshake interaction, protocol composition, fixed heartbeat and online interaction features, we judge this traffic to be generated by RemyRAT.
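The four attribution features above can be turned directly into session-level detection logic. The following is an added example written for this article, not code from NSFOCUS or from the post: it walks the ordered TCP segments of one session, checks for the 02/03 handshake, the 8-byte all-zero heartbeat, the 4-byte length prefix and the decompressed_data_size/compressed_data_size/compressed_data layout, and only flags the session when several features coincide. The sample session is constructed. Three details the article does not state are assumptions here: the size fields are little-endian unsigned 32-bit integers, the length prefix counts the bytes that follow it, and the payload is zlib-compressed (zlib is used only to cross-check decompressed_data_size; if decompression fails, the size fields alone decide).

```python
"""Session-level detection of the RemyRAT traffic features described above.

Added example, not code from the NSFOCUS post. Assumptions not stated in the
article: little-endian uint32 size fields, a length prefix that counts the bytes
following it, and zlib compression (used only as an optional cross-check).
"""
import struct
import zlib

HANDSHAKE_CLIENT = b"\x02"  # controlled end (victim) -> control end (C&C)
HANDSHAKE_SERVER = b"\x03"  # control end -> controlled end
HEARTBEAT = b"\x00" * 8     # fixed 8-byte heartbeat, content all 00


def build_online_stream(plaintext: bytes):
    """Constructed encoder used only to build the sample session below.
    Returns (length_prefix, stream) in the layout described in the article."""
    compressed = zlib.compress(plaintext)  # zlib is an assumption
    stream = struct.pack("<II", len(plaintext), len(compressed)) + compressed
    return struct.pack("<I", len(stream)), stream


def parse_online_stream(prefix: bytes, stream: bytes):
    """Validate length_prefix(4) + decompressed_size(4) + compressed_size(4) + data.
    Returns a dict of parsed sizes, or None when the layout does not match."""
    if len(prefix) != 4 or len(stream) < 8:
        return None
    (stream_size,) = struct.unpack("<I", prefix)
    decompressed_size, compressed_size = struct.unpack("<II", stream[:8])
    compressed = stream[8:]
    if stream_size != len(stream) or compressed_size != len(compressed):
        return None
    try:
        actual = len(zlib.decompress(compressed))
    except zlib.error:
        actual = None  # unknown compression: the size fields alone decide
    return {
        "stream_size": stream_size,
        "decompressed_size": decompressed_size,
        "compressed_size": compressed_size,
        "size_consistent": actual is None or actual == decompressed_size,
    }


def score_session(segments):
    """Walk ordered (direction, payload) TCP segments of one session and return
    the set of RemyRAT features seen. direction is 'c2s' (victim -> C&C) or 's2c'."""
    features = set()
    for i, (direction, payload) in enumerate(segments):
        nxt = segments[i + 1] if i + 1 < len(segments) else None
        if direction == "c2s" and payload == HANDSHAKE_CLIENT and nxt == ("s2c", HANDSHAKE_SERVER):
            features.add("handshake")
        elif payload == HEARTBEAT:
            features.add("heartbeat")
        elif direction == "c2s" and len(payload) == 4 and nxt is not None and nxt[0] == "c2s":
            parsed = parse_online_stream(payload, nxt[1])
            if parsed is not None:
                features.add("length_prefix")
                if parsed["size_consistent"]:
                    features.add("online_frame")
    return features


def is_remyrat_like(segments, required=("handshake", "heartbeat", "online_frame")):
    """Flag a session only when every required feature is present, so that a lone
    8-byte zero heartbeat (common in other protocols) does not alert by itself."""
    return all(f in score_session(segments) for f in required)


# Constructed sample session (not a real capture); the check-in text is made up.
SAMPLE_PREFIX, SAMPLE_STREAM = build_online_stream(b"HOST=WORKSTATION-01;USER=researcher")
SAMPLE_SESSION = [
    ("c2s", HANDSHAKE_CLIENT),
    ("s2c", HANDSHAKE_SERVER),
    ("c2s", SAMPLE_PREFIX),
    ("c2s", SAMPLE_STREAM),
    ("c2s", HEARTBEAT),
    ("s2c", HEARTBEAT),
]
BENIGN_SESSION = [  # constructed plain HTTP exchange for contrast
    ("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for name, session in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(name, sorted(score_session(session)), is_remyrat_like(session))
```

In practice the segment list would come from reassembled flows (for example exported from a packet capture), and the handshake check would be paired with the article's observation that the first exchange is a single byte in each direction; requiring the handshake, heartbeat and a well-formed online frame together keeps the rule from firing on any protocol that merely sends eight zero bytes.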

Summary and assessment

APT32 (OceanLotus), a top-tier state-backed hacker group, has frequently attacked targets across Southeast Asia since 2019, and its subsequent attacks on China have expanded to almost all important institutions, including government departments, research institutes, domestic universities, maritime agencies, sea-area construction, shipping companies and financial investment institutions. Research and analysis show that OceanLotus has many attack methods and complex attack chains, but the core attack techniques and the final Trojan payloads it uses are relatively fixed. The group also actively tries popular vulnerabilities and attack techniques, but most of these never reach scale, and only the most stable and a small number of attack chains have achieved persistence.

Therefore, spear-phishing, social engineering and watering-hole attacks remain OceanLotus's most mature and effective initial intrusion methods. In several emergency incidents at key units and core manufacturing companies in 2022, NSFOCUS found that the group's targets have gradually shifted toward scientific research institutions, vehicle manufacturing and many high-tech enterprises, and that its intent has risen from foothold and monitoring to acquisition of core technology. For some time to come, research institutions and enterprises holding independent technology may therefore remain its targets, and precautions should be strengthened to avoid irreparable strategic losses.



Origin blog.csdn.net/web22050702/article/details/131968451