OceanLotus Hackers Use Web Archive Files to Install Backdoors

The OceanLotus gang of state-sponsored hackers is now deploying backdoors to hacked computers via the web archive file format (.MHT and .MHTML). The objective is to avoid being detected by antivirus software, which is more likely to detect widely exploited document types and prevent the victim from opening them in Microsoft Office.

The hackers, also known as APT32 and SeaLotus, have a history of experimenting with less typical malware distribution tactics. Even though the command-and-control (C2) server was disabled, OceanLotus’ campaign employing web archive files is still operating, according to a study from Netskope Threat Labs.

The attack chain begins with a RAR-compressed large web archive file containing a malicious Word document that is 35-65MB in size. To get past Microsoft Office’s security checks, the actors set the ZoneID property in the file’s metadata to “2,” making the file look as though it came from a trusted source.
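A defender can triage for the ZoneID trick described above. The following is an added example, not code from the article or from Netskope: it parses the text of a file's Zone.Identifier stream (where Windows records the zone) and flags web archive files marked as zone 2. The function names, verdict labels and sample records are constructed for illustration, and using the 35-65MB band as a severity bump is an assumption.

```python
from pathlib import PureWindowsPath

MB = 1024 * 1024
WEB_ARCHIVE_EXTS = {".mht", ".mhtml"}
TRUSTED_SITES = 2  # value the article says the actors set; downloads normally get 3 (Internet)

def parse_zone_id(stream_text):
    """Return the integer ZoneId from Zone.Identifier stream text, or None."""
    section = None
    for raw in (stream_text or "").lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None  # malformed value: treat as unreadable
    return None

def read_motw(path):
    """Read the Zone.Identifier alternate data stream (NTFS on Windows only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, or not an NTFS volume

def triage(name, size_bytes, stream_text):
    """Classify one file: 'ignore', 'no-motw', 'other-zone', 'alert' or 'alert-high'."""
    if PureWindowsPath(name).suffix.lower() not in WEB_ARCHIVE_EXTS:
        return "ignore"
    zone = parse_zone_id(stream_text)
    if zone is None:
        return "no-motw"
    if zone != TRUSTED_SITES:
        return "other-zone"
    # Size band from the article (35-65 MB); used here only to raise severity (assumption).
    return "alert-high" if 35 * MB <= size_bytes <= 65 * MB else "alert"

# Constructed sample records: (file name, size in bytes, Zone.Identifier text)
SAMPLES = [
    (r"C:\Users\a\Downloads\report.mht", 48 * MB, "[ZoneTransfer]\r\nZoneId=2\r\n"),
    (r"C:\Users\a\Downloads\saved_page.mhtml", 2 * MB, "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/\r\n"),
    (r"C:\Users\a\Downloads\notes.MHT", 1 * MB, None),
    (r"C:\Users\a\Downloads\invoice.docx", 40 * MB, "[ZoneTransfer]\r\nZoneId=2\r\n"),
]

if __name__ == "__main__":
    for name, size, motw in SAMPLES:
        print(f"{triage(name, size, motw):11} {name}")
```

On a live Windows host, pass `read_motw(path)` as the third argument to `triage` instead of the constructed stream text.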

When the victim opens the web archive file in Microsoft Word, the infected document prompts them to “Enable Content,” allowing malicious VBA macro code to be executed. Following the execution of the payload, the VBA code deletes the actual Word file and opens the decoy document, which displays a false error to the victim.

The payload is a 64-bit DLL that runs every 10 minutes via a scheduled task that masquerades as a WinRAR update check. According to Netskope’s technical report, the backdoor is injected into the rundll32.exe process, which runs endlessly in system memory to avoid detection.

The malware gathers information about network adapters, machine names, and usernames, enumerates system folders and files, and checks the list of current processes. Once this basic data has been acquired, the backdoor combines everything into a single package and encrypts it before sending it to the C2 server.

This server is hosted on Glitch, a cloud hosting and online development collaboration service that is regularly misused for malicious purposes. By using a reputable cloud hosting provider for C2 communication, the actors reduce their chances of being caught even when network traffic monitoring is in place.

Although Glitch has taken down the C2 URLs detected and reported by Netskope researchers, APT32 is likely to create new ones using different identities. This GitHub repository contains a detailed list of the indicators of compromise from this campaign.

About the author

CIM Team
