OceanLotus: From external espionage to domestic targeting

What Happened

A cyber espionage group known as OceanLotus has been targeting individuals and organizations within Vietnam, including stock investors and a large construction company. The attackers compromised the update system of a popular stock trading app called FireAnt MetaKit to secretly install malicious software on users' computers. This allows the attackers to monitor the infected systems and potentially steal sensitive information. Organizations should ensure their software update mechanisms are secure and monitor for unusual network traffic or unauthorized programs running on their computers.

Key Takeaways

• OceanLotus (APT32) has shifted its operational focus toward domestic espionage in Vietnam, targeting stock investors and a construction corporation.
• A supply-chain attack compromised the FireAnt MetaKit stock investment platform's update server to deliver the SPECTRALVIPER backdoor.
• The attackers heavily utilized DLL side-loading, masquerading malicious loaders alongside renamed legitimate executables (e.g., IntelAudioService.exe, Genuine.exe).
• SPECTRALVIPER exfiltrates encrypted host profiling data via HTTP Cookie headers using prefixes like 'euconsent-v2=' or 'zd_cs_pm='.
• The SPECTRALVIPER backdoor features orchestration capabilities, utilizing named pipes for lateral movement and command distribution.

Affected Systems

• Windows
• FireAnt MetaKit
• Microsoft SQL Server

Attack Chain

The attack begins with initial access either through a compromised software supply chain (FireAnt MetaKit) or suspected exploitation of public-facing Microsoft SQL servers. In the supply-chain scenario, a malicious downloader is retrieved via an unencrypted, unvalidated update mechanism. This downloader fetches a next-stage payload, which initiates a DLL side-loading chain using renamed legitimate executables (e.g., IntelAudioService.exe) to load the SPECTRALVIPER loader (DtlCrashCatch.dll). The loader injects the SPECTRALVIPER backdoor into a legitimate process like OneDrive.Sync.Service.exe, establishing encrypted C2 communication via HTTPS and enabling lateral movement through named pipe orchestration.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but it does offer a comprehensive list of IOCs and behavioral indicators on the ESET GitHub repository.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions should have high visibility into process injection (e.g., into OneDrive.Sync.Service.exe), DLL side-loading events, and unusual child processes spawned by update mechanisms. Network Visibility: Medium — While C2 traffic is encrypted via HTTPS, network monitoring can detect beacons to known malicious domains or identify anomalous HTTP Cookie headers (euconsent-v2=, zd_cs_pm=) if SSL inspection is enabled. Detection Difficulty: Moderate — The use of legitimate, signed executables for DLL side-loading and process injection into common applications like OneDrive makes detection challenging without behavioral analytics.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• Image Loaded (Sysmon Event ID 7)
• Network Connection (Sysmon Event ID 3)
• Process Access (Sysmon Event ID 10)

Hunting Hypotheses

Control Gaps

• Lack of integrity validation in software update mechanisms
• Absence of SSL/TLS encryption for software updates

Key Behavioral Indicators

• Execution of renamed legitimate binaries with specific flags (-uiDll)
• Process injection into OneDrive.Sync.Service.exe
• Anomalous HTTP Cookie headers used for data exfiltration

False Positive Assessment

• Medium

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the identified C2 domains and IP addresses at the network perimeter.
• If applicable, search endpoint telemetry for the presence of the identified malicious file hashes and filenames (e.g., DtlCrashCatch.dll).

Infrastructure Hardening

• Evaluate whether software update mechanisms in use across the environment enforce strict integrity validation (e.g., digital signature verification) and utilize encrypted channels (HTTPS).
• Consider implementing application control or AppLocker to restrict the execution of unapproved binaries, mitigating the risk of DLL side-loading.

User Protection

• If your EDR supports it, ensure behavioral rules are enabled to detect process injection and anomalous child processes spawned by common applications.

Security Awareness

• Consider educating users, particularly those involved in financial or stock trading activities, about the risks of supply-chain attacks and the importance of verifying software sources.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1190 - Exploit Public-Facing Application
• T1059 - Command and Scripting Interpreter
• T1204 - User Execution
• T1574.002 - Hijack Execution Flow: DLL Side-Loading
• T1055 - Process Injection
• T1036 - Masquerading
• T1027 - Obfuscated Files or Information
• T1553.002 - Subvert Trust Controls: Code Signing
• T1082 - System Information Discovery
• T1570 - Lateral Tool Transfer
• T1021 - Remote Services
• T1071.001 - Application Layer Protocol: Web Protocols
• T1573 - Encrypted Channel
• T1105 - Ingress Tool Transfer
• T1041 - Exfiltration Over C2 Channel

Additional IOCs

• Ips:
  • 139[.]180[.]128[[.]]42 - SPECTRALVIPER C2 server.
  • 139[.]99[.]33[[.]]239 - SPECTRALVIPER C2 server.
  • 166[.]88[.]77[[.]]186 - SPECTRALVIPER C2 server.
  • 103[.]119[.]47[[.]]104 - SPECTRALVIPER C2 server.
  • 38[.]60[.]245[[.]]37 - SPECTRALVIPER C2 server.
  • 194[.]68[.]26[[.]]241 - SPECTRALVIPER C2 server.
• Domains:
  • coachcybersecurity[[.]]com - SPECTRALVIPER C2 server.
  • mxprodesign[[.]]com - SPECTRALVIPER C2 server.
  • power-sync-services[[.]]com - SPECTRALVIPER C2 server.
• Urls:
  • hxxp://metakit[.]fireant[.]vn/Software/version.xml - Compromised update configuration file lacking integrity validation.
  • hxxps://142[.]91[.]98[.]77/V1/Update/GetUpdate - API endpoint used by the downloader to request the next-stage payload.
  • hxxps://leadingfilipinoteams[.]com/yak/trains/evalue.html - SPECTRALVIPER beacon URL.
• File Hashes:
  • 511B77459673EC42163F19E300FF1D233B6C39FB (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 59A8553A4F8130F576AB234E0B220BE4D4DA0E98 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 9CA1A5C7F79882DB913534C1E62B26BCDCB9F6DD (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • A8E2BBBFCB86500322D2367744FA12755AB0C165 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • F74F1FEB62B662CDA489FDB2453727824E55ACB9 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • F8F8209987CA7F139DE6A62F9E6EE21BD2AE93A9 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 19A69F856EFA811C376F68E4FEB0997B4724F8BD (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 490194E9BB5128ECA8693AD9E610891C2ED185AF (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 51176139B0B2220B802C1578A4994DF68DF5BCD1 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 91F042F59BE4BDCB6E5EA21B91DECD731C175B54 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • A177ED0BFFEB1EFE1D9D31D72A82EF2625AE646D (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • B7B2D2DB544F9EEA74453CDF2B8BEEA58CF07C48 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 4AD36AD6C165B5174967020CB1A3358F78D7A283 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 57352B3CEEE32216E5AA20BAA848483D7AB5A6FB (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 9BC06DF9F932746A05EE728C8B103BD3BA6BF395 (sha1) - setup.exe - SPECTRALVIPER downloader delivered from FireAnt update server.
  • 865A1739337D3303B3AB02C5E694C22B79C42B7D (sha1) - system.config.xml - SPECTRALVIPER backdoor.
  • B0FEA981D02F6F76DE81EBAEFCB68B7D205D6194 (sha1) - NotificationConfig.json - SPECTRALVIPER backdoor.
  • 48FEBB91A10D1462461A012FAFC0918BB028E947 (sha1) - DtlCrashCatch.dll - SPECTRALVIPER backdoor.
  • 150764A71DEEF498DE6F8C95ECCCB4455C1B601F (sha1) - SetupUi.dll - SPECTRALVIPER backdoor.
• Command Lines:
  • Purpose: Execution of the masqueraded legitimate executable to trigger DLL side-loading of the SPECTRALVIPER loader. | Tools: IntelAudioService.exe | Stage: Execution / Persistence | IntelAudioService.exe /appmodel /StateRepository /Service
  • Purpose: Execution of a renamed legitimate executable (Toolbox.exe variant) to trigger DLL side-loading. | Tools: Genuine.exe | Stage: Execution / Persistence | Genuine.exe -uiDll
  • Purpose: Execution of a renamed legitimate executable (Toolbox.exe variant) to trigger DLL side-loading. | Tools: Updater.exe | Stage: Execution / Persistence | Updater.exe -uiDll
  • Purpose: Execution of a renamed legitimate executable (Toolbox.exe variant) to trigger DLL side-loading. | Tools: AutoCAD242.exe | Stage: Execution / Persistence | AutoCAD242.exe -uiDll