OceanLotus, a nation-state hacker group, was found to be using web archive file formats (.MHT and .MHTML) to introduce backdoors into compromised systems.
Netskope Threat Labs is currently tracking a malicious attack that uses Web Page Archive files (“.mht” or “.mhtml”) to deliver infected documents and eventually deploy a backdoor that uses Glitch for C2 communication.
This attack is effective because Microsoft Word can open documents in “.mht” format even if they use the “.doc” extension.
The goal is to evade anti-virus tools that would otherwise prevent victims from opening malicious document files in Microsoft Office.
This group, also tracked as APT32 and SeaLotus, has a history of trying uncommon methods to deploy malware.
A report shared by Netskope Threat Labs points out that OceanLotus attacks using web archive files are still effective despite their narrow target range and the takedown of command and control (C2) servers.
From trusted RARs to Word macros
The attack starts with a RAR archive containing a large (35-65 MB) web archive file, which in turn contains a malicious Word document.
To bypass Microsoft Office protections, the attacker sets the ZoneID property in the file’s metadata to “2” so that it appears to have been downloaded from a trusted source.
When the web archive file is opened in Microsoft Word, the infected document prompts the victim to “enable content”, which executes a malicious VBA macro.
The macro performs the following tasks on the infected machine:
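The two tricks just described (an .mht served under a .doc extension, and a Mark-of-the-Web zone set low enough that Protected View never fires) can both be checked before a file reaches Word. The following is an added defender-side example, not code from the Netskope report; the sample file header and Zone.Identifier text are constructed, and the helper names are my own.

```python
import re
import sys
from pathlib import Path

# Header tokens that identify a Web Page Archive (MHTML) by content.
# Word opens a file by what it contains, not by its extension.
MHT_MARKERS = (b"mime-version:", b"content-type: multipart/related", b"content-location:")

# URLZONE values written to the Zone.Identifier stream by Mark-of-the-Web.
ZONES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample input: an .mht lure and an ADS claiming the Trusted zone.
SAMPLE_HEAD = (b"MIME-Version: 1.0\r\nContent-Type: multipart/related; "
               b"boundary=\"----=_NextPart_01\"\r\nContent-Location: file:///C:/x.htm\r\n")
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=2\r\n"

def looks_like_mht(head: bytes) -> bool:
    """True if the leading bytes carry MHTML/MIME headers."""
    window = head[:4096].lower()
    return any(marker in window for marker in MHT_MARKERS)

def zone_id_from_ads(ads_text: str):
    """Parse the ZoneId value from a Zone.Identifier alternate data stream body."""
    match = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", ads_text, re.MULTILINE | re.IGNORECASE)
    return int(match.group(1)) if match else None

def classify(file_name: str, head: bytes, ads_text) -> list:
    """Return a list of findings for one document: mismatched type, weak zone."""
    findings = []
    if Path(file_name).suffix.lower() in {".doc", ".dot"} and looks_like_mht(head):
        findings.append("extension/content mismatch: .doc that is really an MHT web archive")
    zone = zone_id_from_ads(ads_text) if ads_text is not None else None
    if zone is None:
        findings.append("no Mark-of-the-Web zone recorded")
    elif zone <= 2:
        # Protected View only triggers for Internet (3) and Restricted (4),
        # so a download stamped 0-2 opens without that barrier.
        findings.append(f"ZoneId={zone} ({ZONES[zone]}) - Protected View will not apply")
    return findings

def scan(path: Path) -> list:
    """Scan a real file; the Zone.Identifier stream exists only on NTFS/Windows."""
    head = path.read_bytes()[:4096]
    ads = None
    if sys.platform == "win32":
        try:
            ads = Path(str(path) + ":Zone.Identifier").read_text(errors="ignore")
        except OSError:
            ads = None
    return classify(path.name, head, ads)

if __name__ == "__main__":
    targets = [scan(Path(a)) for a in sys.argv[1:]] or [classify("lure.doc", SAMPLE_HEAD, SAMPLE_ADS)]
    print(targets)
```

On a non-Windows host the ADS is never read, so a file there is reported as having no zone recorded rather than a trusted one.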
- Copy the payload to “C:\guest.bmp”
- Create and display a decoy document, “Document.doc”
- Rename the payload from “guest.bmp” to “background.dll”
- Run the DLL by calling its “SaveProfile” or “OpenProfile” export function
- After the payload is executed, delete the original Word file and open the decoy document, which shows the victim a fake error
Backdoor uses Glitch hosting service
The payload is a 64-bit DLL that is executed every 10 minutes by a scheduled task masquerading as a WinRAR update check.
The backdoor is injected into the rundll32.exe process, which runs indefinitely in system memory to evade detection, Netskope noted in a technical report.
The malware collects network adapter information, the computer name and user name, enumerates system directories and files, and checks the list of running processes.
Once these basic data are collected, the backdoor combines them all into a single package, encrypts the contents, and then sends them to the C2 server.
This server is hosted at Glitch, a collaborative cloud hosting and web development service that is frequently abused for malicious purposes.
By using a legitimate cloud hosting service for C2 communication, the attackers further reduce the chance of detection even where network traffic monitoring tools are in place.
Glitch has removed the C2 URLs identified and reported by the Netskope researchers, but this is not expected to stop APT32 from creating new C2 URLs using other accounts.
For a complete list of indicators of compromise (IOCs) for this attack, check this GitHub repository.