Vietnam’s Top Hacking Group Uses Sloppy Code

Uploaded on 2019-07-16 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

Vietnam’s top hacking group’s use of remote access tools has remained largely undetected for years. This is despite their reliance on sloppy code and other hacking techniques that fall short of the group’s normally high standard, according to research published by BlackBerry Cylance.

The OceanLotus group, also known as APT32, has gained notoriety in recent years for using carefully crafted tools to breach companies with business interests in Vietnam, particularly in the manufacturing and hospitality sectors. 

The use of the newfound remote access Trojans (RATs), known as Ratsnif, is out of character for OceanLotus, a technically advanced group that projects power in cyberspace in support of Vietnamese interests. BlackBerry Cylance’s new analysis explains how state-aligned groups can select from a range of malware that varies in sophistication, only using what is necessary against a target organisation.

There is “sloppy code and programmatical errors and debug messages not typically present in OceanLotus malware,” said Tom Bonner, BlackBerry Cylance’s director of threat research for Europe, the Middle East, and Asia. The RAT developers used a “convoluted” and unnecessarily complex way of supplying the malware with the configuration file path.

“Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” BlackBerry Cylance said.

One possible explanation for the discrepancy between this malware and previous OceanLotus samples is that it didn’t develop the tools it’s using in this campaign, Bonner told reorters form CyberScoop. It is unclear what organisations OceanLotus deployed Ratsnif against, or if the activity resulted in successful breaches.

“The best theory we can come up with is that the group may not have had access to the source code to make the necessary modifications, which might be in-line with the tool being developed by another team,” Bonner said.

The RATs, which were pieced together from open-source code, still give the hackers a “veritable Swiss Army knife of network attack techniques,” BlackBerry Cylance said, including the ability to intercept network traffic, spoof domain name system data, and inject malicious code into HTTP headers.

Under development since 2016, three out of four of the Trojans are just being revealed now, perhaps due their limited use by OceanLotus. The evolution of the RATs shows how the hackers were able to get more out of them over time. For example, a 2018 variant of Ratnsif, which was first highlighted by cybersecurity company Macnica Networks in April, is capable of harvesting sensitive target information from networks, minimising the amount of data the attackers had to collect.

OceanLotus was active in February and March, according to research, targeting multinational automotive companies in an apparent bid to support the Vietnam’s auto industry. 

As one malware expert wrote at the time, “They keep coming up with different techniques and even reuse and readapt publicly available exploit code.”

Cyberscoop:    Backberry Cylance:

You Might Also Read:

Cyber Theft Interrupted: Vietnam Bank Foils SWIFT Attack:

 

 

« India & Japan In Cyber Security Pact
Croatian Government Targeted By Mystery Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

F5 Networks

F5 Networks

F5 products ensure that network applications are always secure and perform the way they should—anywhere, any time, and on any device.

Teneo

Teneo

Teneo is a Solutions Provider focused on reducing complexity. We combine leading technology with deep expertise to create new ideas on how to simplify IT operations.

Ground Labs

Ground Labs

Ground Labs is a security software company dedicated to making sensitive data discovery products that help organisations prevent sensitive data loss.

CYBER 1

CYBER 1

CYBER 1 provides cyber security solutions to customers wanting to be resilient against new and existing threats.

BTWorks

BTWorks

BTWorks provides identity management and anti-phishing / smishing solutions for web and mobile apps.

Endian

Endian

Endian’s mission is to provide a secure platform that connects distributed people and things, simplifying the digitalization of businesses.

Kingsley Napley

Kingsley Napley

Cyber crime is an area of growing legal complexity. Our team of cyber crime lawyers have vast experience of the law in this area.

Industrial Cybersecurity Center (CCI)

Industrial Cybersecurity Center (CCI)

CCI is the first center of its kind that comes from industry without subsidies, independent and non-profit, to promote and contribute to the improvement of Industrial Cybersecurity.

Privakey

Privakey

Transaction Intent Verification. Privakey delivers a secure channel to streamline high risk transactions, enabling digital trust between services and their users.

Bolster

Bolster

Bolster (formerly RedMarlin) is an AI-based cyber-security platform designed to detect phishing and fraudulent sites in real-time.

HighPoint

HighPoint

HighPoint is a leading technology infrastructure solutions provider offering consultancy, solutions and managed services for network infrastructure and cybersecurity.

eMazzanti Technologies

eMazzanti Technologies

eMazzanti Technologies provides IT consulting services for businesses ranging from home offices to multinational corporations throughout the USA and internationally.

Reflectiz

Reflectiz

Reflectiz empowers digital businesses to make all web applications safer by non-intrusively mitigating any website risks without a single line of code.

E2E Technologies

E2E Technologies

E2E Technologies are a proactive, SLA-beating, managed service provider that busts the common stereotypes surrounding IT.

CyberconIQ

CyberconIQ

CyberconIQ provide an integrated Human Defense Platform that reduces the probability and/or the cost of a cybersecurity breach by measurably improving our clients risk posture and compliance culture.

Armolon

Armolon

Armolon provides comprehensive data breach and cybersecurity, as well cybersecurity audits and certifications, and disaster recovery/business continuity services to clients.