Vietnam’s Top Hacking Group Uses Sloppy Code

Vietnam’s top hacking group’s use of remote access tools has remained largely undetected for years. This is despite their reliance on sloppy code and other hacking techniques that fall short of the group’s normally high standard, according to research published by BlackBerry Cylance.

The OceanLotus group, also known as APT32, has gained notoriety in recent years for using carefully crafted tools to breach companies with business interests in Vietnam, particularly in the manufacturing and hospitality sectors. 

The use of the newfound remote access Trojans (RATs), known as Ratsnif, is out of character for OceanLotus, a technically advanced group that projects power in cyberspace in support of Vietnamese interests. BlackBerry Cylance’s new analysis explains how state-aligned groups can select from a range of malware that varies in sophistication, only using what is necessary against a target organisation.

There is “sloppy code and programmatical errors and debug messages not typically present in OceanLotus malware,” said Tom Bonner, BlackBerry Cylance’s director of threat research for Europe, the Middle East, and Asia. The RAT developers used a “convoluted” and unnecessarily complex way of supplying the malware with the configuration file path.

“Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” BlackBerry Cylance said.

One possible explanation for the discrepancy between this malware and previous OceanLotus samples is that the group did not develop the tools it is using in this campaign, Bonner told reporters from CyberScoop. It is unclear which organisations OceanLotus deployed Ratsnif against, or whether the activity resulted in successful breaches.

“The best theory we can come up with is that the group may not have had access to the source code to make the necessary modifications, which might be in-line with the tool being developed by another team,” Bonner said.

The RATs, which were pieced together from open-source code, still give the hackers a “veritable Swiss Army knife of network attack techniques,” BlackBerry Cylance said, including the ability to intercept network traffic, spoof domain name system data, and inject malicious code into HTTP headers.

Under development since 2016, three of the four Trojans are only being revealed now, perhaps due to their limited use by OceanLotus. The evolution of the RATs shows how the hackers were able to get more out of them over time. For example, a 2018 variant of Ratsnif, which was first highlighted by cybersecurity company Macnica Networks in April, is capable of harvesting sensitive target information from networks, minimising the amount of data the attackers had to collect.

OceanLotus was active in February and March, according to research, targeting multinational automotive companies in an apparent bid to support Vietnam’s auto industry.

As one malware expert wrote at the time, “They keep coming up with different techniques and even reuse and readapt publicly available exploit code.”

Sources: CyberScoop; BlackBerry Cylance
