
Research Ocean Lotus #3

Open
plugxor opened this issue Feb 6, 2021 · 4 comments

Comments

plugxor (Collaborator) commented Feb 6, 2021

Research Ocean Lotus for the emulation plan

Each member researches the Ocean Lotus group over this next week (09FEB-13FEB). Add comments and links to your favorite reports on this issue when they meet the following criteria:

  • Interesting, unique, group-specific techniques leveraged
  • Quality vendor reputation
  • If attributed, a description of how attribution was made
  • Clear analysis of malware and how it's used in the environment
  • Operating systems targeted
  • Automated vs. manually entered commands

cat-alyst (Collaborator) commented

Goal:

  • Next meeting (13Feb21) be able to contribute to build a scenario based off research

Stretch Goal:

  • What company to emulate
  • Ocean Lotus infrastructure domain list
  • Infrastructure systems we need in the environment

cat-alyst (Collaborator) commented Feb 6, 2021

  • Initial infection, November 2020: https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
  • Steganography usage, April 2019: https://threatpost.com/oceanlotus-apt-uses-steganography-to-shroud-payloads/143373/
  • Windows; discusses how they change as IOCs are published, March 2019: https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
  • Awesome report with a list of tools, 2017: https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part2.pdf

Key Behaviors

  • Self extracting archives to run code using misleading icons or unicode
  • DLL side loading
  • Fake timestamps -> concerted effort
  • Targets English, Chinese, and Cambodian
  • Filenames randomly generated
  • In-memory operations
  • Automated clean up in decoy
  • Large number of payloads used

cat-alyst (Collaborator) commented

Goal

Discussion from the 13FEB21 meeting: build out the README, define scope, continue research, submit the public release for companies, and continue the scenario. Approved Cat's idea regarding a human rights activist company.

Stretch Goal

Still todo

  • Infrastructure systems we need in the environment

Decided to emulate a human rights organization, which is in alignment with the victimology of Ocean Lotus.
