Vietnam’s Top Hacking Group Uses Sloppy Code

The remote access tools used by Vietnam’s top hacking group went largely undetected for years, despite relying on sloppy code and techniques that fall short of the group’s usual high standard, according to research published by BlackBerry Cylance.

The OceanLotus group, also known as APT32, has gained notoriety in recent years for using carefully crafted tools to breach companies with business interests in Vietnam, particularly in the manufacturing and hospitality sectors. 

The use of the newly documented remote access Trojans (RATs), known collectively as Ratsnif, is out of character for OceanLotus, a technically advanced group that projects power in cyberspace in support of Vietnamese interests. BlackBerry Cylance’s analysis illustrates how state-aligned groups can select from a range of malware of varying sophistication, deploying only what is necessary against a given target organisation.

There is “sloppy code and programmatical errors and debug messages not typically present in OceanLotus malware,” said Tom Bonner, BlackBerry Cylance’s director of threat research for Europe, the Middle East, and Asia. The RAT developers used a “convoluted” and unnecessarily complex way of supplying the malware with the configuration file path.

“Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” BlackBerry Cylance said.

One possible explanation for the discrepancy between this malware and previous OceanLotus samples is that the group did not develop the tools it used in this campaign, Bonner told reporters from CyberScoop. It is unclear which organisations OceanLotus deployed Ratsnif against, or whether the activity resulted in successful breaches.

“The best theory we can come up with is that the group may not have had access to the source code to make the necessary modifications, which might be in-line with the tool being developed by another team,” Bonner said.

The RATs, which were pieced together from open-source code, still give the hackers a “veritable Swiss Army knife of network attack techniques,” BlackBerry Cylance said, including the ability to intercept network traffic, spoof domain name system data, and inject malicious code into HTTP headers.
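The DNS spoofing capability described above leaves a recognisable trace on the wire: a forged reply must race the legitimate resolver’s reply, so a defender who captures DNS responses will see two answers for the same transaction ID and query name that disagree about the address. The following detector is an added example written for this article; it is not Ratsnif code and not part of the BlackBerry Cylance report. The packet builder, the resolver address 10.0.0.53, the query names and the IP addresses are all constructed sample data, and the comparison deliberately keys on transaction ID plus query name rather than on source address, because a spoofing tool normally forges the resolver’s source IP as well.

```python
import struct
from collections import defaultdict


def build_dns_response(txid, qname, ip):
    """Build a minimal DNS response (header, one question, one A answer).

    Used only to construct sample traffic for this example; real traffic
    would come from a capture.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    qname_bytes = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = qname_bytes + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_name(data, offset):
    """Decode a DNS name starting at offset, following compression pointers.

    Returns (name, offset just past the name as it appears at the call site).
    """
    labels = []
    end = None  # set when the first pointer is followed
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_dns_response(data):
    """Return (txid, flags, first query name, list of A-record addresses)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname = None
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
        qname = qname or name
    answers = []
    for _ in range(ancount):
        _, offset = parse_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in rdata))
    return txid, flags, qname, answers


def find_conflicting_answers(packets):
    """Flag responses that share (txid, qname) with an earlier response but disagree on the answer.

    packets: iterable of (source_ip, raw_dns_payload). Source IP is recorded
    for the report but is not trusted for matching, since it may be forged.
    """
    seen = defaultdict(list)  # (txid, qname) -> [(src, answers), ...]
    alerts = []
    for src, raw in packets:
        txid, flags, qname, answers = parse_dns_response(raw)
        if not flags & 0x8000:  # QR bit clear: a query, not a response
            continue
        key = (txid, qname.lower())
        for prev_src, prev_answers in seen[key]:
            if set(prev_answers) != set(answers):
                alerts.append({"txid": txid, "qname": qname, "first": prev_answers,
                               "conflicting": answers, "sources": [prev_src, src]})
        seen[key].append((src, answers))
    return alerts


# Constructed sample traffic: the second packet is a forged reply for the same
# transaction, with its source address spoofed to look like the resolver.
SAMPLE_PACKETS = [
    ("10.0.0.53", build_dns_response(0x1A2B, "example.com", "93.184.216.34")),
    ("10.0.0.53", build_dns_response(0x1A2B, "example.com", "10.0.0.77")),
    ("10.0.0.53", build_dns_response(0x3C4D, "intranet.local", "10.0.0.5")),
]

ALERTS = find_conflicting_answers(SAMPLE_PACKETS)

if __name__ == "__main__":
    for alert in ALERTS:
        print(f"possible DNS spoofing: txid={alert['txid']:#06x} {alert['qname']} "
              f"{alert['first']} vs {alert['conflicting']}")
```

On a real network the same logic would be fed from a capture of UDP/53 traffic towards client hosts; two conflicting answers for one transaction are not always malicious (a resolver may be restarted mid-query, or a load balancer may answer twice), so treat a hit as a lead for investigation rather than a verdict, and corroborate it with the ARP table and HTTP traffic from the same host.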

Under development since 2016, three of the four Trojans are only now being revealed, perhaps because of their limited use by OceanLotus. The evolution of the RATs shows how the hackers got more out of them over time. For example, a 2018 variant of Ratsnif, first highlighted by cybersecurity company Macnica Networks in April, is capable of harvesting specific sensitive information from intercepted network traffic, minimising the amount of data the attackers had to collect and sift through.

OceanLotus was also active in February and March, according to separate research, targeting multinational automotive companies in an apparent bid to support Vietnam’s auto industry.

As one malware expert wrote at the time, “They keep coming up with different techniques and even reuse and readapt publicly available exploit code.”

Sources: CyberScoop; BlackBerry Cylance.

