Vietnam’s Top Hacking Group Uses Sloppy Code

Vietnam’s top hacking group’s use of remote access tools has remained largely undetected for years. This is despite their reliance on sloppy code and other hacking techniques that fall short of the group’s normally high standard, according to research published by BlackBerry Cylance.

The OceanLotus group, also known as APT32, has gained notoriety in recent years for using carefully crafted tools to breach companies with business interests in Vietnam, particularly in the manufacturing and hospitality sectors. 

The use of the newfound remote access Trojans (RATs), known as Ratsnif, is out of character for OceanLotus, a technically advanced group that projects power in cyberspace in support of Vietnamese interests. BlackBerry Cylance’s new analysis explains how state-aligned groups can select from a range of malware that varies in sophistication, only using what is necessary against a target organisation.

There is “sloppy code and programmatical errors and debug messages not typically present in OceanLotus malware,” said Tom Bonner, BlackBerry Cylance’s director of threat research for Europe, the Middle East, and Asia. The RAT developers used a “convoluted” and unnecessarily complex way of supplying the malware with the configuration file path.

“Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” BlackBerry Cylance said.

One possible explanation for the discrepancy between this malware and previous OceanLotus samples is that it didn’t develop the tools it’s using in this campaign, Bonner told reorters form CyberScoop. It is unclear what organisations OceanLotus deployed Ratsnif against, or if the activity resulted in successful breaches.

“The best theory we can come up with is that the group may not have had access to the source code to make the necessary modifications, which might be in-line with the tool being developed by another team,” Bonner said.

The RATs, which were pieced together from open-source code, still give the hackers a “veritable Swiss Army knife of network attack techniques,” BlackBerry Cylance said, including the ability to intercept network traffic, spoof domain name system data, and inject malicious code into HTTP headers.

Under development since 2016, three out of four of the Trojans are just being revealed now, perhaps due their limited use by OceanLotus. The evolution of the RATs shows how the hackers were able to get more out of them over time. For example, a 2018 variant of Ratnsif, which was first highlighted by cybersecurity company Macnica Networks in April, is capable of harvesting sensitive target information from networks, minimising the amount of data the attackers had to collect.

OceanLotus was active in February and March, according to research, targeting multinational automotive companies in an apparent bid to support the Vietnam’s auto industry. 

As one malware expert wrote at the time, “They keep coming up with different techniques and even reuse and readapt publicly available exploit code.”

Cyberscoop:    Backberry Cylance:

You Might Also Read:

Cyber Theft Interrupted: Vietnam Bank Foils SWIFT Attack:

 

 

« India & Japan In Cyber Security Pact
Croatian Government Targeted By Mystery Hackers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

National Trading Standards eCrime Team (NTSeCT)

National Trading Standards eCrime Team (NTSeCT)

The National Trading Standards eCrime Team tackles online consumer scams, rip-offs and fraud, as well as those committed by text or email.

Mobile Mentor

Mobile Mentor

Mobile Mentor is an independent provider of enterprise mobility solutions in New Zealand and Australia.

Torsion Information Security

Torsion Information Security

Torsion is an innovative information security and compliance engine, which runs either in the cloud or your data centre.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

vdiscovery

vdiscovery

vdiscovery is a provider of proprietary and best-in-breed solutions in computer forensics, document review, and electronic discovery.

Cybercrime Investigation & Coordinating Center (CICC)

Cybercrime Investigation & Coordinating Center (CICC)

The Cybercrime Investigation and Coordinating Center (CICC) is an attached agency of the Philippines Department of Information and Communications Technology (DICT).

Padlock

Padlock

Padlock is a trusted platform with an intimate knowledge of the cybersecurity industry that connects businesses with freelance professionals

German Israeli Partnership Accelerator (GIPA)

German Israeli Partnership Accelerator (GIPA)

GIPA is based on two pillars: it is an incubator aimed at young academics and a program to transfer cybersecurity expertise to corporate partners.

Path Forward IT

Path Forward IT

Path Forward IT has been troubleshooting, architecting, migrating, protecting, and securing IT environments for businesses across the USA since 2002.

Intigriti

Intigriti

Intigriti helps companies protect themselves from cybercrime. Our community of ethical hackers provides continuous, realistic security testing to protect our customer’s assets and brand.

ACI Learning

ACI Learning

ACI Learning - Training tomorrow’s industry leaders with formats for all types of learners in Audit, Cybersecurity, and IT.

Radius Technologies

Radius Technologies

Radius Technologies is trusted by progressive SMEs to deliver world-class cloud, IT solutions, IT and data security, and telecoms systems.

Evervault

Evervault

Evervault provides engineers easy solutions to complex data security and compliance problems.

Silobreaker

Silobreaker

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace.

Boldend

Boldend

Boldend offers leading-edge offensive and defensive cybersecurity solutions that empower government and commercial organizations to stay resilient in an evolving threat landscape.

WIIT Group

WIIT Group

WIIT Group are focused on a single goal: securing our clients’ critical processes and enabling them for digital transformation.