Vietnam’s Top Hacking Group Uses Sloppy Code

A set of remote access tools used by Vietnam’s top hacking group has remained largely undetected for years, despite relying on sloppy code and other techniques that fall short of the group’s normally high standard, according to research published by BlackBerry Cylance.

The OceanLotus group, also known as APT32, has gained notoriety in recent years for using carefully crafted tools to breach companies with business interests in Vietnam, particularly in the manufacturing and hospitality sectors. 

The use of the newfound remote access Trojans (RATs), known as Ratsnif, is out of character for OceanLotus, a technically advanced group that projects power in cyberspace in support of Vietnamese interests. BlackBerry Cylance’s new analysis explains how state-aligned groups can select from a range of malware that varies in sophistication, only using what is necessary against a target organisation.

There is “sloppy code and programmatical errors and debug messages not typically present in OceanLotus malware,” said Tom Bonner, BlackBerry Cylance’s director of threat research for Europe, the Middle East, and Asia. The RAT developers used a “convoluted” and unnecessarily complex way of supplying the malware with the configuration file path.

“Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware,” BlackBerry Cylance said.

One possible explanation for the discrepancy between this malware and previous OceanLotus samples is that the group did not develop the tools it is using in this campaign, Bonner told reporters from CyberScoop. It is unclear which organisations OceanLotus deployed Ratsnif against, or whether the activity resulted in successful breaches.

“The best theory we can come up with is that the group may not have had access to the source code to make the necessary modifications, which might be in-line with the tool being developed by another team,” Bonner said.

The RATs, which were pieced together from open-source code, still give the hackers a “veritable Swiss Army knife of network attack techniques,” BlackBerry Cylance said, including the ability to intercept network traffic, spoof domain name system data, and inject malicious code into HTTP headers.

Under development since 2016, three of the four Trojans are only now being revealed, perhaps because of their limited use by OceanLotus. The evolution of the RATs shows how the hackers were able to get more out of them over time. For example, a 2018 variant of Ratsnif, first highlighted by cybersecurity company Macnica Networks in April, is capable of harvesting sensitive target information from networks, minimising the amount of data the attackers had to collect.

OceanLotus was active in February and March, according to research, targeting multinational automotive companies in an apparent bid to support Vietnam’s auto industry.

As one malware expert wrote at the time, “They keep coming up with different techniques and even reuse and readapt publicly available exploit code.”
