A state-backed cybercriminal group called OceanLotus, also known as APT32, exploits the web archive file format to avoid detection from security solutions while distributing malware to intrude in target devices.
The recent report of a cybersecurity researcher claims that the state-sponsored hackers are actively utilising the web archive files [.]MHTML, and [.]MHT for its campaign. The threat actors initiate the attack with a RAR compression of a 35-65 MB web archive file attached with a compromised and malicious MS Word document.
To evade getting spotted by the protection of MS Office, the threat actors have organised the ZoneID property located in the file’s metadata to 2, displaying it as if it were downloaded by the target from a legit and reliable store.
Suppose the target opens the web archive containing the malicious MS Word document. The malware will ask the user to ‘Enable Content’ that will eventually access the way to operating the compromised VBA macro code.
When the payload is executed correctly by the unaware target, the macro code will perform several tasks and remove the original MS Word file, resulting in a malicious file that activates a phoney error notification.
The OceanLotus can extract numerous credentials if it successfully accesses its target’s system.
The OceanLotus’s backdoor with a 64-bit DLL activates with an interval of 10 minutes by utilising a scheduled task impersonating the WinRAR update check. Additionally, the malware is injected into the ‘rundll32[.]exe’ operating indefinitely inside the system memory to evade the detection of any cybersecurity solution.
The malware can collect a lot of information, such as a list of system directories, files, computer names, usernames, and reviews of active processes. Once the malware collects the data, it will attach and encrypt all of it inside a single package before redirecting it back to the hacker’s command-and-control server.
The OceanLotus group reemerges with new weaponry and successfully avoids detection from cybersecurity anti-malware tools. Moreover, the group utilises a legitimate cloud hosting service such as Glitch for communication to keep their presence unknown.
Cybersecurity experts advise organisations to leverage the provided IoCs for detecting and stopping active malicious campaigns.