
Research Ocean Lotus

Open plugxor opened this issue 4 years ago • 4 comments

Research Ocean Lotus for the emulation plan

Each member researches the Ocean Lotus group over this next week (09FEB-13FEB). Add comments and links to your favorite reports on this issue when they meet the following criteria:

  • Interesting, unique, group-specific techniques leveraged
  • Quality vendor reputation if attributed - description of how attribution was made
  • Clear analysis of malware and how it's used in the environment
  • Operating systems targeted
  • Automated vs. manually entered commands

plugxor avatar Feb 06 '21 19:02 plugxor

Review current stack of work

https://docs.google.com/document/d/1ZEUiHeWYHSwhHZY6K0dqU6-_TFVHcOWOnU5JHYWki24/edit#heading=h.menntqnhxg3x

cat-alyst avatar Feb 06 '21 19:02 cat-alyst

Goal:

  • Next meeting (13Feb21) be able to contribute to build a scenario based off research

Stretch Goal:

  • What company to emulate
  • Ocean Lotus infrastructure domain list
  • Infrastructure systems we need in the environment

cat-alyst avatar Feb 06 '21 19:02 cat-alyst

  • Initial Infection, November 2020: https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
  • Steganography Usage, April 2019: https://threatpost.com/oceanlotus-apt-uses-steganography-to-shroud-payloads/143373/
  • Windows - discusses how they change as IOCs are published, March 2019: https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
  • Awesome report with a list of tools, 2017: https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part2.pdf

Key Behaviors

  • Self extracting archives to run code using misleading icons or unicode
  • DLL side loading
  • Fake timestamps -> concerted effort
  • Targets English, Chinese, and Cambodian
  • Filenames randomly generated
  • In-memory operations
  • Automated clean up in decoy
  • Large number of payloads used

cat-alyst avatar Feb 06 '21 20:02 cat-alyst
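Added example (not from the issue thread or the workshop repo): a small defender-side check for the first "Key Behaviors" item above, flagging filenames that use bidirectional override characters, whitespace padding, or a decoy document extension in front of an executable one. Sample filenames and the extension lists are constructed for illustration.

```python
import re
from typing import Dict, List

# Unicode bidi controls (U+202A-U+202E, U+2066-U+2069) can visually reorder a
# name so that "report\u202Efdp.exe" renders as "reportexe.pdf" in a file browser.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Decoy document-looking extensions and executable extensions (constructed lists).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi"}


def check_filename(name: str) -> List[str]:
    """Return the deception indicators found in one filename (empty if none)."""
    findings: List[str] = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi-override")
    # Evaluate the extension on the control-stripped name, i.e. what the OS executes.
    clean = "".join(c for c in name if c not in BIDI_CONTROLS).lower()
    stem, _, ext = clean.rpartition(".")
    if ext in EXEC_EXTS:
        # Long run of spaces pushes the real extension out of view in narrow columns.
        if re.search(r"\s{4,}$", stem):
            findings.append("whitespace-padding")
        # "invoice.pdf .exe" style double extension.
        inner = stem.rstrip().rpartition(".")[2]
        if inner in DOC_EXTS:
            findings.append("double-extension")
    return findings


def scan(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious filename to its indicators; clean names are omitted."""
    return {n: f for n in names if (f := check_filename(n))}


# Constructed sample names: two deceptive, two benign.
SAMPLES = [
    "Annual_report\u202efdp.exe",
    "invoice.pdf" + " " * 30 + ".exe",
    "meeting_notes.docx",
    "setup.msi",
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(repr(name), "->", ", ".join(hits))
```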

Goal Discussion from 13FEB21 meeting - build out README, define scope, continue research, submit public release for companies, and continue scenario. Approved Cat's idea regarding a human rights activist company.

Stretch Goal

  • [x] What company to emulate
  • [x] Ocean Lotus infrastructure domain list - in report - https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/

Still todo

  • [ ] Infrastructure systems we need in the environment

Decided to emulate a human rights organization, which is in alignment with the victimology of Ocean Lotus.

cat-alyst avatar Feb 20 '21 18:02 cat-alyst