APT-C-00 OceanLotus Utilizes Advanced Dual Loader with VMP Protections


Introduction

On September 23, 2024, the Advanced Threat Research Institute’s 360 Threat Intelligence Center released a detailed analysis on APT-C-00, also known as OceanLotus, a notorious advanced persistent threat (APT) group with suspected state backing. This new report highlights their recent shift in tactics, specifically their use of a modified dual backdoor loader, enhanced by VMProtect software, to better evade detection and analysis.

Report Overview

APT-C-00, commonly known as OceanLotus, has been actively targeting high-value individuals and organizations since its exposure in 2015. The group has consistently evolved its techniques to stay ahead of detection efforts, often utilizing novel methods to protect its malware from being analyzed. In 2024, during threat-hunting efforts, 360 researchers captured a new cyberattack aimed at high-profile targets, identifying modifications to a dual backdoor loader used by OceanLotus over the past two and a half years. The most notable addition was the use of VMProtect to obscure the loader’s functionality.

Technical Analysis: Dual Backdoor Loader

Module 1: MSVC DLL with Host Information Collection

The first module of the loader is a dynamic link library (DLL) file, compiled using Microsoft Visual C++ (MSVC). The workflow of this module begins by gathering basic system information, such as the hostname and disk details, and storing this information in the %Temp%\NVidiaSetup\kd8812u directory. This collected data is later used by the attacker, though the exact purpose of this information remains unclear at this stage.

The module proceeds to load a second DLL containing an encrypted payload. This payload is decrypted using a key passed along with the DLL's module handle, obscuring the nature of the attack and complicating static and dynamic analysis.

Module 2: GoLang-Based Component with Screen Capture Capabilities

The second module, written in Go, operates in a similar manner but incorporates additional open-source tools for data collection. Using the gopsutil project, the module collects system information, while the screenshot project captures a snapshot of the user’s screen. This data is then stored alongside the other collected host details.

The malicious payload is carried in this module as a Base64-encoded resource that is encrypted with the RC4 algorithm. Upon decryption, the second payload, a reflectively loaded CobaltStrike Beacon, is executed and establishes a command-and-control (C2) connection with the server at strengthening-memories-reports-restoration.trycloudflare.com:443.
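To show the unpacking step an analyst reproduces when pulling the Beacon out of the Go module, here is an added Python example (it is not code from the 360 report or from the malware): it Base64-decodes a resource, RC4-decrypts it, and checks for a PE header. The key, the resource bytes and the fake MZ stub are constructed placeholders; the real values are not published on this page.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_payload(resource_b64: str, key: bytes) -> bytes:
    """Base64-decode the embedded resource, then RC4-decrypt it."""
    return rc4(key, base64.b64decode(resource_b64))

def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: a reflectively loaded Beacon is a PE image (MZ header)."""
    return blob[:2] == b"MZ"

# Constructed stand-in for the loader's resource: a fake MZ stub encrypted under
# a placeholder key. Neither the real key nor the real blob is published in the report.
PLACEHOLDER_KEY = b"placeholder-key"
FAKE_BEACON = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_RESOURCE = base64.b64encode(rc4(PLACEHOLDER_KEY, FAKE_BEACON)).decode()

if __name__ == "__main__":
    blob = extract_payload(SAMPLE_RESOURCE, PLACEHOLDER_KEY)
    print("PE header present:", looks_like_pe(blob), "size:", len(blob))
```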

VMP Loader: Strengthening Evasion

During daily threat hunting, the researchers also discovered a variant of the dual loader protected by VMProtect, an advanced tool used to obfuscate executable code and prevent reverse engineering. This variant leverages VMProtect’s code virtualization to mask critical portions of the loader, making it difficult for security analysts to identify the exact behavior of the payload.

Both modules in the VMP-protected loader demonstrate enhanced resilience to analysis. By comparing portions of the unpacked (shell-less) and VMP-protected versions, researchers were able to identify the differences in how the malicious payload is decrypted and executed. The CobaltStrike Beacon used in this variant connects to a different C2 server at 64.176.58.16:80, further complicating attribution and defense efforts.

Insights and Analysis

The use of VMProtect to obfuscate OceanLotus' loader represents a significant escalation in the group's capability to evade detection. Security teams face increased difficulty in analyzing malware protected by VMProtect, as the cost and time required to reverse-engineer the code rise substantially. Furthermore, OceanLotus' continued use of false-flag operations, in which it mimics the tactics of other known APT groups, complicates attribution efforts.

To mitigate the risks posed by this advanced threat, organizations are encouraged to implement the following measures:

  1. Strengthen Endpoint Detection and Response (EDR): Enhanced monitoring of host-based anomalies, such as unusual directory creation or DLL loads, can help detect early stages of the attack.
  2. Network Traffic Analysis: Monitoring for suspicious outbound connections to known C2 servers like strengthening-memories-reports-restoration.trycloudflare.com and 64.176.58.16 can reveal compromised hosts.
  3. File Integrity Monitoring: Tracking unauthorized changes to system files and directories like %Temp% can alert security teams to suspicious behavior.
  4. Threat Intelligence Integration: Leverage up-to-date threat intelligence to block known IOCs associated with APT-C-00.
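As an added example that is not part of the 360 report, the following Python checks constructed Sysmon-style events against the indicators listed on this page: file writes into the %Temp%\NVidiaSetup\kd8812u staging directory and network connections to the two C2 endpoints. The sample events, process names and non-indicator addresses are made up; only the indicators come from the report.

```python
import json
import re

# Indicators quoted from the 360 report summarised above.
C2_HOSTS = {"strengthening-memories-reports-restoration.trycloudflare.com"}
C2_IPS = {"64.176.58.16"}
# Staging directory written by the first loader module, relative to %Temp%.
STAGING_DIR = re.compile(r"\\Temp\\NVidiaSetup\\kd8812u(\\|$)", re.IGNORECASE)

# Constructed Sysmon-style events as JSON lines (not real telemetry).
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\rundll32.exe", "TargetFilename": "C:\\Users\\a\\AppData\\Local\\Temp\\NVidiaSetup\\kd8812u\\host.txt"}
{"EventID": 3, "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe", "DestinationHostname": "strengthening-memories-reports-restoration.trycloudflare.com", "DestinationIp": "104.16.0.1", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\ProgramData\\svc.exe", "DestinationHostname": "", "DestinationIp": "64.176.58.16", "DestinationPort": 80}
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "example.org", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\log.txt"}
"""

def parse_events(text):
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_event(ev):
    """Return the name of the matching rule, or None if the event hits nothing."""
    if ev.get("EventID") == 11 and STAGING_DIR.search(ev.get("TargetFilename", "")):
        return "staging_dir_write"
    if ev.get("EventID") == 3:
        if ev.get("DestinationHostname", "").lower() in C2_HOSTS:
            return "c2_hostname"
        if ev.get("DestinationIp") in C2_IPS:
            return "c2_ip"
    return None

def scan(text):
    """Return (rule, image) pairs for every event that matches an indicator."""
    hits = []
    for ev in parse_events(text):
        rule = check_event(ev)
        if rule:
            hits.append((rule, ev.get("Image", "")))
    return hits

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOG):
        print(f"{rule}: {image}")
```

The trycloudflare hostname only appears in DNS or proxy logs that record it, so the IP rule is kept separate and both are needed.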

APT-C-00, or OceanLotus, remains one of the most persistent and sophisticated APT groups in operation today. Their use of VMProtect to enhance the capabilities of their dual backdoor loader highlights the growing challenge that security professionals face in detecting and analyzing modern threats. As these groups continue to evolve, it is crucial for organizations to stay vigilant and proactive in their defence strategies.

Indicators of Compromise (IOC)

| Indicator | Type | Description |
|---|---|---|
| 4a8756b22029a88506744ab7864c9b83 | MD5 | Hash of a DLL used in the OceanLotus attack |
| 2109479e62f3c45bab00768553b158b8 | MD5 | Hash of a DLL module collected during the analysis |
| d21c4b1c1db2c9f443c4ba271f738c91 | MD5 | Hash of a GoLang-based component |
| 9ad37ce054ca1523d26bb49fbc80dff6 | MD5 | Hash related to the OceanLotus dual backdoor loader |
| 26669891d83b8a706d2c0af91292247c | MD5 | Hash of the VMProtected loader variant |
| 4ce5ea38c4d486bed7f6d9e9208133c6 | MD5 | Hash of the VMProtected loader module |
| strengthening-memories-reports-restoration.trycloudflare.com:443 | C2 | Command-and-Control server used by OceanLotus |
| 64.176.58.16:80 | C2 | Alternate Command-and-Control server |

MITRE ATT&CK Table

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Collection | Screen Capture | T1113 | The second module uses the screenshot project to capture the screen. |
| Command and Control | Encrypted Channel | T1573.001 | C2 communication is done using encrypted channels like HTTPS or similar methods. |
| Defense Evasion | Obfuscated Files or Information | T1027 | VMProtect is used to obfuscate the payloads and hinder analysis. |
| Execution | Command-Line Interface | T1059.001 | ShellExecute is called to print a file stream, which is part of the execution process. |

References

https://mp-weixin-qq-com.translate.goog/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247500701&idx=1&sn=7f4644119574e433a29d215a70658f6b&chksm=f9c1f094ceb67982f950b7569be3d9f5ff176d741f1bef4ea2e4fc412305a4dd04bdc7b869fb&scene=178&cur_album_id=1955835290309230595&_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#rd