New Ratsnif trojan variant emerges in new wave of attacks by OceanLotus APT group

• OceanLotus is believed to be a Vietnam-linked cyberespionage group that targets organizations across multiple sectors.
• The packet sniffing feature of Ratsnif trojan focuses on extracting login credentials and other sensitive data via protocol parsing.

OceanLotus APT group, also known as APT32, SeaLotus, and CobaltKitty, has been found using a variant of a lesser-known remote access trojan Ratsnif to perform network attacks. OceanLotus is believed to be a Vietnam-linked cyberespionage group and targets organizations across multiple sectors.

What’s the matter?

Cylance Threat Research Team has detected four distinct samples of Ratsnif trojan, three of which were developed in 2016. The fourth sample was created in the second half of 2018 and includes significant modifications when compared to the previous versions.

The analysis reveals the fourth version of Ratsnif includes several features to launch attack against an organization’s network such as:

• Packet sniffing
• ARP poisoning
• DNS spoofing
• HTTP redirection
• Mac spoofing
• Remote shell

The packet sniffing feature of Ratsnif trojan focuses on extracting login credentials and other sensitive data via protocol parsing.

How does Ratsnif operate?

Once installed on the target machine, Ratsnif creates a run once mutex named ‘oneinstance’. This initializes Winsock version 2.2 and allows the trojan to harvest system information such as username, computer name, workstation configuration (via NetWkstaGetInfo API), Windows system directory and network adapter information. The information is then sent to the attacker’s C2 server via an HTTP post.

How is the fourth variant different from other samples?

Cylance Threat Research Team noted that this particular sample of Ratsnif trojan comes wrapped in two layers of shellcode. Unlike the previous variants, it does not rely on C2 servers for operations.

“The loader DLL decodes the payload, copies it to memory and executes the 1st stage shellcode, which will decompress the binary and execute the 2nd stage shellcode in a separate thread. The 2nd stage shellcode will inject the sniffer executable into memory and hook several API functions responsible for returning the process command line, so they return a hardcoded string instead,” wrote the researchers in a blog post.

Another difference between 2016 variants and the 2018 one is that the former samples stored all packets to a PCAP file. However, the latter uses multiple sniffing methods to collect sensitive information from packets.