OceanLotus threat actor group uses a new custom downloader ‘KerrDown’
- The ongoing campaign targets either citizens of Vietnam or individuals who speak the Vietnamese language.
- Two methods were used to deliver the ‘KerrDown’ downloader to the victims - MS Office doc with malicious macro and RAR archive which contains a legitimate program with DLL side-loading.
Researchers recently spotted a custom downloader ‘KerrDown’ which is used by the OceanLotus threat actor group to infect victims with payloads such as Cobalt Strike Beacon.
OceanLotus was responsible for multiple attack campaigns against private sectors across multiple industries, foreign governments, activists, and dissidents connected to Vietnam. While OceanLotus’ targets are global, researchers observed that the group’s operations are mostly active within the APAC region.
Researchers from Palo Alto Networks noted that an ongoing campaign using KerrDown downloader targets either citizens of Vietnam or individuals who speak the Vietnamese language.
OceanLotus working pattern
The researchers observed a high number of samples of the ‘KerrDown’ DLL downloader which was enough to confirm that the threat actor group operated during standard Vietnamese working hours 9 am to 6 pm.
Palo Alto Networks researchers also observed that all the samples were compiled during the weekdays between Monday to Friday, which indicated that the OceanLotus works during weekdays and takes a break during the weekends.
Two methods to deliver KerrDown
Researchers noted two methods to deliver the KerrDown downloader to their targets.
- One method uses the Microsoft Office Document with a malicious macro, and
- The other method leverages the RAR archive which contains a legitimate program with DLL side-loading.
However, both the methods use phishing emails to deliver the malicious MS Office attachments/RAR archive attachments. Furthermore, the phishing emails' content and filenames are written in Vietnamese.
KerrDown is leveraged to download Cobalt Strike Beacon
Researchers disclosed that during their analysis and investigation, link to the final payload of KerrDown was active, therefore, they were able to download a copy. The researchers then identified that the copy of the KerrDown payload turned out to be a variant of Cobalt Strike Beacon.
“As we can see in this case, the purpose of the malware is to download and execute the Cobalt Strike Beacon payload in memory. Though Cobalt Strike is a commercial penetration testing tool, various threat actors are known to have used it in their campaigns,” Researchers from Palo Alto Networks wrote in a blog