OceanLotus Uses Web Archive File Format to Deliver Malware

The use of web archive file format

• The attack begins with a RAR compression of a 35–65 MB web archive file laden with a malicious Word document.
• To bypass the protection of Microsoft Office, the attackers have set the ZoneID property in the file's metadata to 2, portraying it as if it was downloaded from a legitimate source.
• Opening the web archive file with the infected Word document asks the victim to Enable Content, which eventually opens the way to running malicious VBA macro code.
• After the payload is executed, the macro code carries out multiple tasks and deletes the original Word file, leading to the decoy document that triggers a fake error pop-up.

Diving deep into the operation

• The backdoor is injected into the rundll32[.]exe running indefinitely inside system memory to avoid detection.
• The malware collects different information, such as network adapter, a list of system directories and files, username, computer name, and checks the list of running processes.
• Once the data is gathered, the backdoor adds and encrypts everything inside a single package before being sent to the C2 server.
• The C2 server is hosted on a cloud hosting and web development collaboration service, known as Glitch.

Conclusion