OceanLotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.
While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. The certificate, unique to the group, has correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German publications BR24 and Zeit Online track OceanLotus activity across Europe.
Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.
New Infrastructure Unveils a Familiar Tactic
Passive DNS analysis of the more than 70 IP addresses linked to the unique OceanLotus SSL certificate surfaced hundreds of hosts and domains previously associated with OceanLotus malware, Command and Control infrastructure, and open-source reporting. RiskIQ also uncovered a significant amount of infrastructure related to these IP addresses that has not been publicly disclosed, which further analysis confirmed belongs to OceanLotus.
Analysis of filenames associated with the malware connected to this new infrastructure shows OceanLotus operatives using Word documents embedded with malicious executables, with lures focused on the 2020 Association of Southeast Asian Nations (ASEAN) conference, engineering CVs, and Vietnamese-language news articles. These tactics are consistent with previously reported OceanLotus campaigns.
A Powerful Pivot
Leveraging RiskIQ's data sets, we could instantly expand the OceanLotus infrastructure by more than 70 IP addresses. This one pivot illuminated 365 domains with OceanLotus activity, and cross-referencing these domains uncovered nameservers present in the WHOIS data that helped confirm they belonged to OceanLotus.
Visit the RiskIQ Threat Intelligence portal to see a full list of the domains and IP addresses mentioned above. You can also view the file hashes linked to OceanLotus activity there. However, the list is not complete and does not include APT32's operations that have more recently employed Cobalt Strike to establish an initial foothold in victim environments. Relevant subdomains and resolutions are available to RiskIQ customers in our enterprise indicators tab.
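The pivot chain described above (certificate to IP addresses, passive DNS to domains, WHOIS nameservers as corroboration), sketched as an added example that is not RiskIQ's code or API. All records are constructed, and the function names, the time-window filter, and the `min_shared` threshold are assumptions of this example.

```python
from collections import Counter
from datetime import date

# Constructed sample data: documentation IP ranges and .example names, not real indicators.
CERT_SHA1 = "aa11" * 10  # placeholder fingerprint
CERT_SCANS = [  # (cert_sha1, ip, first_seen, last_seen) from TLS scan data
    (CERT_SHA1, "192.0.2.10", date(2020, 2, 27), date(2020, 6, 1)),
    (CERT_SHA1, "198.51.100.7", date(2020, 4, 2), date(2020, 9, 15)),
    ("bb22" * 10, "203.0.113.5", date(2020, 1, 1), date(2020, 12, 1)),
]
PASSIVE_DNS = [  # (domain, ip, first_seen, last_seen)
    ("alpha-cdn.example", "192.0.2.10", date(2020, 3, 1), date(2020, 5, 1)),
    ("old-tenant.example", "192.0.2.10", date(2018, 1, 1), date(2018, 6, 1)),
    ("beta-news.example", "198.51.100.7", date(2020, 5, 1), date(2020, 8, 1)),
    ("gamma-mail.example", "198.51.100.7", date(2020, 9, 1), date(2020, 10, 1)),
    ("delta-shop.example", "203.0.113.5", date(2020, 2, 1), date(2020, 3, 1)),
]
WHOIS_NS = {  # domain -> nameservers listed in WHOIS
    "alpha-cdn.example": ["ns1.dns-a.example"],
    "beta-news.example": ["ns1.dns-a.example"],
    "gamma-mail.example": ["ns1.parking.example"],
}

def cert_to_ips(sha1):
    """Pivot 1: certificate fingerprint -> {ip: (first_seen, last_seen)}."""
    return {ip: (first, last) for fp, ip, first, last in CERT_SCANS if fp == sha1}

def ips_to_domains(windows):
    """Pivot 2: keep only resolutions that overlap the period the certificate
    was served from that IP, so earlier tenants of a reused IP are excluded."""
    hits = set()
    for domain, ip, first, last in PASSIVE_DNS:
        if ip in windows and first <= windows[ip][1] and last >= windows[ip][0]:
            hits.add(domain)
    return hits

def corroborate(domains, min_shared=2):
    """Split candidates by whether a WHOIS nameserver is shared with at least
    min_shared candidates; the rest need manual review before attribution."""
    counts = Counter(ns for d in domains for ns in set(WHOIS_NS.get(d, [])))
    strong = {d for d in domains
              if any(counts[ns] >= min_shared for ns in WHOIS_NS.get(d, []))}
    return strong, domains - strong

if __name__ == "__main__":
    confirmed, review = corroborate(ips_to_domains(cert_to_ips(CERT_SHA1)))
    print("corroborated:", sorted(confirmed), "| needs review:", sorted(review))
```

Domains that land in the review set share an IP with the certificate but lack a second linking attribute, which is the situation where shared hosting most often produces false clusters.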
Finding OceanLotus in the Internet Intelligence Graph
Web pages are made up of many different remote resources that get assembled to form a cohesive user experience. RiskIQ collection keeps the full HTML of a web page, saving any dependent file used in its loading process, including SSL certificates. With this information, RiskIQ can link infrastructure showing the interconnectivity of different entities across the web, identifying each web asset's dependencies and pathways.
Similarities between campaigns are observable to the threat analysts tracking them. Threat actors can reuse the same tactics, malware, and even infrastructure to achieve their objectives. Our Internet Intelligence Graph enabled us to act on the hunch that this OceanLotus certificate was a strong indicator of a particular server (IP address) used by the APT group, which kicked off the investigation that ultimately uncovered a considerable swath of threat infrastructure.
It's important to bear that in mind when clustering activity sets together. Starting with the unique data sets in RiskIQ PassiveTotal, analysts can quickly enumerate infrastructure related to seemingly disparate campaigns to paint a vivid picture of the threat landscape targeting their organization. To explore the comprehensive list of IOCs, visit the Threat Intelligence Portal in RiskIQ PassiveTotal. Sign up with a corporate email address for a free month of enterprise access.