A collaborative analysis by a Qianxin team examines a wave of mht/Web Archive-based attacks that deliver malicious DLLs via Office macros and use Glitch-hosted infrastructure, noting overlaps with OceanLotus but also distinct traits. The operation combines VBA obfuscation, reflective in-memory DLL loading, exfiltration of host information to a Glitch-hosted C2 that then serves a 7z-compressed second stage, and scheduled-task persistence; the report supplies indicators for defenders while leaving attribution uncertain.
#OceanLotus #Glitch #KerrDown
Keypoints
- The campaigns rely on mht (Web Archive) files carrying Office macros: the lure prompts the user to enable macros, which then drop the malware; the associated samples are RAR archives (e.g., HS.rar, Tai_lieu.rar).
- Macro code and the dropped DLLs are obfuscated; the VBA uses string assembly via Chr and mixed hex/octal/decimal constants to hide logic.
- The malware collects host information (MAC address, username, hostname, processes) and sends it to a Glitch-hosted C2 using POST requests before pulling a 7z-compressed second-stage payload.
- The dropped DLLs implement in-memory, reflective loading of PE payloads and perform remote process injection to run additional code without writing to disk.
- Persistence is achieved via scheduled tasks (named “Chrome Update”) and DLL export routines like OpenProfile/SaveProfile to sustain operation.
- There are links and behaviors associated with OceanLotus history, but several features differ, suggesting possible imitation or multiple actors.
- Early samples date back to 2021, with consistent use of Glitch-based C2 and similar obfuscation techniques, but current activity lacks public attribution.
MITRE Techniques
- [T1059.005] Visual Basic – The macro uses Visual Basic for Applications with obfuscated strings and assembly of constants via Chr and mixed numeric bases. – “VBA经过混淆处理,…通过Chr函数拼接关键字符串,以及用十六进制、八进制和十进制的混合运算得到常量数字” (‘The VBA is obfuscated…constructed using Chr and mixed hex, octal, and decimal calculations to obtain constants’).
- [T1027] Obfuscated/Compressed Files and Information – Macro code and the malicious DLL are both obfuscated. – “宏代码和恶意DLL均进行了代码混淆” (‘The macro code and the malicious DLL are both obfuscated’).
- [T1105] Ingress Tool Transfer – Downloads subsequent malware packaged in 7z and executes it. – “下载经过7z压缩的后续恶意软件并执行” (‘Subsequent malware downloaded compressed in 7z and executed’).
- [T1071.001] Web Protocols – Exfiltrates collected data to the Glitch-hosted C2 via POST; retrieves the further payload via GET. – “回传信息…回传的URL格式为hxxps://…glitch.me/…” (‘The information is sent back…the callback URL takes the form hxxps://…glitch.me/…’).
- [T1053.005] Scheduled Task – Creates a Windows Scheduled Task named “Chrome Update” for persistence. – “计划任务的名称为“Chrome Update”” (‘The scheduled task is named “Chrome Update”’).
- [T1055] Process Injection – Injects embedded PE into a remote process and executes it; uses remote thread techniques. – “将dll中内嵌的PE注入远程傀儡进程执行” (‘Injects the embedded PE into a remote puppet process for execution’).
- [T1620] Reflective Code Loading – Reflective loading loads PE in memory rather than from disk. – “在内存中反射加载自身” (‘Loaded in memory via reflection’).
- [T1082] System Information Discovery – Collects host information (MAC, username, hostname, processes) for exfiltration. – “收集主机信息,信息包括网卡MAC地址、用户名、主机名、当前所有进程名” (‘Collect host information including MAC, username, hostname, and all running processes’).
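The report describes the macro's string-hiding trick (key strings assembled with Chr() from constants written in mixed hexadecimal, octal and decimal notation with simple arithmetic) but not how an analyst recovers those strings. The following is an added example, not code from the report or from the samples it describes: a small Python deobfuscator that evaluates VBA integer expressions (&H, &O and decimal literals with + - * and parentheses) without calling eval(), replaces each Chr(...) call with a quoted character, and merges the resulting "a" & "b" concatenations into one literal. The VBA fragment it runs on is constructed for this example; the strings it hides ("Powershell" and the task name "Chrome Update") were chosen to mirror the report's description. It assumes Chr() calls are not nested inside one another.

```python
import re

# Constructed sample of the obfuscation style the report describes: characters
# produced by Chr() from constants in mixed hex (&H), octal (&O) and decimal form.
SAMPLE_VBA = (
    'Dim s As String\n'
    's = Chr(&H50) & Chr(111) & Chr(&O167) & Chr(101 + 0) & Chr(&H72) '
    '& Chr(&H73) & Chr(104) & Chr(&H65 * 1) & Chr(&O154) & Chr(108)\n'
    't = Chr(&H43 + 0) & Chr(104) & Chr(114 - 0) & Chr(&O157) & Chr(109) '
    '& Chr(101) & Chr(32) & Chr(85) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(101)\n'
)

# One token: optional whitespace, then a VBA integer literal or an operator/paren.
_TOKEN = re.compile(r'\s*(?:(&H[0-9A-F]+|&O[0-7]+|\d+)|([()+\-*]))', re.I)


def vba_literal_to_int(tok: str) -> int:
    """Convert a VBA integer literal (&H.., &O.., or decimal) to int."""
    if tok[:2].upper() == '&H':
        return int(tok[2:], 16)
    if tok[:2].upper() == '&O':
        return int(tok[2:], 8)
    return int(tok)


def _tokenize(expr: str):
    pos, out = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f'unsupported syntax at {expr[pos:]!r}')
        pos = m.end()
        out.append(('num', vba_literal_to_int(m.group(1))) if m.group(1) else ('op', m.group(2)))
    return out


# Tiny recursive-descent evaluator: expr := term (('+'|'-') term)*, term := atom ('*' atom)*.
def _parse_expr(toks, i):
    val, i = _parse_term(toks, i)
    while i < len(toks) and toks[i][0] == 'op' and toks[i][1] in '+-':
        op = toks[i][1]
        rhs, i = _parse_term(toks, i + 1)
        val = val + rhs if op == '+' else val - rhs
    return val, i


def _parse_term(toks, i):
    val, i = _parse_atom(toks, i)
    while i < len(toks) and toks[i] == ('op', '*'):
        rhs, i = _parse_atom(toks, i + 1)
        val *= rhs
    return val, i


def _parse_atom(toks, i):
    if i >= len(toks):
        raise ValueError('unexpected end of expression')
    kind, v = toks[i]
    if kind == 'num':
        return v, i + 1
    if v == '(':
        val, i = _parse_expr(toks, i + 1)
        if i >= len(toks) or toks[i] != ('op', ')'):
            raise ValueError('missing closing parenthesis')
        return val, i + 1
    if v == '-':                      # unary minus
        val, i = _parse_atom(toks, i + 1)
        return -val, i
    raise ValueError(f'unexpected token {v!r}')


def eval_vba_int_expr(expr: str) -> int:
    """Evaluate a VBA integer expression such as '&H20 + (101 - 1) * 1' safely."""
    toks = _tokenize(expr.strip())
    val, i = _parse_expr(toks, 0)
    if i != len(toks):
        raise ValueError('trailing tokens in expression')
    return val


def _find_chr_calls(text: str):
    """Yield (start, end, inner_expression) for each Chr(...) call, balancing parentheses."""
    for m in re.finditer(r'\bChr\s*\(', text, re.I):
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {'(': 1, ')': -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError('unbalanced parentheses in Chr() call')
        yield m.start(), j, text[m.end():j - 1]


def resolve_chr(text: str) -> str:
    """Replace every Chr(<int expr>) with a quoted one-character VBA literal."""
    out, last = [], 0
    for start, end, inner in _find_chr_calls(text):
        ch = chr(eval_vba_int_expr(inner))
        out.append(text[last:start])
        out.append('"' + ch.replace('"', '""') + '"')   # VBA escapes a quote by doubling it
        last = end
    out.append(text[last:])
    return ''.join(out)


_LIT = r'"((?:[^"]|"")*)"'                              # one VBA string literal
_CONCAT = re.compile(_LIT + r'\s*&\s*' + _LIT)          # "a" & "b"


def merge_concats(text: str) -> str:
    """Fold chains of literal concatenations into single literals until stable."""
    prev = None
    while prev != text:
        prev = text
        text = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text


def deobfuscate(vba: str) -> str:
    return merge_concats(resolve_chr(vba))


def string_literals(text: str) -> list:
    """Return the decoded string literals present in (deobfuscated) VBA text."""
    return [m.group(1).replace('""', '"') for m in re.finditer(_LIT, text)]


if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBA))
```

Running the block prints the two assignments with their literals recovered; string_literals() over the result gives the analyst a list of strings to pivot on (process names, task names, URLs) without executing the macro.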
Indicators of Compromise
- [MD5] 0ee738b3837bebb5ce93be890a196d3e, 11d36c3b57d63ed9e2e91495dcda3655, and 12 more hashes
- [File Name] HS.rar, Tai_lieu.rar, and 9 more names
- [URL] hxxps://elemental-future-cheetah.glitch.me/afe92a2bd2P, hxxps://elemental-future-cheetah.glitch.me/afe92a2bd2D, and 2 more URLs
- [Domain] glitch.me, elemental-future-cheetah.glitch.me, and 2 more domains
- [File Path] C:\ProgramData\Microsoft Outlook Sync, C:\ProgramData\Microsoft Edge Download\properties.bin
- [File Name] Tailieu.doc, Document.rar, and 2 more
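The indicators above (the Glitch C2 host, the "Chrome Update" task name, the two ProgramData paths and the sample hashes) can be turned into host-level detection logic. The following is an added example, not part of the report: a Python scanner that applies those indicators to a list of telemetry events (process network connections, scheduled-task registrations and file creations, in a simplified Sysmon-like dictionary form assumed here) and returns named findings. The events are constructed for this example; the C2 host, task name, paths and hashes are taken from the report, while the process paths, the second glitch.me subdomain and the browser allow-list are assumptions. Because glitch.me also hosts legitimate applications, the network rule only flags glitch.me traffic from processes that are not browsers, and it reports an exact match against the known C2 host separately.

```python
import ntpath

# Indicators from the report. Everything else in this block is constructed.
KNOWN_MD5 = {"0ee738b3837bebb5ce93be890a196d3e", "11d36c3b57d63ed9e2e91495dcda3655"}
C2_HOSTS = {"elemental-future-cheetah.glitch.me"}
REPORT_PATHS = (
    r"c:\programdata\microsoft outlook sync",
    r"c:\programdata\microsoft edge download\properties.bin",
)
TASK_NAME = "chrome update"
# Assumption: these are the only processes expected to talk to glitch.me on a workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed telemetry in a simplified Sysmon-like shape (process/network/task/file events).
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\HS\loader.exe",
     "dest_host": "elemental-future-cheetah.glitch.me", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "glitch.me", "dest_port": 443},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\Tai_lieu\loader.exe",
     "dest_host": "constructed-subdomain.glitch.me", "dest_port": 443},
    {"type": "task_create", "task_name": "Chrome Update",
     "command": r"C:\ProgramData\Microsoft Outlook Sync\update.dll"},
    {"type": "file_create", "path": r"C:\ProgramData\Microsoft Edge Download\properties.bin",
     "md5": "0ee738b3837bebb5ce93be890a196d3e"},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\notes.txt",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]


def _under_report_path(path: str) -> bool:
    """True if a Windows path equals or lies under one of the report's file paths."""
    p = path.lower()
    return any(p.startswith(rp) for rp in REPORT_PATHS)


def _is_glitch(host: str) -> bool:
    return host == "glitch.me" or host.endswith(".glitch.me")


def check_event(ev: dict) -> list:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        host = ev.get("dest_host", "").lower()
        proc = ntpath.basename(ev.get("image", "")).lower()   # ntpath handles C:\ paths on any OS
        if host in C2_HOSTS:
            hits.append("known_c2_host")
        elif _is_glitch(host) and proc not in BROWSERS:
            hits.append("glitch_c2_from_non_browser")
    elif kind == "task_create":
        if ev.get("task_name", "").lower() == TASK_NAME:
            hits.append("chrome_update_task")
        if _under_report_path(ev.get("command", "")):
            hits.append("report_file_path")
    elif kind == "file_create":
        if _under_report_path(ev.get("path", "")):
            hits.append("report_file_path")
        if ev.get("md5", "").lower() in KNOWN_MD5:
            hits.append("known_sample_md5")
    return hits


def scan(events: list) -> list:
    """Apply check_event to every event; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The scan flags the loader's connection to the known C2 host, a non-browser process reaching another glitch.me subdomain, the "Chrome Update" task pointing into the Outlook Sync directory, and the properties.bin file (both by path and by hash), while Chrome's own traffic to glitch.me and an unrelated file produce no findings. Path matching is prefix-based and case-insensitive because Windows paths are; in production the hash set and host list would be loaded from the full indicator list rather than the two examples shown.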
Read more: https://mp.weixin.qq.com/s/1L7o1C-aGlMBAXzHqR9udA