Threat Research

Emulating the Southeast Asian Adversary OceanLotus – AttackIQ

AttackIQ

AttackIQ released emulation content that reproduces OceanLotus (APT32) post-compromise TTPs from Operation OceanStorm and Operation Typhoon to help validate detection and prevention controls. The emulations cover port scanning and brute-force access, environment discovery, deployment of loaders and Cobalt Strike, credential dumping with Mimikatz, and exfiltration (HTTP POST). #OceanLotus #Caja

Keypoints

  • AttackIQ published attack graphs emulating OceanLotus operations to validate security controls and incident response.
  • Operation OceanStorm emulation begins with LoadLibrary/CreateRemoteThread, network port scans (21,139,389,445,3389) and brute-force attempts against FTP/SMB.
  • Post-compromise discovery uses PowerShell and native utilities (Get-ComputerInfo, Get-NetDomain, netstat, dir, Get-Service, Get-Disk, uname) to collect host and network data.
  • Adversary tooling includes Cobalt Strike for C2, Mimikatz for credential dumping, various loaders (Shhloader, Mortar), webshells, RPIVOT tunneler, and the multi-architecture trojan “Caja.”
  • Persistence and lateral movement are achieved via service creation (sc), scheduled tasks (schtasks), WMI, token impersonation, and loader execution (MSBuild proxy execution).
  • Exfiltration is performed over C2 (HTTP POST) after compressing/gathering data; AttackIQ also recommends PCAP replay to test SMB brute-force detection.

MITRE Techniques

  • [T1055] Process Injection – Injects a DLL into another process and validates canary file creation (‘injects a DLL file into another running process and validates if a canary file can be created.’)
  • [T1046] Network Service Discovery – Scans for hosts on ports 21, 139, 389, 445, and 3389 using nmap (‘scanning hosts that are open on ports 21, 139, 389, 445, and 3389’).
  • [T1110.003] Brute Force: Password Spraying – Brute-forces FTP and SMB protocols to obtain valid credentials (‘brute-forcing FTP (21) and SMB (445) protocols’).
  • [T1082] System Information Discovery – Executes Get-ComputerInfo (PowerShell) and uname to collect host information (‘executes the Get-ComputerInfo cmdlet via PowerShell’ / ‘executes uname -rms’).
  • [T1049] System Network Connections Discovery – Uses Get-NetDomain and netstat to enumerate domain and active network connections (‘executes the Get-NetDomain PowerView cmdlet’ / ‘uses netstat to collect active connections’).
  • [T1083] File and Directory Discovery – Uses dir to find files of interest and outputs to temporary files (‘uses the native dir command to find files of interest and output to a temporary file.’)
  • [T1518] Software Discovery – Lists installed applications and versions using PowerShell (‘will list all the applications installed, as well as their versions using a PowerShell Script.’)
  • [T1518.001] Security Software Discovery – Queries AntiVirusProduct class via PowerShell to detect security software (‘a PowerShell script is executed to determine which software has been installed as an AntiVirusProduct class.’)
  • [T1033] System Owner/User Discovery – Calls GetUserNameW API to retrieve the current thread user (‘will call the GetUserNameW Windows API call to retrieve the name of the user associated with the current thread.’)
  • [T1016] System Network Configuration Discovery – Collects network config via ipconfig/arp/route/nltest and Unix equivalents (‘using standard Windows utilities like ipconfig, arp, route, and nltest’ / ‘netstat, route, ifconfig, and arp –a’).
  • [T1120] Peripheral Device Discovery – Executes Get-Disk (PowerShell) to gather disk/partition info (‘executes the PowerShell cmdlet Get-Disk to gather valuable information about the physical drives and partitions’).
  • [T1057] Process Discovery – Uses CreateToolhelp32Snapshot and Process32FirstW/Process32NextW to enumerate running processes (‘Windows API is used to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object’).
  • [T1007] System Service Discovery – Runs Get-Service via PowerShell to enumerate services (‘executes the PowerShell cmdlet Get-Service to gather valuable information about installed services and applications’).
  • [T1041] Exfiltration Over C2 Channel – Sends files to attacker server using HTTP POST requests (‘Files are sent to an AttackIQ controlled server using HTTP POST requests.’)
  • [T1105] Ingress Tool Transfer – Downloads payloads to memory and saves to disk to exercise delivery controls (‘downloads to memory and saves to disk in two separate scenarios’).
  • [T1543.003] Windows Service – Creates a persistent service using sc to run payloads at reboot (‘Use the native sc command line tool to create a new service that will be executed at reboot.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Creates scheduled tasks with schtasks for persistence (‘creates a new scheduled task using the schtasks utility.’)
  • [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Uses named pipe impersonation leveraged by Cobalt Strike for privilege escalation (‘uses the named pipe impersonation method leveraged by Cobalt Strike to escalate privileges.’)
  • [T1003] OS Credential Dumping – Uses obfuscated Mimikatz to dump password hashes (‘uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.’)
  • [T1047] Windows Management Instrumentation – Moves laterally using WMI calls (‘attempt to move laterally to any available asset inside the network through the use of Windows Management Instrumentation (WMI).’)
  • [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild – Executes Cobalt Strike via MSBuild to run arbitrary code (‘Cobalt Strike will be deployed and executed via MSBuild on the compromised system.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP for C2 and exfiltration (’emulates the HTTP requests made by OceanLotus by making an HTTP request to an AttackIQ server.’)
  • [T1217] Browser Information Discovery – Enumerates browser bookmarks via PowerShell to gather user/host info (‘uses a PowerShell script to enumerate browser bookmarks’).
  • [T1136.001] Create Account: Local Account – Creates local accounts using net user for persistence (’emulates the creation of a new account using net user.’)
  • [T1548.002] Bypass User Account Control – Disables UAC by setting registry keys (‘attempts to disable UAC by setting a registry key.’)

Indicators of Compromise

  • [Malware/Tools] observed in emulations – Caja (multi-arch trojan), Cobalt Strike, Mimikatz, Shhloader, Mortar Loader, RPIVOT and 1 more item
  • [Ports] targeted/scanned during initial access/recon – 21 (FTP), 139 (NetBIOS), 389 (LDAP), 445 (SMB), 3389 (RDP)
  • [Protocols] used for brute force/exfiltration – FTP, SMB (brute force), HTTP POST (exfiltration)
  • [URLs/Reports] source references used for emulation data – https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==… (QiAnXin report), https://www.attackiq.com/2024/04/16/emulating-oceanlotus/ (AttackIQ original post)

AttackIQ’s emulations reproduce OceanLotus operational steps: initial code execution via LoadLibrary/CreateRemoteThread followed by local network port scanning (nmap over ports 21, 139, 389, 445, 3389) and targeted brute-force attempts against FTP and SMB to obtain credentials. Successful access leads to downloading loaders (memory and disk delivery), deploying Cobalt Strike (via injected shellcode or service creation) and establishing persistent execution through services (sc) or scheduled tasks (schtasks), plus account creation and UAC disabling via Registry for persistence.

After foothold establishment, the emulations run comprehensive environment and network discovery using PowerShell and native utilities: Get-ComputerInfo, Get-NetDomain, dir, Get-Service, Get-Disk, netstat, ipconfig/arp/route/nltest (Windows) and uname/netstat/ifconfig/arp (Linux). Collected artifacts—browser bookmarks, file and directory listings, system/network configs, and credentials (via obfuscated Mimikatz)—are compressed and exfiltrated over HTTP POST to C2 servers. Lateral movement is demonstrated via WMI and token impersonation techniques (named pipe methods used by Cobalt Strike).

Operation Typhoon emulations include multi-architecture loader/trojan deployment (Caja for ARM/MIPS/x86), use of webshells, tunneling tools like RPIVOT, and execution via trusted utilities (MSBuild) to bypass defenses. AttackIQ also recommends extension scenarios such as PCAP replay of SMB brute-force (222 login attempts) to validate detection/prevention of brute-force activity; priority detections to test first include process injection, creation/modification of Windows services, and exfiltration over C2 (HTTP POST) with DLP/IDS/IPS monitoring.

Read more: https://www.attackiq.com/2024/04/16/emulating-oceanlotus/