OceanLotus — Indicators of Compromise

OceanLotus New Backdoor Indicators of Compromise

For a description of OceanLotus' latest campaign (which uses side-loaded binaries such as rastls.exe), see the OceanLotus article and, for a detailed explanation, the OceanLotus whitepaper.

Registry

  • HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\

  • HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\

  • HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\

  • HKCU\SOFTWARE\Intel\Display\igfxcui\igfxtray\;[NUMBER];[DWORD]

Hashes

Initial Dropper

SHA1 | Filename | ESET Detection name
fdcb35cd9cb8dc1474cbcdf1c9bb03200dcf3f18 | RobototFontUpdate.exe | Win32/TrojanDropper.Agent.RUI
a40ee8ff313e59aa92d48592c494a4c3d81449af | Firefox Installer.exe | Win32/TrojanDropper.Agent.RUI
c2eb1033bc01ab0fd732a7ba4967be02c0690bf0 | 20170905-Evaluation Table.xls.exe | Win32/TrojanDropper.Agent.RUI
d35695f2366a43628231e73ffa83ca106306a8fa | CV_LeHoangThing.doc.exe | Win32/TrojanDropper.Agent.RUI
fe0161fb8a26a0bf4afad746c7ebf89499dcd3a7 | Chi tiet don khieu nai gui saigontel.exe | Win32/TrojanDropper.Agent.RUI
032ef58b7978d079287874044dc516af624ae5f5 | Mi17 Technical issues - Phonesack Grp.exe | Win32/TrojanDropper.Agent.RUI
2a387d7d47a63d6e47d9cc92d3dc69a53816c2c0 | Sorchornor_with_PM_-_Sep_2017.exe | Win32/TrojanDropper.Agent.RUI
7105caa6d4fd8a2c67523d385277528e556ae4f6 | Updated AF MOD contract - Jan 2018.exe | Win32/TrojanDropper.Agent.RUI
f96bcd875836da89800912de1e557891697c7cf4 | remove_pw_Reschedule of CISD Regular Meeting.exe | Win32/TrojanDropper.Agent.RUI

Sideloaded libraries

SHA1 | Filename | ESET Detection name
82e579bd49d69845133c9aa8585f8bd26736437b | rastls.dll | Win32/Salgorea.BD
202fb56edb2fb542e05c845d62ffbdcfbebed9ec | McUtil.dll | Win32/Korplug.MK

Network

IP addresses


Domains


OceanLotus WateringHole 2018 Indicators of Compromise

The blog post about this watering hole campaign is available on WeLiveSecurity at https://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/.

Network

Compromised website | 1st stage domain | 1st stage IP | 2nd stage domain | 2nd stage IP
baotgm[.]net | arabica.podzone[.]net | 178.128.103.24 | 10cm.mypets[.]ws | 178.128.100.189
cnrp7[.]org | utagscript[.]com | 206.189.88.50 | optnmstri[.]com | 159.65.134.146
conggiaovietnam[.]net | lcontacts.servebbs[.]net | 178.128.219.207 | imgincapsula[.]com | 209.97.164.158
daichungvienvinhthanh[.]com | sskimresources[.]com | 178.128.90.102 | secure-imrworldwide[.]com | 178.128.90.109
danchimviet[.]info | wfpscripts.homeunix[.]com | 178.128.223.102 | cdn-ampproject[.]com | 178.128.24.201
danviet[.]vn | cdnscr.thruhere[.]net | 178.128.98.139 | io.blogsite[.]org | 178.128.98.89
danviethouston[.]com | your-ip.getmyip[.]com | 178.128.103.74 | Unknown | Unknown
fvpoc[.]org | gui.dnsdojo[.]net | 178.128.28.93 | cdnazure[.]com | 209.97.164.96
gardencityclub[.]com | figbc.knowsitall[.]info | 178.128.103.207 | ichefbcci.is-a-chef[.]com | 206.189.85.162
lienketqnhn[.]org | tips-renew.webhop[.]info | 159.65.7.45 | cyhire.cechire[.]com | 178.128.103.79
mfaic.gov[.]kh | tcog.thruhere[.]net | 178.128.107.83 | weblink.selfip[.]info | 178.128.103.202
mfaic.gov[.]kh | s0-2mdn[.]net | 104.248.144.178 | p-typekit[.]com | 104.248.144.136
mod.gov[.]kh | static.tagscdn[.]com | 206.189.95.214 | pagefairjs[.]com | 159.65.137.109
mtgvinh[.]net | metacachecdn[.]com | 178.128.209.153 | bootstraplink[.]com | 159.65.129.241
nguoitieudung.com[.]vn | s-adroll[.]com | 128.199.159.127 | player-cnevids[.]com | 128.199.159.60
phnompenhpost[.]com | tiwimg[.]com | 206.189.89.121 | tiqqcdn[.]com | 206.189.47.116
raovatcalitoday[.]com | widgets-wp[.]com | 178.128.90.107 | cdn-tynt[.]com | 142.93.75.192
thongtinchongphandong[.]com | lb-web-stat[.]com | 159.65.128.57 | benchtag2[.]com | 178.128.90.108
tinkhongle[.]com | cdn1.shacknet[.]us | 142.93.127.120 | scdn-cxense[.]com | 142.93.75.161
toithichdoc.blogspot[.]com | assets-cdn.blogdns[.]net | 178.128.28.89 | cart.gotdns[.]com | 206.189.145.242
trieudaiviet[.]com | html5.endofinternet[.]net | 178.128.90.182 | effecto-azureedge[.]net | 142.93.71.92
triviet[.]news | ds-aksb-a.likescandy[.]com | 159.65.137.144 | labs-apnic[.]net | 178.128.90.138
Unknown | nav.neat-url[.]com | 142.93.116.157 | straits-times.is-an-actor[.]com | 178.128.90.66
Unknown | pixel1.dnsalias[.]net | 142.93.116.157 | ad-appier[.]com | 178.128.90.66
Unknown | trc.webhop[.]net | 178.128.90.223 | static-addtoany[.]com | 142.93.75.172

File

Description | SHA-1 | SHA-256 | Detection name
First stage script | 2194271C7991D60AE82436129D7F25C0A689050A | 1EDA0DE280713470878C399D3FB6C331BA0FADD0BD9802ED98AE06218A17F3F7 | JS/Agent.NYQ
Second stage script | 996D0AC930D2CDB16EF96EDC27D9D1AFC2D89CA8 | 8B824BE52DE7A8723124BAD5A45664C574D6E905F300C35719F1E6988887BD62 | JS/Agent.NYR