OceanLotus adopts public exploit code to abuse Microsoft Office software

silversurfer

The OceanLotus hacking group is back with a new campaign in 2019 complete with new exploits, decoys, and self-extracting malicious archives.

Also known as APT32, SeaLotus, APT-C-00, and Cobalt Kitty, OceanLotus is a hacking group which operates across Asia and focuses on gathering valuable intel on corporate, government, and political entities across Vietnam, the Philippines, Laos, and Cambodia.

Human rights outfits, the media, research institutes, and maritime construction firms are the hackers' preferred targets and past attacks against these types of organizations have been linked to their campaigns.

The threat actors have been leveraging new tactics this year. ESET researchers said in a blog post on Wednesday that of particular interest is the use of publicly-available exploits for a memory corruption vulnerability present in Microsoft Office, CVE-2017-11882, which has been tailored for use in OceanLotus phishing attempts.

OceanLotus begins its infection journey through the use of fraudulent documents and phishing messages that victims find "appealing," according to the team. During phishing, the threat group may also make use of "decoy" documents and images, sent alongside malicious files, to further disguise their true intentions.

These include messages and documents relating to media contact information, rallies, and political events. If a victim is duped and both opens up a malicious file and enables macros, this installs a backdoor capable of surveillance and data exfiltration.
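The infection chain described above combines two delivery traits: an embedded Equation Editor object (the Microsoft Office component affected by CVE-2017-11882) and VBA macros that the victim must enable. The following triage script is an added example, not code from the article, ESET, or the forum posts. It searches raw attachment bytes for well-known markers of those two traits and classifies the file for analyst review. Assumptions: the Equation Editor ProgID `Equation.3`, its COM CLSID `0002CE02-0000-0000-C000-000000000046`, the `Equation Native` OLE stream name and the `_VBA_PROJECT` / `vbaProject.bin` macro container names are the standard identifiers for those components; the sample documents are constructed inline and are not real campaign files.

```python
"""Byte-level triage of Office/RTF attachments for Equation Editor objects and VBA macros.

Added example, not from the original page. It does not parse OLE or OOXML
structures; it looks for known identifiers in the raw bytes, so a hit means
"review this file", not "this file is malicious" (old legitimate documents can
carry Equation Editor objects too).
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field


def _guid_le(guid: str) -> bytes:
    """Encode a textual GUID in the mixed-endian 16-byte layout used in OLE directory entries."""
    a, b, c, d, e = guid.split("-")
    return struct.pack("<IHH", int(a, 16), int(b, 16), int(c, 16)) + bytes.fromhex(d + e)


# CLSID of the legacy Equation Editor COM object (assumed standard identifier).
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"

# Markers for an embedded Equation Editor object. OLE stream names are stored
# as UTF-16LE inside the compound file, so they are encoded accordingly.
EQUATION_MARKERS = {
    "rtf_objclass_equation": b"Equation.3",
    "ole_equation_clsid": _guid_le(EQUATION_CLSID),
    "ole_equation_native_stream": "Equation Native".encode("utf-16-le"),
}

# Markers for VBA macro storage in OOXML (zip entry name) and legacy OLE documents.
MACRO_MARKERS = {
    "ooxml_vba_project": b"vbaProject.bin",
    "ole_vba_project_stream": "_VBA_PROJECT".encode("utf-16-le"),
}


@dataclass
class TriageResult:
    container: str
    equation_hits: list[str] = field(default_factory=list)
    macro_hits: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """Both traits together match the described lure; either alone warrants review."""
        if self.equation_hits and self.macro_hits:
            return "high"
        if self.equation_hits or self.macro_hits:
            return "review"
        return "clean"


def detect_container(data: bytes) -> str:
    """Identify the outer file format from its magic bytes."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"
    return "unknown"


def triage_document(data: bytes) -> TriageResult:
    """Scan a document's bytes for Equation Editor and macro markers."""
    result = TriageResult(container=detect_container(data))
    for name, marker in EQUATION_MARKERS.items():
        if marker in data:
            result.equation_hits.append(name)
    for name, marker in MACRO_MARKERS.items():
        if marker in data:
            result.macro_hits.append(name)
    return result


# Constructed sample inputs (not real documents): minimal byte strings that
# carry only the headers and markers this scanner cares about.
SAMPLES = {
    "benign_rtf": b"{\\rtf1\\ansi Meeting agenda for Friday.}",
    "rtf_with_equation_object": (
        b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
        b"{\\*\\objdata 0105000002000000}}}"
    ),
    "ole_with_equation_and_macros": (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
        + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8
        + _guid_le(EQUATION_CLSID)
    ),
    "ooxml_with_macros": b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin",
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        r = triage_document(blob)
        print(f"{label:32} {r.container:10} {r.verdict:7} eq={r.equation_hits} vba={r.macro_hits}")
```

In a mail gateway or sandbox pipeline this would sit in front of a full parser (such as an OLE/RTF object extractor): files that return `high` or `review` are held for deeper inspection, and the `container` field tells the analyst which parser to reach for next.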
 

shmu26

the use of publicly-available exploits for a memory corruption vulnerability present in Microsoft Office, CVE-2017-11882,
So this is an unpatched vulnerability in most versions of MS Office?

So this is an unpatched vulnerability in most versions of MS Office?
To answer my own question, no. It was patched over a year ago.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
Hard to understand why high-value targets would be using unpatched, vulnerable software. I guess security awareness is pretty low in Southeast Asia.
 
