OceanLotus hackers injecting malware in Windows error report


According to the researchers, the fileless attack is being carried out by OceanLotus, the Vietnamese APT group also tracked as APT32.


Malwarebytes security researchers Jérôme Segura and Hossein Jazi have identified a new fileless attack method that abuses the Microsoft Windows Error Reporting (WER) service to inject its payload. The attack was discovered on September 17, 2020, but its details were made public only recently.


The duo claims that this new technique, which they dubbed the Kraken attack, could be the work of the Vietnamese group APT32, better known as OceanLotus and also tracked as SeaLotus, Cobalt Kitty, and APT-C-00.


This group is highly sophisticated and previously made headlines for several notorious campaigns including:


- PhantomLance – A malware that targeted Android users worldwide through Play Store apps.
- OSX_OCEANLOTUS.D – A macOS malware that aims at infecting devices with malicious macros.
- Toyota Motors breach – In April 2020, the group stole personal data of 3.1 million Toyota customers.


OceanLotus also used a phishing attack to lure victims with a similar worker compensation claim scam. In that incident, the attackers used the CactusTorch framework to carry out a fileless attack after compromising a website to host the payload.


Another reason to believe OceanLotus is involved is that the domains used to host the malicious archives and documents were registered in Ho Chi Minh City, Vietnam.


Segura and Jazi wrote in their