#APT 32 #OceanLotus #Torii #APT #IoT
C&C:
top.haletteompson[.]com threatbook.io/domain/top.hal…
eu-draytek[.]com threatbook.io/domain/eu-dray…
#CyberAttack #Trojans #malware #threatintelligence
APT Operation/Group Mid-2022 Summary Report
#Oceanlotus uses tinyPortMapper to forward traffic to a Cobalt Strike server, and new MIPS-architecture malware named 'Caja' was discovered on controlled devices (IoT/Linux).
github.com/blackorbird/AP…
#OceanLotus botnet : Torii/Caja
eu-draytek[.]com
top[.]haletteompson[.]com
mp.weixin.qq.com/s/v2wiJe-YPG0n…
mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0n…
If you were so unlucky as to miss our talk at #SASatHome on #PhantomLance relations with #OceanLotus, check out our public report:
securelist.com/apt-phantomlan…
#APT #cybercrime #ThreatIntelligence #ThreatHunting #APT 32
I share some #Oceanlotus IOC.
DeliveryInformation.doc, which has a zero-detection tag.
Please enjoy it.
docs.google.com/spreadsheets/d…
New IOC of #OceanLotus #APT discovered by our analyst. Keep tracking.
198[.]244[.]207[.]133
Check it out: threatbook.io/ip/198.244.207…
#ThreatHunting #ThreatIntelligence #threats #infosec #cybersecurity #cybercrime #SOC #CTI
Extracting the #OceanLotus #APT32 VBA project from the Web Archive File using #CyberChef
Sample used: 3510590280406fa30eda94b3ae39058d
First, we need to extract the ActiveMime (.mso) from the document. I've used Cerbero from Cerbero Labs and pasted the Base64 string into CyberChef.
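As an added example (not the poster's code and not derived from the sample above), the same extraction done offline in Python: walk the MIME parts of the Web Archive (.mht) file, base64-decode the ActiveMime part as the CyberChef "From Base64" step does, and inflate the embedded zlib stream to recover the OLE container that olevba or oledump can then parse for the VBA project. The MHTML input is constructed inline; the 0x32 start offset and the zlib-header probe are assumptions about the ActiveMime layout.

```python
import base64
import email
import zlib
from email import policy

ACTIVEMIME_MAGIC = b"ActiveMime"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # [MS-CFB] compound file header


def inflate_activemime(blob):
    """Return the OLE container inside an ActiveMime (.mso) blob, or None.

    Word-generated files usually place the zlib stream at offset 0x32 (assumption);
    as a fallback every plausible zlib header after the magic is probed."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    probes = [i for i in range(len(ACTIVEMIME_MAGIC), len(blob) - 1)
              if blob[i] == 0x78 and (blob[i] * 256 + blob[i + 1]) % 31 == 0]
    for off in [0x32] + probes:
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[off:])
        except zlib.error:
            continue
        if d.eof and data.startswith(OLE_MAGIC):
            return data
    return None


def extract_vba_ole(mhtml_bytes):
    """Decode each MIME part of a Web Archive file and inflate the first ActiveMime part."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 transfer encoding
        ole = inflate_activemime(payload)
        if ole is not None:
            return ole
    return None


# Constructed sample: a minimal MHTML document with one ActiveMime part
# (Word names it editdata.mso). This is a placeholder, not the OceanLotus sample.
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 24 + b"constructed VBA OLE placeholder"


def build_sample_mhtml():
    mso = ACTIVEMIME_MAGIC + b"\x00" * (0x32 - len(ACTIVEMIME_MAGIC)) + zlib.compress(SAMPLE_OLE)
    b64 = base64.encodebytes(mso).decode()
    return ("MIME-Version: 1.0\n"
            'Content-Type: multipart/related; boundary="----=_NextPart_01"\n\n'
            "------=_NextPart_01\nContent-Type: text/html\n\n<html>lure text</html>\n"
            "------=_NextPart_01\nContent-Location: file:///C:/doc_files/editdata.mso\n"
            "Content-Transfer-Encoding: base64\nContent-Type: application/x-mso\n\n"
            + b64 + "------=_NextPart_01--\n").encode()


if __name__ == "__main__":
    print(extract_vba_ole(build_sample_mhtml())[:8].hex())  # d0cf11e0a1b11ae1
```

Write the returned bytes to a file and feed it to olevba to list and dump the VBA modules.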