OceanLotus APT Uses New Ratsnif Trojan for Network Attacks

A fairly undetected remote access trojan called Ratsnif and used in cyber-espionage campaigns from the OceanLotus group has gained new capabilities that allow it to modify web pages and SSL hijacking.

OceanLotus is a threat actor group believed to act in the interest of the Vietnamese state for espionage operations.

Also known as APT32, CobaltKitty, SeaLotus, and APT-C-00 in the infosec community, the hackers typically combine unique malware with commercially-available tools, like Cobalt Strike.

Debug build compiled in 2016

Researchers at Blackberry Cylance analyzed four variants of the Ratsnif RAT family that show it evolve from a debug build to a release version with features like packet sniffing, ARP poisoning, DNS and MAC spoofing, HTTP redirection and injection, SSL hijacking, and setting up remote shell access.

The first three versions Cylance saw had a compilation date from 2016, while the latest one, also reported by Macnica Networks, was from August 2018.

The oldest version of Ratsnif observed by the researchers appears to be a debug build that was compiled on August 5, 2016; the domain for its command and control (C2) server was activated the same day.

Less than a day later, a new version with minor changes was compiled. Both these samples were tested for detection against the antivirus engines present on VirusTotal service at the time.

A third development, with a compilation date September 13, 2016, was very similar in functionality with the previous two and the researchers believe it was "one of the earlier Ratsnifs to be deployed by OceanLotus in-the-wild."

It did not have all the features of the latest strain but it could set up a remote shell and serve for ARP poisoning (to route traffic through the Ratsnif), DNS spoofing, and HTTP redirection.

Its initial steps are to collect system information (username, computer name, workstation configuration, Windows system directory, and network adapter information) and deliver it to the C2.

Cylance analysts saw two hardcoded addresses for the C2, although only one seemed to have been active.

Bug found in newer version

The fourth Ratsnif sample analyzed no longer came with a list of C2 servers and delegated communication to a different piece of malware deployed on the victim host.

It is also the first version to introduce a configuration file and to extend the set of features to make it more efficient: HTTP injection, protocol parsing, and SSL hijacking with separately supplied SSL certificates.

Decrypting the traffic is possible by using version 3.11 of the wolfSSL library, formerly known as CyaSSL.

The configuration file is not protected in any special way; it's just a text file encoded in Base64 with a parameter on its own line.

The researchers also noticed that Ratsnif had a bug that caused a memory read violation when parsing a specific parameter ("dwn_ip'). What happens is that the value is passed as a string and it should be passed as a pointer to a string.

"Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file, the 2018 variant employs multiple sniffer classes for harvesting sensitive information from packets. This will minimize the amount of data the attacker has to collect, exfiltrate and process, and also reveals what information the attacker is interested in," reads the analysis.

Cylance experts conclude that Ratsnif is an intriguing discovery because it managed to stay under the radar for so long; an explanation could be its limited deployment.

However, after two years of apparent development, the effort failed to deliver a good quality product. "Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware," state the researchers.