Die Analysten von Blackberry Cylance beschrieben APT32 (aka OceanLotus, CobaltKitty, SeaLotus, APT-C-00) Gruppe Waffen.
icht is worth reminding this group attacks mainly foreign companies that invest in the development of production in Vietnam. Die wichtigsten Industriezweige sind Handel, Beratung und Gastgewerbe Nach Angaben Sicherheitsspezialisten, APT32 handelt im Interesse der vietnamesischen Regierung, and attacks can be carried out to gather information for law enforcement agencies.A experts’ report describes in detail a tool that was previously unknown to researchers – RAT Ratsnif (the researchers studied its four versions). The earliest version of the malware dates 2016. Offenbar, at that time malware was still at the debugging stage. The newest version was created in August 2018.
“The trojans, under active development since 2016, combine capabilities like packet sniffing, gateway/device ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing”, — say researchers from Blackberry Cylance.
Experten beachten Sie, dass, unlike earlier versions, the most recent version of Ratsnif no longer has the hard-coded addresses of the control servers in the code and delegates all the communications to malware, which is also installed in the victim’s system. In Ergänzung, this is the first version in which there is a configuration file, as well as a number of new functions that increase the effectiveness of the malware: HTTP injecting, protocol parsing, and interference with SSL.
Zur selben Zeit, Blackberry Cylance analysts note that Ratsnif can hardly be called a work of cyber-spy art. The fact is that a large part of the malware code was borrowed from open sources, and the overall quality of the development is evaluated by experts as low: during the analysis, a bug was detected in the malware code related to the violation of memory reading.
“Ratsnif is an intriguing discovery, considering the length of time it remained undetected, likely due to limited deployment. It offers a rare glimpse on two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes”, — report specialists from Blackberry Cylance.
Zur selben Zeit, nach Ansicht der Forscher, Ratsnif does not meet rather high standards of usual OceanLotus malware.
