
OceanLotus Cybercriminal Group Uses New RAT Ratsnif

Analysts from Blackberry Cylance have described the arsenal of the APT32 group (also known as OceanLotus, CobaltKitty, SeaLotus and APT-C-00).

It is worth recalling that this group mainly attacks foreign companies that invest in developing production in Vietnam; the main target industries are retail, consulting and hospitality. According to information security specialists, APT32 acts in the interests of the Vietnamese government, and its attacks may be carried out to gather information for law enforcement agencies.

The experts' report describes in detail a tool that was previously unknown to researchers: the Ratsnif RAT (the researchers studied four of its versions). The earliest version of the malware dates from 2016; apparently, at that time it was still at the debugging stage. The newest version was created in August 2018.

"The trojans, under active development since 2016, combine capabilities like packet sniffing, gateway/device ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing," say researchers from Blackberry Cylance.

Experts note that, unlike earlier versions, the most recent version of Ratsnif no longer carries hard-coded control server addresses in its code; instead it delegates all communications to other malware that is also installed on the victim's system. In addition, this is the first version with a configuration file, as well as a number of new functions that increase the effectiveness of the malware: HTTP injection, protocol parsing, and interference with SSL.
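The ARP poisoning and MAC spoofing capabilities attributed to Ratsnif above leave a characteristic trace on the wire: an IP address (typically the gateway's) that is suddenly claimed by a second MAC address, or ARP replies whose Ethernet source does not match the sender hardware address inside the ARP payload. The following is an added illustration, written for this article and not taken from the Blackberry Cylance report or from the malware, of how a defender can parse raw ARP frames and flag both symptoms. The frames, addresses and the `ArpPoisonDetector` class are all constructed for the example; nothing here is tied to the real Ratsnif samples.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # Ethernet frame source MAC
    oper: int         # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address (SHA)
    sender_ip: str    # ARP sender protocol address (SPA)
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(_mac_str(eth_src), oper, _mac_str(sha), _ip_str(spa),
                     _mac_str(tha), _ip_str(tpa))


def build_arp_frame(eth_src: str, eth_dst: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an in-memory ARP frame; used here only to construct sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


class ArpPoisonDetector:
    """Tracks IP->MAC bindings seen in ARP replies and reports conflicts (hypothetical detector)."""

    def __init__(self, trusted: dict):
        self.trusted = dict(trusted)       # ip -> mac for the gateway / known devices
        self.bindings = dict(trusted)      # learned plus trusted bindings

    def observe(self, pkt: ArpPacket) -> list:
        alerts = []
        if pkt.oper != ARP_REPLY:          # requests are noisy and rarely the poison vector
            return alerts
        if pkt.eth_src != pkt.sender_mac:  # frame source disagrees with ARP payload: spoofing
            alerts.append(f"layer-2 mismatch: frame from {pkt.eth_src} carries ARP sender "
                          f"{pkt.sender_mac} for {pkt.sender_ip}")
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            kind = "trusted device" if pkt.sender_ip in self.trusted else "observed host"
            alerts.append(f"binding conflict: {pkt.sender_ip} ({kind}) was {known}, "
                          f"now claimed by {pkt.sender_mac}")
        return alerts


def run_demo() -> list:
    """Feed three constructed frames through the detector; returns the alerts raised."""
    gw_ip, gw_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_mac, victim_ip = "aa:bb:cc:00:00:42", "192.168.1.42"
    rogue_mac = "de:ad:be:ef:00:01"       # constructed value, not a real indicator
    frames = [
        # 1. legitimate reply from the gateway: no alert
        build_arp_frame(gw_mac, victim_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # 2. rogue host claims the gateway IP with its own MAC: binding conflict
        build_arp_frame(rogue_mac, victim_mac, ARP_REPLY, rogue_mac, gw_ip, victim_mac, victim_ip),
        # 3. rogue host forges the gateway MAC inside ARP but not in the frame: layer-2 mismatch
        build_arp_frame(rogue_mac, victim_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
    ]
    detector = ArpPoisonDetector({gw_ip: gw_mac})
    alerts = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            alerts.extend(detector.observe(pkt))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real network the trusted table would be seeded from DHCP leases or switch port security data, and the detector would read frames from a capture interface rather than from `build_arp_frame`; the two checks themselves (frame/payload MAC disagreement and a changing binding for a trusted IP) are the same ones switch features such as dynamic ARP inspection apply.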

At the same time, Blackberry Cylance analysts note that Ratsnif can hardly be called a work of cyber-espionage art. A large part of the malware's code was borrowed from open sources, and the experts rate the overall quality of the development as low: during the analysis they found a bug in the malware code that causes an invalid memory read.

"Ratsnif is an intriguing discovery, considering the length of time it remained undetected, likely due to limited deployment. It offers a rare glimpse on two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes," report specialists from Blackberry Cylance.

At the same time, according to the researchers, Ratsnif does not meet the rather high standard of OceanLotus's usual malware.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you.
