News

OceanLotus Cybercriminal Group Uses New RAT Ratsnif

Analysts from Blackberry Cylance described APT32 (aka OceanLotus, CobaltKitty, SeaLotus, APT-C-00) group weapons.

It is worth reminding this group attacks mainly foreign companies that invest in the development of production in Vietnam. The main industries are retailing, consulting and hospitality sector According to information security specialists, APT32 acts in the interests of the Vietnamese government, and attacks can be carried out to gather information for law enforcement agencies.

A experts’ report describes in detail a tool that was previously unknown to researchers – RAT Ratsnif (the researchers studied its four versions). The earliest version of the malware dates 2016. Apparently, at that time malware was still at the debugging stage. The newest version was created in August 2018.

“The trojans, under active development since 2016, combine capabilities like packet sniffing, gateway/device ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing”, — say researchers from Blackberry Cylance.

Experts note that, unlike earlier versions, the most recent version of Ratsnif no longer has the hard-coded addresses of the control servers in the code and delegates all the communications to malware, which is also installed in the victim’s system. In addition, this is the first version in which there is a configuration file, as well as a number of new functions that increase the effectiveness of the malware: HTTP injecting, protocol parsing, and interference with SSL.

At the same time, Blackberry Cylance analysts note that Ratsnif can hardly be called a work of cyber-spy art. The fact is that a large part of the malware code was borrowed from open sources, and the overall quality of the development is evaluated by experts as low: during the analysis, a bug was detected in the malware code related to the violation of memory reading.

“Ratsnif is an intriguing discovery, considering the length of time it remained undetected, likely due to limited deployment. It offers a rare glimpse on two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes”, — report specialists from Blackberry Cylance.

At the same time, according to researchers, Ratsnif does not meet rather high standards of usual OceanLotus malware.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-bhexusa.xyz Pop-up Ads

About News-bhexusa.xyz News-bhexusa.xyz pop-ups can not open out of nowhere. If you have clicked on…

1 hour ago

Remove News-bhupotu.xyz Pop-up Ads

About News-bhupotu.xyz News-bhupotu.xyz pop-ups can not launch out of the blue. If you have clicked…

2 hours ago

Remove News-bhocime.info Pop-up Ads

About News-bhocime.info News-bhocime.info pop-ups can not open out of the blue. If you have actually…

2 hours ago

Remove You-hub.online Pop-up Ads

About You-hub.online You-hub.online pop-ups can not launch out of nowhere. If you have clicked on…

2 hours ago

Remove News-bhecudu.live Pop-up Ads

About News-bhecudu.live News-bhecudu.live pop-ups can not introduce out of the blue. If you have clicked…

2 hours ago

Remove News-bhiciwe.today Pop-up Ads

About News-bhiciwe.today News-bhiciwe.today pop-ups can not introduce out of the blue. If you have clicked…

2 hours ago