Lotus Blossom Continues ASEAN Targeting

KevinStear1 (Employee)
2018-02-13 10:54 AM

During the last weeks of January 2018, nation-state actors from Lotus Blossom conducted a targeted malspam campaign against Association of Southeast Asian Nations (ASEAN) countries. Coming just months after the APT32 watering-hole activity against ASEAN-related websites observed in fall 2017, this new activity indicates that ASEAN clearly remains a priority collection target in the region. The new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Ministers' Meeting (ADMM) directory (the decoy) that also carries an executable embedded as an OLE object (the payload): the Elise backdoor.

[Figure: post-detonate-decoy.png]

The Elise backdoor is not new malware and has been thoroughly analyzed in the past by industry researchers (e.g., Palo Alto Unit 42's 2015 report) and more recently by Volexity and Accenture. Each of these is a valuable resource for understanding the Elise malcode, its infection process, and the known capabilities of the backdoor. In addition, an ANY.RUN playback of our observed Elise infection is also available.

When the Word document is opened, the embedded file exploits CVE-2017-11882 to drop a malicious DLL posing as the Norton Security shell extension module, 'NavShExt.dll', which is then injected into iexplore.exe to install the backdoor, begin collection, and activate command and control (C2).


Moving through the infection process, NetWitness Endpoint detects the initial exploit (CVE-2017-11882) in action as the Microsoft Equation Editor process, 'EQNEDT32.exe', scores high for potentially malicious activity. The same process was also flagged in our ANY.RUN playback.

[Figures: elise_post-detonate-NWE-scan.png, elise_cve-2017-11882.png]

The malware then spawns an instance of 'iexplore.exe' and injects 'NavShExt.dll' into that process.

[Figures: elise_NavShExt.dll.png, elise_files-tab.png]

While this is happening, the malware establishes persistence by creating an autorun entry in the registry, and it also creates 'thumbcache_1CD60.db' under 'Users\admin\AppData\Local\Microsoft\Windows\Explorer\' to store harvested data.
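As an added illustration of how the endpoint stages just described (Equation Editor exploit, NavShExt.dll drop, injection into iexplore.exe, Run-key persistence) can be correlated from process, file and registry telemetry; this is example code, not NetWitness Endpoint's own detection logic, and the event format, paths and PIDs are assumptions with constructed sample events:

```python
"""Correlate constructed endpoint events into the Elise infection chain (added example, not
NetWitness Endpoint code). Event shapes, paths and PIDs are assumptions built to mirror the chain
in the post: Equation Editor exploit -> NavShExt.dll dropped -> injected into iexplore.exe -> Run key."""
import ntpath

CHAIN = {"equation_editor_child", "fake_navshext_drop", "iexplore_injection", "run_key_persistence"}

def _base(path):
    return ntpath.basename(path).lower()

def find_elise_chain(events):
    """Return (ordered detections, True if every stage of the chain was seen)."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}  # pid -> image path
    hits = []
    for e in events:
        t = e["type"]
        # Equation Editor rarely has a legitimate reason to spawn children; a child is the CVE-2017-11882 pattern.
        if t == "process" and _base(images.get(e["ppid"], "")) == "eqnedt32.exe":
            hits.append(("equation_editor_child", _base(e["image"])))
        # The real Norton shell extension lives under Program Files, not the user profile.
        elif t == "file_write" and _base(e["path"]) == "navshext.dll" and "\\appdata\\" in e["path"].lower():
            hits.append(("fake_navshext_drop", e["path"]))
        # A module pushed into Internet Explorer from another process.
        elif t == "inject" and _base(images.get(e["target_pid"], "")) == "iexplore.exe":
            hits.append(("iexplore_injection", _base(e["module"])))
        # Run-key autorun whose command points into the user profile.
        elif t == "registry" and e["key"].lower().endswith("\\currentversion\\run") and "\\appdata\\" in e["value"].lower():
            hits.append(("run_key_persistence", e["value"]))
    return hits, CHAIN <= {name for name, _ in hits}

SAMPLE_EVENTS = [  # constructed telemetry; paths and PIDs are illustrative
    {"type": "process", "pid": 100, "ppid": 10, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\admin\AppData\Local\Temp\NavShExt.dll"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "inject", "pid": 200, "target_pid": 300, "module": r"C:\Users\admin\AppData\Local\Temp\NavShExt.dll"},
    {"type": "registry", "pid": 300, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\admin\AppData\Local\Temp\NavShExt.dll"},
    {"type": "process", "pid": 400, "ppid": 10, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "registry", "pid": 400, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\OneDrive\OneDrive.exe"},
]
```

Each rule fires on its own, so a partial chain still surfaces the individual stages; the boolean only reports whether all four were seen together.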

[Figures: elise_autorun.png, elise_thumbcache.png]

As the infection process completes, we observe Elise network activity (e.g., exfiltration of victim data and C2) through a conveniently hidden instance of Internet Explorer.

[Figure: elise_processhacker.png]

This traffic was also observed in NetWitness Packets: the malware verifies the host's IP address before kicking off C2 to 103.236.150[.]14, which is likely compromised infrastructure.

[Figures: elise-firstrun-network.png, elise-firstrun-session.png, elise-firstrun-meta.png]

Take note of the cookie set in this HTTP POST, because Lotus Blossom actors go to significant lengths to protect this data with both Base64 encoding and AES encryption. The actual Elise C2 is carried in the cookie value and, rarely, in the body content.

[Figures: elise_cookie_encryption.png, elise_cookie_encoding.png]

Other infections from the identical payload each generated their own decoy domain to populate the Host header, but in every case the traffic went to the same hard-coded IP address, 103.236.150[.]14.
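An added example, not NetWitness code, that checks constructed HTTP session records for the two network traits described above: a POST carrying a Base64-wrapped, encrypted-looking cookie, and a single hard-coded IP reached under several different decoy Host headers. The record field names and the decoy domains are assumptions; the IP is the one reported in this post.

```python
"""Flag Elise-style C2 sessions in constructed HTTP session records (added example, not NetWitness code).
Field names and sample sessions are assumptions; the destination IP is the hard-coded C2 address
reported in the post, and the Host-header domains are constructed placeholders."""
import base64, binascii, math, re
from collections import defaultdict

ELISE_C2_IP = "103.236.150.14"          # hard-coded C2 IP from the post
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def cookie_looks_encrypted(value, min_len=32, min_entropy=4.0):
    """True if the cookie is valid Base64 whose decoded bytes are high-entropy and mostly
    non-printable, i.e. what a Base64-wrapped AES ciphertext looks like and a normal cookie does not."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    counts = defaultdict(int)
    for b in raw:
        counts[b] += 1
    entropy = -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values())
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    return entropy >= min_entropy and printable < 0.8

def analyze_sessions(sessions):
    """Return (indices of POSTs carrying an encrypted-looking cookie, {dst_ip: hosts} for IPs
    reached under more than one Host header): the two C2 traits described in the post."""
    hosts_by_ip, flagged = defaultdict(set), []
    for i, s in enumerate(sessions):
        hosts_by_ip[s["dst_ip"]].add(s["host"])
        if s["method"] == "POST" and cookie_looks_encrypted(s.get("cookie", "")):
            flagged.append(i)
    shared = {ip: sorted(hs) for ip, hs in hosts_by_ip.items() if len(hs) > 1}
    return flagged, shared

# Constructed stand-in for a Base64-wrapped ciphertext (48 distinct byte values, low printability).
FAKE_CIPHERTEXT_COOKIE = base64.b64encode(bytes(range(48))).decode()
BENIGN_COOKIE = base64.b64encode(b"user=admin;lang=en-US;theme=dark").decode()

SAMPLE_SESSIONS = [  # constructed: three Elise check-ins under different decoy hosts, one benign POST
    {"dst_ip": ELISE_C2_IP, "host": "decoy-a.invalid", "method": "POST", "cookie": FAKE_CIPHERTEXT_COOKIE},
    {"dst_ip": ELISE_C2_IP, "host": "decoy-b.invalid", "method": "POST", "cookie": FAKE_CIPHERTEXT_COOKIE},
    {"dst_ip": ELISE_C2_IP, "host": "decoy-c.invalid", "method": "POST", "cookie": FAKE_CIPHERTEXT_COOKIE},
    {"dst_ip": "192.0.2.10", "host": "www.example.com", "method": "POST", "cookie": BENIGN_COOKIE},
]
```

The entropy and printability thresholds are starting points; a Base64 cookie that decodes to readable text (the benign sample) stays quiet, while any IP that collects more than one Host header is reported regardless of the cookie check.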

[Figures: elise_spoof_domains1.png, elise_spoof_domains2.png]

After our Elise infection had run for about a day, we were visited by the threat actor.  While it's unclear exactly what the actor may have been looking for, our infected (sandboxed) machine was not it and the backdoor was deleted.

[Figure: actor-deleting-Elise-Trojan.png]

Based on both previous activity and this current Lotus Blossom campaign, it is clear that we are witnessing the continued rise of cyber tradecraft and activity from nation-states in the Southeast Asian theater.


Thanks to Kent Backman, Justin Lamarre, and Ahmed Sonbol for their assistance with this research.


The following samples were used for this analysis:

  • Malicious RTF Dropper (SHA256): d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411
  • NavShExt.dll (SHA256): 6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79

