APT32 Utilizes GitHub to Target Security Teams and Enterprise Networks

The Southeast Asian Advanced Persistent Threat (APT) group OceanLotus, also known as APT32, has been found to have used GitHub as part of a sophisticated poisoning attack targeting Chinese cybersecurity professionals. The ThreatBook Research and Response Team analyzed the incident in detail: the malicious code began spreading in mid-September 2024 and was aimed at several sectors of Chinese industry.

In a clever and novel approach, the attackers embedded a malicious .suo file within a Visual Studio project, which would execute upon compilation. The tactic shows OceanLotus turning development tools against the very experts who use them: Visual Studio normally loads a .suo file automatically when a project is opened, so the embedded malicious code could run without any action by the user and then delete itself to evade detection.

Posing as a security researcher from a well-known Chinese FinTech company, the attacker created a GitHub account named 0xjiefeng in October 2024. The account forked several security tool projects and published builds containing backdoored Cobalt Strike plugins, luring members of the Chinese cybersecurity community with the false promise of improved tooling.

ThreatBook identified key Indicators of Compromise (IOCs) for detection: the GitHub account 0xjiefeng, the malicious files TraceIndexer.exe and TTDReplay.dll in C:\Users\Public\TTDIndexerX64\, autostart registry entries, C2 communication over the Notion API, and the IP addresses and ports of multiple C2 servers. The malicious code spread widely within China's cybersecurity community, as various blogs and platforms unknowingly reshared the backdoored projects and amplified the attack's reach.
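A host-side hunt for the indicators listed above, added here as an example and not taken from ThreatBook's report or this article. The staging directory and file names are the ones the article gives; the registry value names are not, so the autostart check flags any Run/RunOnce value that references the staging directory, and $RepoRoot (where cloned repositories are checked for a shipped .suo file) is an assumed parameter.

```powershell
# Added example: hunt for the OceanLotus/APT32 indicators named in the article.
# Staging directory and file names come from the article; registry value names
# are not given there, so the Run-key check matches any autostart value that
# references the staging directory. $RepoRoot is an assumed parameter.
param([string]$RepoRoot = "$env:USERPROFILE\source\repos")

$stagingDir = 'C:\Users\Public\TTDIndexerX64'
$iocFiles   = @('TraceIndexer.exe', 'TTDReplay.dll')
$runKeys    = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Payload files dropped into the shared Public profile
foreach ($name in $iocFiles) {
    $path = Join-Path $stagingDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{ Check = 'IOC file'; Location = $path; Detail = "SHA256 $hash" })
    }
}

# 2. Autostart values that point into the staging directory
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not autorun values
        if ("$($prop.Value)" -like '*TTDIndexerX64*') {
            $findings.Add([pscustomobject]@{ Check = 'Autorun'; Location = "$key\$($prop.Name)"; Detail = $prop.Value })
        }
    }
}

# 3. .suo files that arrived with a clone. Visual Studio keeps .suo as local user
#    state under the hidden .vs folder and it is normally git-ignored, so one
#    present in a fresh clone deserves a look before the solution is opened.
if (Test-Path -LiteralPath $RepoRoot) {
    Get-ChildItem -LiteralPath $RepoRoot -Recurse -Force -Filter '*.suo' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Check = 'Shipped .suo'; Location = $_.FullName; Detail = "$($_.Length) bytes" })
        }
}

if ($findings.Count -eq 0) { 'No indicators from this campaign found.' }
else { $findings | Format-Table -AutoSize }
```

Run it elevated so the HKLM keys and the Public profile are readable; a hit on any check is a reason to isolate the host and pull the file hashes and C2 addresses from ThreatBook's full IOC list before cleanup.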

The attacker used machine translation to write Chinese descriptions and instructions, making the bait more convincing to the intended audience. The attack exploited not only GitHub's credibility as a home for open-source code but also the trust placed in common development environments such as Visual Studio. By hiding malicious code in project settings that the IDE loads automatically, the attackers gained remote control and the ability to steal information, chiefly from large technology enterprises and cybersecurity research groups in China.

This incident serves as a poignant reminder of the evolving cyber threat landscape, where even tools intended for enhancement and protection can be weaponized by state-sponsored actors. Cybersecurity professionals and organizations are cautioned to remain vigilant, update their systems and tools, and incorporate robust threat detection mechanisms like those offered by ThreatBook to thwart similar sophisticated attacks.

It is crucial for the cybersecurity community to continually adapt and strengthen its defenses against such advanced threats. By staying informed and proactive, organizations and professionals can better protect themselves against malicious actors seeking to exploit vulnerabilities for their own gain.
