Engage Report: APT32 GitHub Poisoning Attack

Subject: Engage Report: APT32 GitHub Poisoning Attack

Tactics: TA0001 Initial Access

Technique: T1195 Supply Chain Compromise

Procedure:

  1. The attacker, suspected to be the OceanLotus group (APT32), created a GitHub account and disguised it as a security researcher from a leading Chinese FinTech company.
  2. The attacker forked various security tool projects on their homepage to reduce victims’ vigilance.
  3. The attacker published two malicious poisoning projects, containing plugins for Cobalt Strike (a red team tool widely used in the Chinese security community) that advertised new exploit functions.
  4. The attacker embedded a malicious .suo file into a Visual Studio project.
  5. When the victim compiles the Visual Studio project, the Trojan will execute automatically.

Vulnerability:

  • EAV0011 When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities.
  • EAV0013 When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.

Engagement Opportunity:

  • Educate developers about the risks of using third-party libraries and tools and the importance of verifying the integrity of these resources before incorporating them into their projects.
  • Implement code review processes to detect potentially malicious code or vulnerabilities in software projects.
  • Utilize security tools, such as static and dynamic analysis software, to identify potential threats in software projects.

Threat Actor: OceanLotus (APT32)

Threat Objective:

Gain remote control of victims’ devices and steal sensitive information.

Deception Opportunity:

  • Create honeypot GitHub repositories with enticing security tools or projects to attract attackers and gather intelligence on their TTPs.
  • Seed fake software dependencies or development tools with deceptive functionalities to mislead attackers and disrupt their operations.

Sensor Data Placement: Kernel-Mode

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

Detecting the execution of malicious code through Visual Studio’s automatic loading of the .suo file requires monitoring kernel-level events and identifying specific behaviors that are core to the technique, such as the creation and execution of the malicious .suo file and the subsequent loading of malicious code into the Visual Studio process.
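As an added illustration that is not part of this report, the sketch below correlates the two telemetry signals the rationale names: a .suo file that was written into a project by something other than Visual Studio itself (it arrived with the clone), followed on the same host by the Visual Studio process (devenv.exe) spawning a shell or script host, which a normal open or build has no reason to do. The Sysmon-style field names, the devenv.exe path, the .vs\...\.suo layout and the sample events are assumptions constructed for the example.

```python
# Added example (not from the report): correlate two Sysmon-style signals per host.
#  - EventID 11 FileCreate: a .suo written by a process other than devenv.exe
#  - EventID 1 ProcessCreate: devenv.exe spawning a shell/script host
# devenv.exe, the .vs\...\.suo layout and the sample events are assumptions.
from datetime import datetime, timedelta
from ntpath import basename  # handles Windows paths on any platform

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WINDOW = timedelta(hours=1)  # assumed max gap between clone and first open/build

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def foreign_suo_writes(events):
    """.suo files created by something other than Visual Studio itself."""
    return [e for e in events if e["EventID"] == 11
            and e["TargetFilename"].lower().endswith(".suo")
            and basename(e["Image"]).lower() != "devenv.exe"]

def suspicious_devenv_children(events):
    """Shell or script-host processes whose parent is devenv.exe."""
    return [e for e in events if e["EventID"] == 1
            and basename(e["ParentImage"]).lower() == "devenv.exe"
            and basename(e["Image"]).lower() in SCRIPT_HOSTS]

def find_suo_chains(events):
    """Pair each suspicious devenv child with a foreign .suo written shortly before on the same host."""
    hits = []
    for child in suspicious_devenv_children(events):
        for suo in foreign_suo_writes(events):
            if suo["Computer"] == child["Computer"] and \
                    _t(suo["UtcTime"]) <= _t(child["UtcTime"]) <= _t(suo["UtcTime"]) + WINDOW:
                hits.append({"host": child["Computer"], "suo": suo["TargetFilename"],
                             "written_by": basename(suo["Image"]).lower(),
                             "child": basename(child["Image"]).lower(), "cmdline": child["CommandLine"]})
    return hits

DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real host
    {"EventID": 11, "Computer": "DEV01", "UtcTime": "2024-01-10 09:00:00",
     "Image": r"C:\Program Files\Git\cmd\git.exe",          # .suo cloned in with the repo
     "TargetFilename": r"C:\src\CSPlugin\.vs\CSPlugin\v17\.suo"},
    {"EventID": 1, "Computer": "DEV01", "UtcTime": "2024-01-10 09:02:00", "ParentImage": DEVENV,
     "Image": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe", "CommandLine": "MSBuild.exe CSPlugin.sln"},
    {"EventID": 1, "Computer": "DEV01", "UtcTime": "2024-01-10 09:02:05", "ParentImage": DEVENV,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c placeholder.bat"},
    {"EventID": 11, "Computer": "DEV02", "UtcTime": "2024-01-10 10:00:00", "Image": DEVENV,
     "TargetFilename": r"C:\src\Other\.vs\Other\v17\.suo"},   # VS's own routine .suo write
]
```

Running `find_suo_chains(SAMPLE_EVENTS)` reports only the DEV01 chain: the MSBuild child is a normal build step, and the DEV02 .suo was written by devenv.exe itself.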

Link to Report:

Link to Report II.:

Additional Comments:

The novel technique of embedding malicious .suo files into Visual Studio projects highlights the evolving threat landscape and the importance of staying vigilant against advanced persistent threats like OceanLotus.

Possible elements:

MSG (Pseudocode):

T1195.001 - Compromise Software Dependencies and Development Tools

Implementations:

  • GitHub Account Disguise
  • Forking Security Tool Projects
  • Malicious Poisoning Projects
  • Embedding Malicious .suo File
  • Automatic Trojan Execution

Observables:

  • GitHub Account Activity (Level 2: Core to Adversary-Brought Tool or Outside Boundary). Rationale: Creating and maintaining a fake GitHub account is core to the attacker's toolset and operations outside the victim's environment.
  • Forking Activity (Level 3: Core to Pre-Existing Tool or Inside Boundary). Rationale: Forking security tool projects leverages a pre-existing functionality of GitHub but can be monitored for suspicious patterns.
  • Malicious Projects (Level 4: Core to Some Implementations of (Sub-)Technique). Rationale: Publishing malicious projects is core to this specific implementation but may not be present in all instances of compromising software dependencies.
  • .suo File Analysis (Level 5: Core to Sub-Technique or Technique). Rationale: The presence and execution of the malicious .suo file is a key indicator of this specific sub-technique.
  • Trojan Execution (Level 3: Core to Pre-Existing Tool or Inside Boundary). Rationale: The execution of the Trojan leverages the pre-existing functionality of Visual Studio but can be monitored for suspicious processes.

Notes:

  • Defenders should focus on monitoring GitHub activity, analyzing forked projects, and implementing security measures within development environments.
  • Deception opportunities can be created by setting up honeypot repositories and seeding deceptive dependencies.