OceanLotus Targets APAC Countries with New Downloader

OceanLotus (APT32) has been targeting private-sector organizations across multiple industries, as well as foreign governments, to install a custom downloader known as KerrDown [1]. The initial infection vector for this campaign is unknown, but the group routinely runs spear-phishing and watering-hole attacks to trick users into opening macro-embedded Microsoft Office documents and RAR archives. In this campaign, the attached malicious file drops the KerrDown downloader, which retrieves a payload from a remote site and executes it in memory; the payload is a variant of Cobalt Strike, a commercial penetration-testing tool. Once running, Cobalt Strike can download and execute additional malware, harvest credentials, spy on the user and move laterally across the targeted network.
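The delivery stage described above (macro-embedded Office documents and RAR archives) is the point at which a mail gateway or SOC triage script gets its first look at the campaign. The following is an added example, not code from the original article or from the KerrDown research it summarizes: it classifies an attachment by its content rather than its extension, flagging OOXML packages that carry a vbaProject.bin part, RAR archives (RAR4 and RAR5 signatures) and legacy OLE2 containers that need stream-level macro inspection. The sample files are constructed in memory; the function and file names are illustrative.

```python
"""Attachment triage: classify a blob as a macro-enabled Office document,
a RAR archive, a legacy OLE2 container, a plain zip, or something else.

Added example; not part of the original article or the referenced report.
All sample files below are constructed in memory for demonstration.
"""
import io
import zipfile

# File signatures (magic bytes); the extension is attacker-controlled and ignored.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML is a zip package


def classify_attachment(data: bytes) -> str:
    """Return 'rar', 'ole2', 'ooxml-macro', 'ooxml-clean', 'zip' or 'other'."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office formats keep VBA in OLE streams rather than a
        # zip part; hand these to an OLE parser (e.g. olefile/oletools).
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"          # zip header without a valid central directory
        if "[Content_Types].xml" not in names:
            return "zip"            # a zip, but not an OOXML package
        # vbaProject.bin lives under word/, xl/ or ppt/; match case-insensitively
        # because the path is attacker-controlled.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    return "other"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Construct a zip that is not an Office package (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "not an office file")
    return buf.getvalue()


# Constructed samples; the names are illustrative and deliberately not trusted.
SAMPLES = {
    "invoice.docm": build_ooxml(with_macro=True),
    "report.docx": build_ooxml(with_macro=False),
    "archive.rar": RAR4_MAGIC + b"\x00" * 32,
    "legacy.doc": OLE2_MAGIC + b"\x00" * 32,
    "bundle.zip": build_plain_zip(),
    "notes.txt": b"hello",
}


def triage(samples: dict) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify_attachment(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

The verdicts are a triage signal, not a malware determination: a macro-bearing package or an archive still has to be detonated or inspected, and the legacy OLE2 branch only tells you where to look next. Content-based checks matter because the extension is chosen by the sender; a file renamed from .docm to .docx still carries its vbaProject.bin part.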

[1] Tracking OceanLotus’ New Downloader, KerrDown

