A new watering hole campaign attributed to OceanLotus, a hacking group linked to the Vietnamese government, is believed to have been active since September 2018. It has compromised several websites, mostly in Vietnam and Cambodia, and is expanding across the region.
According to Volexity researchers, the hackers first set up fake websites and Facebook pages to lure victims towards malware. The most popular of these was a Facebook page with over 20,000 followers.
The attacks proceed in two stages: a web profiling framework running on the compromised media sites first gathers information about each visitor, and selected victims are then served malware designed to log their keystrokes.
“In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus’s neighbours throughout Southeast Asia. These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX,” Volexity researchers said.
This campaign is believed to be an evolution of what Volexity researchers called OceanLotus Framework B, a watering hole scheme they first documented in 2017.
Since those first incidents the hackers have moved to public key cryptography: the server's public key is used to exchange an AES session key, and that session key encrypts all further communication, so a security product that intercepts the traffic on the network cannot decrypt the final payload. They have also switched from plain HTTP to WebSocket to make the malicious traffic harder to spot.
To date, 21 websites have been compromised, including those of the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia, as well as several Vietnamese newspaper and blog sites. Visitors to each of these sites are redirected to a separate domain controlled by the hackers.
“This level of effort shows that OceanLotus will go to great lengths to extend its reach and find new ways to compromise individuals and organisations it has set its focus on,” Volexity researchers said.
Users at high risk of being targeted are advised to be particularly careful about the websites they visit, especially when a link to a site arrives by e-mail, chat, messaging service or even SMS.
“We recommend these individuals use extreme caution if a website presents a file for download or requests that they sign in. OceanLotus has used techniques to fool users into revealing their credentials, authorizing malicious OAuth access, or downloading malware onto their systems for several years,” Volexity said.