Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in the group's 2024 campaigns: a double loader and a VMP-protected version of it. The double loader consists of two modules: an MSVC-compiled DLL that performs initial information gathering and a Go DLL that executes the payload. The VMP loader is the same double loader protected with VMProtect 3.XX x64 to increase its resistance to analysis. Both loaders ultimately deploy CobaltStrike Beacon modules that communicate with different C2 servers. The report highlights the group's use of multiple programming languages and false-flag techniques to complicate attribution.

OPENCTI LABELS:

cobaltstrike

