OceanLotus Group remote access trojans

Cylance Report Reveals Malware and Tactics of OceanLotus Group and Weakness of Traditional AV

Exploits and attackers come in various forms. Just like crime in real life, there are vandals and people just trying to wreak havoc, there are petty thieves and lone wolf criminals, and there is organized crime—crime families that make a career out of cyber attacks. The OceanLotus Group—also referred to as APT32 or Cobalt Kitty—is one such family. Cylance recently released detailed security research to shed light on the tactics and techniques employed by OceanLotus Group to make it easier to identify and defend against attacks from them.

The investigation by Cylance began during incident response and threat research activity at the end of 2017. Cylance researchers discovered several custom backdoors deployed by OceanLotus Group, and evidence that the attackers were obfuscating payloads to perform command and control (C2). In addition, they determined that OceanLotus Group routinely uses PowerShell commands to download and deploy malware—allowing most of the malware to operate in-memory with zero footprint on systems storage.

There are a handful of RATs (remote access trojans) developed by OceanLotus Group. Named after famous rats—Roland, Remy, Splinter—Cylance found that these RATs are carefully crafted to mimic legitimate DLLs of the victim organization. Cylance researchers also discovered that the malware C2 protocols are specifically tailored for each target as well.


I spoke with Tom Bonner, Director of Threat Research for Cylance, about the report. He talked about how OceanLotus Group is able to surreptitiously stream video from compromised systems, and the risk that poses for organizations. He shared that Cylance developed this report to document the findings from Cylance research publicly, and to provide a thorough overview of how they operate, and how the protocols work for command and control so organizations—and other security vendors—can defend against these attacks more effectively.

We also talked about the power of machine learning and the impact of predictive advantage. While many of the household names in antimalware and traditional security tools may struggle to identify and block these threats until or unless vendors capture a sample to reverse engineer and develop the appropriate signatures, Cylance has been able to detect all of the variants for more than two years. For some variants, the predictive advantage for Cylance is as much as three years. In other words, if you installed Cylance two years ago and never updated it again, it would still be able to protect you from these OceanLotus Group attacks.

There are fundamental shifts that occur with technology, and sometimes it takes a while for the ripple effect to expand. But, just as we now say, “Who are the people who are still using 3.5-inch floppy disks?” or “Who are these people who still use fax machines?”, we will eventually—sooner rather than later—be saying, “Who are the people still using reactive antimalware solutions that require signatures?”

Transformation takes time and there is an education process that must happen. Many organizations and individuals continue to buy traditional antimalware because it’s just what they’ve always done and they’re not aware of alternatives. That fundamental shift already happened, though, and the ripple effect of transitioning from legacy antimalware to more effective protection based on machine learning and artificial intelligence is just a matter of time.

For more details on the OceanLotus Group, and the research on the malware tools and techniques they use, check out the complete Analysis of OceanLotus Group’s Latest Attack Tactics report.

Scroll to Top