Kevin Stear

Lotus Blossom Continues ASEAN Targeting

Blog Post created by Kevin Stear Employee on Feb 13, 2018

During the last weeks of January (2018), nation state actors from Lotus Blossom conducted a targeted malspam campaign against the Association of Southeast Asian Nations (ASEAN) countries.  Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017, this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region.  This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object, the Elise backdoor.  



The Elise backdoor is not new malware and has been successfully diagnosed in the past by Industry researchers (e.g. Palo Alto Unit 42's 2015 report) and more recently by Volexity and Accenture.  Each of these are valuable resources to understanding the Elise malcode, infection process, and known capabilities of the backdoor.  In addition, a current ANY.RUN playback of our observed Elise infection is also available.


Upon opening of the MS Word document, our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module, 'NavShExt.dll', which is then injected into iexplore.exe to install the backdoor, begin collection, and activate command and control.  



Moving through the infection process, NetWitness Endpoint detects the initial exploit (CVE-2017-1182) in action as the Microsoft Equation Editor, 'EQNEDT32.exe', scores high for potentially malicious activity.  This same process was also flagged in our playback.



Our malware then spins up an instance of 'iexplore.exe' and injects 'NavShExt.dll' into that process.



While this is happening, the malware establishes persistence by creating an autorun in the registry and then also creates 'thumbcache_1CD60.db' at 'Users\admin\AppData\Local\Microsoft\Windows\Explorer\' to store harvested data.



As the infection process completes, we now observe Elise network activity (e.g., exfil of victim data and C2) through a conveniently hidden instance of Internet Explorer. 



This traffic was also observed in NetWitness Packets, as the malware verifies the host IP address prior to kicking off C2 out to 103.236.150[.]14, which is likely compromised infrastructure.



Take note of the cookie set in this HTTP POST, because Lotus Blossom actors go to significant lengths to protect this data via both B64 encoding and AES encryption.  The actual C2 for Elise takes place over "cookie" code and (rarely) body content.



Other infections (from the identical payload) each generated their own decoy domains to populate the host header, but in every case actually used the same hard-coded IP address, 103.236.150[.]14.



After our Elise infection had run for about a day, we were visited by the threat actor.  While it's unclear exactly what the actor may have been looking for, our infected (sandboxed) machine was not it and the backdoor was deleted.



Based on both previous activity and this current Lotus Blossom campaign, it is clear that we are witnessing the continued rise of cyber tradecraft and activity from nation-states in the Southeast Asian theater.


Thanks to Kent Backman, Justin Lamarre, and Ahmed Sonbol for their assistance with this research.


The following samples were used for this analysis:

  • Malicious RTF Dropper (SHA256):  d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411
  • NavShExt.dll (SHA256):  6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79