For the last few months, the threat group OceanLotus, also known as APT32 and APT-C-00, has been carrying out a watering hole campaign targeting several websites in Southeast Asia.
The campaign has been active since September 2018 and has compromised the sites of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper and blog websites, according to a Nov. 20 blog post.
The most recent campaign appears to be an evolution of a watering hole scheme Volexity researchers dubbed OceanLotus Framework B in 2017, with new updates including the use of public key cryptography to exchange an AES session key to further communication and prevent security products from intercepting the final payload.
To evade detection the threat actors obfuscate the scripts to prevent static extraction of the final URL, use a URL that looks like a real JavaScript library used by the target website, use a different domain, use URI per compromised site, and use different script per compromised site.
“In order to be as stealthy as possible, the OceanLotus operators registered one first stage and one second stage domain per compromised website. Each domain is hosted on a separate server with a distinct IP address,” researchers said. “They registered at least 50 domains and 50 servers for this campaign.”
The threat actors also switched from HTTP to WebSocket to hide their malicious communications. Researchers notified the compromised sites in October however, most of them were still serving malicious script injections at the time the blog was written so researchers advice users to avoid the infected sites.
Threat actors are still busy attacking their targets and are regularly updating their toolsets so researchers recommend users exercise caution and ensure their systems are always up to date, especially when visiting domains based in the region.