APT32 / OceanLotus campaigns 2019

DEV-0054, also known as APT32 or OceanLotus, has been running stealthy operations characterized by novel delivery mechanisms, unique first-level installation, persistence, backdoor implants, and command-and-control infrastructure.

They are known to target government, military, energy, news, media, civil society, religion, and human rights sectors, and institutions for cyberespionage. The group is also known to deploy attacks via spear-phishing and watering-hole tactics. They compromise legitimate websites usually visited by the ASEAN demographic or countries such as Vietnam, Cambodia, Laos, Thailand, China, and the Philippines. For example, some recent lure documents used an upcoming ASEAN event happening from June 20-23, 2019. In general, however, their target reach is global in scope.

DEV-0054 still deploys cross-platform implants for the Windows (now both 32- and 64-bit) and macOS platforms. This report focuses on tactics, techniques, and procedures (TTPs) on the Windows environment and only covers recent industry reports on campaigns, including the use of relatively old but still effective exploits, steganography, and two new malware tools dubbed KerrDown and JEShell. DEV-0054 developed and deployed the said tools in recent attacks to download and run the Cobalt Strike Beacon implant on target systems. We enriched these reports with our own intelligence curated from telemetry and hunting to ensure maximum protection coverage for Microsoft Defender ATP customers. 

DEV-0054’s activities remain highly targeted; however, their behaviors and techniques overlap with many other campaigns. IT organizations can take lessons in defense in depth from DEV-0054’s attacks. Patching, managing Microsoft Office macros, and monitoring behavioral alerts in Microsoft Defender ATP are effective mitigations against many of the DEV-0054 techniques, as well as numerous other groups. 


Delivery and exploitation

DEV-0054 is known to utilize spear-phishing and watering-hole tactics using political and socially relevant themes. Recently, they have also been seen to actively use off-the-shelf exploits targeting two old Microsoft Office vulnerabilities, namely the Equation Editor vulnerabilities CVE-2017-11882 and CVE-2017-0199. While these vulnerabilities are old and have been fixed for years, they can still be exploited in parts of the Southeast Asian region where the use of unpatched applications and/or systems may still be common due to software dependencies in the region and IT budget priorities. A relatively new vulnerability in WinRAR, detailed in CVE-2018-20250, has also been used in some campaigns. 

While DEV-0054 has been increasingly using these exploit-ridden documents and archive files in recent months, the group has still been leveraging the usual documents with malicious macro code or self-extracting archives (without exploits), counting on using social engineering ploys for users to be compromised.

In some campaigns, DEV-0054 appended encrypted data to the end of delivered HTA scripts to avoid the need for multiple files.
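A triage check for the appended-data technique described above, as an added example (not code from the original report or from Microsoft): it measures what follows the last closing tag of an HTA and flags a long, high-entropy trailer. The tag list, both thresholds, and the sample files are assumptions constructed for illustration.

```python
import base64
import math
import re
from collections import Counter

# Closing tags after which a well-formed HTA normally holds only whitespace.
_CLOSERS = re.compile(rb"</\s*(?:html|script|body)\s*>", re.IGNORECASE)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def hta_trailer(raw: bytes) -> bytes:
    """Bytes after the last closing tag, with surrounding whitespace removed."""
    last = None
    for last in _CLOSERS.finditer(raw):
        pass
    return raw[last.end():].strip() if last else b""

def inspect_hta(raw: bytes, min_len: int = 256, min_entropy: float = 5.0) -> dict:
    """Flag a trailer that is long and dense enough to be an encoded blob.
    Both thresholds are assumptions to tune against known-good HTA files."""
    trailer = hta_trailer(raw)
    entropy = shannon_entropy(trailer)
    return {
        "trailer_len": len(trailer),
        "entropy": round(entropy, 2),
        "suspicious": len(trailer) >= min_len and entropy >= min_entropy,
    }

# Constructed samples: a minimal HTA, and the same file with a base64 blob
# appended after </html> to stand in for the encrypted data.
CLEAN_HTA = b"<html><head><hta:application/></head><body></body></html>\r\n"
BLOB = base64.b64encode(bytes(range(256)))
PADDED_HTA = CLEAN_HTA + BLOB + b"\r\n"
```

Hex-encoded trailers have lower entropy (about 4 bits per byte), so a deployment that needs to catch them should lower `min_entropy` and rely more on the length test.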

Evasion and installation

DEV-0054 has also been increasingly using steganography as a means to hide first-level and final code of payload implants in seemingly harmless image files (e.g., PNG format). Typically, an initial component that is already planted on the computer is tasked to download or drop these image files, decode the embedded malicious code, and install it. Another usual tactic employed by DEV-0054 is DLL side-loading, where copies of legitimate files are used to load malicious DLLs found in the same folder. One recent campaign used Microsoft Word to load the DEV-0054 initial implants with the file name wwlib.dll.

Very recently, in a campaign on June 20, 2019, DEV-0054 actors used DLL side-loading to deliver a payload generated by Cobalt Strike. The shell code loaded by Cobalt Strike directly in memory holds the command-and-control (C&C) information that the payload uses to communicate back to remote attackers.
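Detection logic for the side-loading pattern described above, as an added example (not code from the original report or from Microsoft): it flags image-load events where wwlib.dll is loaded from the loader's own folder outside an Office installation. The event field names, the expected install roots, and the sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# DLL name -> directory prefixes where a genuine copy is expected. These are
# assumed default Office install roots; replace with the fleet's real paths.
EXPECTED_DIRS = {
    "wwlib.dll": (
        r"c:\program files\microsoft office",
        r"c:\program files (x86)\microsoft office",
    ),
}

def is_sideload(event: dict) -> bool:
    """True when a watched DLL is loaded from outside its expected location
    and sits in the same folder as the executable that loaded it."""
    dll = PureWindowsPath(event["dll_path"])
    exe = PureWindowsPath(event["process_path"])
    expected = EXPECTED_DIRS.get(dll.name.lower())
    if expected is None:
        return False  # not a DLL this rule watches
    dll_dir = str(dll.parent).lower()
    if any(dll_dir == p or dll_dir.startswith(p + "\\") for p in expected):
        return False  # genuine install location
    # PureWindowsPath comparison is case-insensitive, as on NTFS.
    return dll.parent == exe.parent

def find_sideloads(events: list) -> list:
    """Return the DLL paths of all events that match the side-loading rule."""
    return [e["dll_path"] for e in events if is_sideload(e)]

# Constructed image-load events (hypothetical field names and paths).
EVENTS = [
    {"process_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dll_path": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
    {"process_path": r"C:\Users\alice\AppData\Local\Temp\report\Invitation.exe",
     "dll_path": r"c:\users\alice\appdata\local\temp\report\WWLIB.DLL"},
    {"process_path": r"C:\Users\alice\AppData\Local\Temp\report\Invitation.exe",
     "dll_path": r"C:\Windows\System32\kernel32.dll"},
]
```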

Other evasion mechanisms used by DEV-0054 include:

  • Dropping of files with file names and file descriptions randomly selected from the compromised system so as to avoid being easily acquired during incident response investigations and forensics;
  • Increasing the file size of dropped and generated implants by adding junk code, to avoid being scanned and/or uploaded automatically to a cloud-based security solution.

In many of these recent campaigns, two first-level payloads developed by the DEV-0054 group emerged. One is a DLL, either for 32-bit or 64-bit platforms, called KerrDown; the other one is the Java-based JEShell implant. Both have been used as a means to download and execute further payloads like Cobalt Strike.

Persistence and final payload

Once the first-level payload is successfully installed and run, persistence is achieved either by creating a hidden scheduled task to run the payload or by registering itself as a service in (HKLM|HKCU)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The creation of a shortcut file (.lnk) in the Startup folder in %ALLUSERSPROFILE%, %APPDATA%, or %USERPROFILE% is also employed.
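A triage routine for the three persistence mechanisms described above, as an added example (not code from the original report or from Microsoft): it classifies events as Run key, Startup shortcut, or hidden scheduled task, then keeps only those whose target binary is rare across the fleet. The event schema, the prevalence table, and the threshold are assumptions; the hashes are labelled placeholders.

```python
import re

# Persistence locations named in the report.
RUN_KEY = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def persistence_kind(ev: dict):
    """Map one event to the persistence mechanism it represents, or None."""
    if ev["type"] == "registry_set" and RUN_KEY.match(ev["key"]):
        return "run_key"
    if ev["type"] == "file_create" and STARTUP_LNK.search(ev["path"]):
        return "startup_lnk"
    if ev["type"] == "task_create" and ev.get("hidden"):
        return "hidden_task"
    return None

def triage(events, prevalence, max_devices=5):
    """Return (kind, sha256) for persistence events whose target binary is rare.

    Prevalence is keyed on the file hash, not the file name: the implants
    borrow names and descriptions from files already on the system, so a
    name-based allowlist would pass them.
    """
    hits = []
    for ev in events:
        kind = persistence_kind(ev)
        if kind and prevalence.get(ev["target_sha256"], 0) <= max_devices:
            hits.append((kind, ev["target_sha256"]))
    return hits

# Constructed sample telemetry; hashes are placeholders, not real indicators.
PREVALENCE = {"HASH_ONEDRIVE": 4200, "HASH_RARE_A": 1, "HASH_RARE_B": 2}
EVENTS = [
    {"type": "registry_set", "target_sha256": "HASH_ONEDRIVE",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "registry_set", "target_sha256": "HASH_RARE_A",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file_create", "target_sha256": "HASH_RARE_B",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\update.lnk"},
    {"type": "task_create", "hidden": False, "target_sha256": "HASH_RARE_A"},
]
```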

An implant in some of DEV-0054’s recent campaigns installs Cobalt Strike’s Beacon, which DEV-0054 ultimately utilizes for system compromise, espionage, and data exfiltration.

The diagrams below show attack chains attributed to DEV-0054: 

  1. Using the DEV-0054 downloader KerrDown
  2. WinRAR file delivery
  3. CVE-2017-11882 exploit
  4. Self-extracting archive
  5. HTML application (HTA) file delivery


  • Prioritize patching vulnerabilities, specifically for the ones being exploited by DEV-0054 (APT32/OceanLotus) such as CVE-2017-11882 and CVE-2017-0199 affecting MS Office as well as the WinRAR vulnerability CVE-2018-20250.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help prevent execution of native binaries with elevated privileges.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Use Office 365 mail flow rules or Group Policy for Outlook to strip unnecessary or unexpected file attachments such or other file types that are not required for business.
  • Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
  • Educate end users about preventing malware infections by ignoring or deleting unsolicited and unexpected emails.

Detection details


Windows Defender Antivirus detects threat components as the following malware:

Shared malware and generic detections

Windows Defender Antivirus incorporates next-generation antivirus capabilities, including machine learning and behavioral detection. This can result in overlapping detections, particularly of first-seen components and polymorphic variants. The detection names are listed here for reference, but related alerts are not actively monitored.

Shared malware and generic detections for malicious Office documents:

Shared malware and generic detections for malicious Win32 executables:

Endpoint detection and response (EDR)

Alerts with the following titles in the Windows Defender Security Center portal can indicate APT32/OceanLotus threat activity on your network:

  • DEV-0054 Malware
  • Malicious Document Containing KerrDown Malware
  • KerrDown Malware Downloader
  • DEV-0054 Malicious Document Exploiting CVE-2017-11882
  • DEV-0054 Malicious Document Exploiting CVE-2017-0199
  • DEV-0054 Malicious SFX File
  • DEV-0054 Malicious PNG File
  • DEV-0054 Malicious Document
  • Malicious DLL Component
  • JEShell Malware Downloader
  • Command-and-Control associated with DEV-0054
  • Malware URLs associated with DEV-0054

Alerts with the following titles in the Windows Defender Security Center portal may indicate threat activity on your network. Note that these alerts do not necessarily indicate APT32/OceanLotus activity but can be indicators of suspicious/malicious activities by other threat actors. Microsoft recommends that customers also investigate these alerts:

  • A malicious file was detected based on indication provided by O365
  • Malicious document detected
  • An uncommon file was created and added to a Run Key
  • An uncommon file was created and added to startup folder
  • Suspicious file in startup folder

Attack surface reduction rules

These rules can block or audit activity associated with this threat:

  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block executable content from email client and webmail
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

MITRE ATT&CK techniques observed

  • T1193 Spearphishing Attachment
  • T1073 DLL Side-Loading
  • T1060 Registry Run Keys / Startup Folder
  • T1053 Scheduled Task
  • T1009 Binary Padding