T1195.001 Compromise Software Dependencies and Development Tools (98%)
“…supply chain attack likely continues this strategy. Although phishing emails are still a common initial infection method for OceanLotus, the group is also actively exploring new ways to compromise victims through diverse supply chain attacks. Indicators of compromise. Additional i…”
T1055.001 Dynamic-link Library Injection (91%)
“…byte key 3a7. It then searches the decrypted shellcode's memory for the string policy.dllcppage.dll and replaces it with its own file name, terminate.dll, and redirects execution to the shellcode's memory space. The shellcode employs a djb2-like hash method to calculate …”
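The excerpt above stops at “djb2-like hash method to calculate …”, which in position-independent shellcode normally means resolving Windows API exports by hash rather than by name. The following is an added example (not code from the Kaspersky report or from the sample) of the analyst's side of that: computing classic djb2 over export names and scanning a decrypted blob for 32-bit immediates that match. The export list and the shellcode bytes are constructed for the demonstration; the real variant is described only as “djb2-like”, so the seed (5381) and multiplier (33) used here are an assumption to be adjusted once the sample's constants are recovered.

```python
import struct
from typing import Dict, Iterable, List, Tuple


def djb2(name: bytes) -> int:
    """Classic djb2 (Bernstein): h = 5381; for each byte, h = h * 33 + c.
    The result is truncated to 32 bits, which is what shellcode stores.
    ASSUMPTION: the sample's "djb2-like" variant may change the seed,
    the multiplier, or case-fold the name; edit here if that is recovered."""
    h = 5381
    for c in name:
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def build_hash_table(export_names: Iterable[bytes]) -> Dict[int, bytes]:
    """Precompute hash -> export name for the DLLs the shellcode is expected
    to resolve from (the analyst's view of what the resolver does at runtime)."""
    table: Dict[int, bytes] = {}
    for name in export_names:
        h = djb2(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def find_known_hashes(blob: bytes, table: Dict[int, bytes]) -> List[Tuple[int, bytes]]:
    """Scan every byte offset of a decrypted shellcode blob for a little-endian
    32-bit value that matches a precomputed hash; returns (offset, name) pairs.
    Unaligned scanning matters: the hashes usually sit as immediates right
    after a push/mov opcode, so they are rarely 4-byte aligned."""
    hits: List[Tuple[int, bytes]] = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed export list: a small subset, not the real kernel32 export table.
KERNEL32_SUBSET = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateThread"]
TABLE = build_hash_table(KERNEL32_SUBSET)

# Constructed stand-in for decrypted shellcode: two "push imm32" (0x68) instructions
# carrying API hashes, separated by NOPs and ending in RET. Not bytes from the sample.
SAMPLE_BLOB = (
    b"\x68" + struct.pack("<I", djb2(b"LoadLibraryA"))
    + b"\x90\x90"
    + b"\x68" + struct.pack("<I", djb2(b"GetProcAddress"))
    + b"\xc3"
)

if __name__ == "__main__":
    for off, name in find_known_hashes(SAMPLE_BLOB, TABLE):
        print(f"offset {off:#04x}: {name.decode()} ({djb2(name):#010x})")
```

To use this against a real sample, feed `build_hash_table` the export names dumped from the DLLs the loader maps (kernel32, ntdll, ws2_32 and so on) and pass the decrypted shellcode to `find_known_hashes`; a stretch of offsets that resolve to a plausible API sequence is the import table the shellcode does not otherwise have.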
T1055.001 Dynamic-link Library Injection (68%)
“…envir, passing the UTF-8-encoded string xterminalunicod as a parameter. The DLL acts as a dropper, delivering the final payload, ZiChatBot, and then self-deleting. At the end of the is_color_supported() function, the unicode.py script file is also removed. These step…”
T1195.001 Compromise Software Dependencies and Development Tools (67%)
“…(C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure. To conceal the malicious package containing ZiChatBot, the attacker created another benign-looking package that included the malicious package as a dependency. Ba…”
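The excerpt above describes the malicious package being pulled in one hop down, as a dependency of a benign-looking package. The check a practitioner wants before installing is to read the declared dependencies straight out of the wheel's METADATA (no install, no code execution) and compare them with what the package is expected to need. The following is an added example, not code from the report or from either package; the wheel it inspects is constructed in memory and the package names in it (`innocuous_tool`, `hidden_payload_pkg`) are placeholders, not the real ones.

```python
import io
import re
import zipfile
from email.parser import HeaderParser
from typing import Iterable, List


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Hidden_Payload.Pkg' and 'hidden-payload-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(requires_dist: str) -> str:
    """Strip extras, version specifiers and environment markers from a
    Requires-Dist value, leaving only the normalized project name."""
    m = _REQ_NAME.match(requires_dist)
    if not m:
        raise ValueError(f"unparseable Requires-Dist: {requires_dist!r}")
    return normalize(m.group(1))


def declared_dependencies(wheel_bytes: bytes) -> List[str]:
    """Read Requires-Dist headers from the wheel's own METADATA file.
    A wheel is a zip; METADATA uses RFC 822 headers, so the stdlib email
    parser is enough. Exactly one .dist-info/METADATA is expected."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        meta = [n for n in zf.namelist() if n.endswith(".dist-info/METADATA")]
        if len(meta) != 1:
            raise ValueError(f"expected exactly one METADATA, found {meta}")
        headers = HeaderParser().parsestr(zf.read(meta[0]).decode("utf-8"))
        return headers.get_all("Requires-Dist") or []


def unexpected_dependencies(wheel_bytes: bytes, allowlist: Iterable[str]) -> List[str]:
    """Dependencies the wheel declares that are not on the reviewer's allowlist.
    Anything returned here deserves the same scrutiny as the top-level package."""
    allowed = {normalize(n) for n in allowlist}
    declared = {requirement_name(r) for r in declared_dependencies(wheel_bytes)}
    return sorted(declared - allowed)


def build_wheel(name: str, version: str, requires: Iterable[str]) -> bytes:
    """Construct a minimal wheel in memory for the demonstration (not a real package)."""
    metadata = f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
    metadata += "".join(f"Requires-Dist: {r}\n" for r in requires)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{name}-{version}.dist-info/METADATA", metadata)
        zf.writestr(f"{name}/__init__.py", "")
    return buf.getvalue()


# Constructed wheel: a harmless-looking package whose METADATA drags in a second,
# unreviewed package with an exact version pin and an environment marker.
CONSTRUCTED_WHEEL = build_wheel(
    "innocuous_tool",
    "1.0.0",
    ["requests>=2.28", 'hidden_payload_pkg==0.1; python_version >= "3.8"'],
)

if __name__ == "__main__":
    for dep in unexpected_dependencies(CONSTRUCTED_WHEEL, ["requests"]):
        print(f"unreviewed dependency: {dep}")
```

For a downloaded artifact, pass the bytes of the `.whl` file to `unexpected_dependencies` together with the dependencies the package is documented to need; then repeat the check on every flagged dependency's own wheel, since the chain can be longer than one hop. Note that METADATA only covers wheels; an sdist can still run arbitrary code from `setup.py` at install time, which this check does not see.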
T1071 Application Layer Protocol (64%)
“…svr.exe (hash: 48be833b0b0ca1ad3cf99c66dc89c3f4). The DLL contains several export functions, with the malicious code implemented in the cef_api_mash export. Once the DLL is loaded, this function is invoked by the EXE file. ZiChatBot uses the REST APIs from Zulip, a publ…”
Summary
Kaspersky researchers uncovered malicious wheel packages on PyPI that targeted both Windows and Linux and contained a dropper delivering malware dubbed ZiChatBot. We attribute this activity to OceanLotus APT.