OceanLotus New Combination Attack Leveraging Whitelisted File Persistence
OceanLotus (APT-C-00) is a state-backed overseas hacking group that primarily targets enterprises and government agencies in East Asian countries and has conducted cyberattacks against China since 2011. Since 360 first exposed the group in 2015, its attacks against China have continued without interruption, and the 360 Advanced Threat Research Institute has kept its latest activity under continuous monitoring.

The group frequently relies on DLL search order hijacking (whitelist exploitation): a malicious payload is loaded through a trusted executable such as a Windows Defender, Word, or default system file, and the attack is typically kicked off through remote services or scheduled tasks. Whitelisted files abused most often include Kingsoft Antivirus components, Steam error reporting programs, and NetEase Cloud-related modules. Recent activity shows a shift from concentrated reuse of a few file types to distributed use of many file categories under renamed variants, which improves evasion.

The newly observed persistence method begins by compromising intranet management endpoints, from which the attackers establish SMB/RPC connections, collect network information (IP ranges, MAC addresses, hostnames), and deliver customized backdoors. They then replace legitimate service executables (e.g., GoogleUpdate.exe, Adobe armsvc.exe) with weaponized whitelisted files, so that the malicious payload is triggered by the service's native scheduled task without any change to the service configuration. Because this mimics a legitimate software update process, it bypasses security checks and achieves persistent residency without leaving remote connection traces. Compared with traditional methods that depend on remotely initiated tasks, this combination of whitelist exploitation and service hijacking is markedly stealthier and more persistent.
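A baseline-diff check for the pattern described above (a service's image file replaced in place while its registered path and configuration stay untouched, possibly with a new DLL planted beside it), added here as an example and not part of the report; the service inventories, hashes, signer names and DLL names are constructed sample data.

```python
# Constructed sample inventories: what an endpoint inventory job would record for each
# Windows service image (path, file SHA-256, Authenticode signer, DLLs in the same
# directory). BASELINE was captured at deployment time, CURRENT on a later run.
BASELINE = [
    {"service": "gupdate",
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "sha256": "placeholder-hash-google-1", "signer": "Google LLC",
     "dlls": ["goopdate.dll"]},
    {"service": "AdobeARMservice",
     "image": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe",
     "sha256": "placeholder-hash-adobe-1", "signer": "Adobe Inc.",
     "dlls": []},
]
CURRENT = [
    # GoogleUpdate.exe swapped for a renamed, validly signed third-party binary:
    # same registered path, different hash and signer, plus a new DLL next to it.
    {"service": "gupdate",
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "sha256": "placeholder-hash-other-9", "signer": "Some Other Vendor",
     "dlls": ["goopdate.dll", "sample_new.dll"]},
    {"service": "AdobeARMservice",
     "image": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe",
     "sha256": "placeholder-hash-adobe-1", "signer": "Adobe Inc.",
     "dlls": []},
]


def audit_services(baseline, current):
    """Return (service, finding) pairs for images that changed on disk even though
    the service configuration did not, the signal the report's technique leaves."""
    base = {b["service"]: b for b in baseline}
    findings = []
    for cur in current:
        ref = base.get(cur["service"])
        if ref is None:
            findings.append((cur["service"], "new service (not in baseline)"))
            continue
        if cur["image"] != ref["image"]:
            # A changed image path means the service config itself was edited;
            # that is a different (louder) finding than silent file replacement.
            findings.append((cur["service"], "image path changed"))
            continue
        if cur["sha256"] != ref["sha256"]:
            findings.append((cur["service"], "image replaced: hash changed, path unchanged"))
        if cur["signer"] != ref["signer"]:
            findings.append((cur["service"],
                             f"signer changed: {ref['signer']!r} -> {cur['signer']!r}"))
        new_dlls = sorted(set(cur["dlls"]) - set(ref["dlls"]))
        if new_dlls:
            findings.append((cur["service"], "new DLL(s) beside image: " + ", ".join(new_dlls)))
    return findings
```

In practice the inventories would come from a scheduled job hashing each service's ImagePath and reading its signature; the comparison logic stays the same.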