Dubbed Operation Cobalt Kitty, the APT targeted a global corporation based in Asia with the goal of stealing proprietary business information. The threat actor targeted the company’s top-level management by using spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior directors and other key personnel in the operational departments. During Operation Cobalt Kitty, the attackers compromised more than 40 PCs and servers, including the domain controller, file servers, Web application server and database server.
Want to hear about another high-impact operation? 
Forensic artifacts revealed that the attackers persisted on the network for at least a year before Cybereason was deployed. The adversary proved very adaptive and responded to company’s security measures by periodically changing tools, techniques and procedures (TTPs), allowing them to persist on the network for such an extensive period of time. Over 80 payloads and numerous domains were observed in this operation - all of which were undetected by traditional security products deployed in the company’s environment at the time of the attack.
The attackers arsenal consisted of modified publicly-available tools as well as six undocumented custom-built tools, which Cybereason considers the threat actor’s signature tools. Among these tools are two backdoors that exploited DLL sideloading attack in Microsoft, Google and Kaspersky applications. In addition, they developed a novel and stealthy backdoor that targets Microsoft Outlook for command-and-control channel and data exfiltration.
Based on the tools, modus operandi and IOCs (indicators of compromise) observed in Operation Cobalt Kitty, Cybereason attributes this large-scale cyber espionage APT to the “OceanLotus Group” (which is also known as, APT-C-00, SeaLotus and APT32). For detailed information tying Operation Cobalt Kitty to the OceanLotus Group, please see our Attacker’s Arsenal and Threat Actor Profile sections.
Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group, which at the time of this report’s writing, had not been officially linked to this threat actor.
Finally, this report offers a rare glimpse into what a cyber espionage APT looks like "under-the-hood". Cybereason was able to monitor and detect the entire attack lifecycle, from infiltration to exfiltration and all the steps in between.
Our report contains the following detailed sections (PDF):
The following sections outline the four phases of the attack as observed by Cybereason’s analysts, who were called to investigate the environment after the company’s IT department suspected that their network was breached but could not trace the source.
Based on the forensic evidence collected from the environment, phase one was the continuation of the original attack that began about a year before Cybereason was deployed in the environment. During that phase, the threat actor operated a fileless PowerShell-based infrastructure, using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike, PowerSploit and Nishang.
The initial penetration vector was carried out by social engineering. Carefully selected group of employees received spear-phishing emails, containing either links to malicious sites or weaponized Word documents. These documents contained malicious macros that created persistence on the compromised machine using two scheduled tasks, whose purpose was to download secondary payloads (mainly Cobalt Strike Beacon):
Scheduled task 1: Downloads a COM scriptlet that redirects to Cobalt Strike payload:
