A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane as part of a cyber attack that was first detected in March 2023.
Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that is believed to have been active since at least 2022.
The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as the stepping stone for the next stage.
“The cybercriminals used techniques such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement,” the company said.
Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with those of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named pipes communication.
It's worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyber attack targeting an unnamed Vietnamese organization in late December 2022.
“This similarity suggests potential connections with or inspirations from OceanLotus; however, the different target industries make it likely that they are different,” Anastasia Tikhonova, head of threat intelligence for APAC at Group-IB, said.
“Lotus Bane is actively engaging in attacks primarily targeting the banking sector in the APAC region. Although the known attack was in Vietnam, the sophistication of their techniques indicates the potential for broader geographical operations within APAC. The exact duration of their activity prior to this discovery is currently unclear, but ongoing investigations may shed more light on their history.”
The development comes as financial organizations across Asia-Pacific (APAC), Europe, Latin America (LATAM), and North America have been the target of several advanced persistent threat groups such as Blind Eagle and the Lazarus Group over the past year.
Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switch servers with the aim of infecting them with a custom malware called CAKETAP.
“This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and checks it against a set of predefined conditions,” Group-IB said. “If these conditions are met, the data is altered before being sent out from the ATM server.”
UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards.
“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and targets, underline the complexity of defending against financial cyber threats in today's digital landscape.”