OceanLotus’ Ratsnif (A Remote Access Trojan)- Thinngs You Need To Know




OceanLoutus’ Ratsnif, an especially undetected remote access Trojan which mainly is used for cyber-espionage purposes has become better and is now capable of SSL hijacking and modifying web pages.

The very prominent malicious actor OceanLotus is quite fairly known for its espionage campaigns in the Vietnam. APT32, CobaltKitty, SeaLotus and APT-C-oo are few of its aliases in the infosec community.

The hackers behind this malicious threat actor usually combine “commercially available tools” such as Cobalt Strike with unique malware.

Four separate variants of the Ratsnif RAT family were analysed by prominent researchers only to find out that it evolved from a debug build to a release version.

It now comes filled with fresh features like DNS and MAC spoofing, SSL Hijacking, packet sniffing, HTTP redirection and injection, setting up remote shell access and ARP poisoning.

Per sources, the three early versions were found out to have a compilation date from 2016 whereas the most recent one was from August 2018.

The oldest variant of the Ratsnif, per the researchers, apparently was a debug build compiled in August 2016. The domain for its command and control (C2) server was activated the very day.

A newer version with no so gigantic changes was compiled the very next day. Both the samples were tested for detection against the anti-virus engines present on VirusTotal service at the same time.

A third version with September 2016 as its compilation date appeared with almost similar functioning and is believed by the researchers to be one of the earlier builds.

It wasn’t loaded with all the features but surely was capable of setting up a remote shell and serve for ARP poisoning, DNS spoofing and HTTP redirection.

In its early stages it collects information such as usernames, computer names, Windows system directory, and network adapter info and workstation configuration and sends it to C2.



The fourth Ratsnif sample was no longer accompanied by a list of C2 servers and delegated communication to a different malware used on the host victim.

It also, originally happened to introduce a configuration file and to extend the set of features to make it more effectual.

If one wishes to decrypt the traffic it could be done by using version 3.11 of the wolfSSL library which was earlier known as CyaSSL.

The configuration file happens to be unsecured and is simply a “text file encoded in Base64 with a parameter on its own line”.

Ratsnif could also cause a memory red violation owing it to a bug, when parsing a specific parameter (“dwn_ip’). Due to this the value’s passed as a string when it should be a pointer to a string.

According to the analyzers, the 2016 versions of Ratsnif contained all packets to a PCAP file but the 2018 version employs multiple sniffer classes for wresting sensitive information from packets.

This lowers the amount of data the attacker requires to collect, exfiltrate and process and also shows what information the attacker is after.

Ratsnif has done an essentially tremendous job at staying out of the limelight. Nonetheless it is not up to the standards of OceanLotus’ other malware endeavors.

Category: / / / / / /

Share this with Your friends: