Warning: Lotus Bane Cyberattack Breaches Vietnam

A financial institution in Vietnam became the target of a previously unknown hacking collective, dubbed Lotus Bane. This group was identified by cybersecurity experts in March 2023, though it is believed to have been active since at least 2022. According to Group-IB, these perpetrators are aptly classified among Advanced Persistent Threat (APT) groups.

The precise infection chain within the Vietnamese company has not been fully reconstructed by researchers; however, it definitively involved various instances of malware that facilitated the subsequent stages of the attack.

To achieve their objectives, the hackers employed techniques such as DLL Sideloading, data exchange through named pipes, and the creation of remote scheduled tasks for lateral movement within the network.

CVE-2024-21410

Group-IB contends that the tactics utilized by Lotus Bane bear similarities to those employed by the group known as OceanLotus, also recognized as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. Notably, both groups made use of the malicious software PIPEDANCE for communication through named pipes, first documented by experts at Elastic Security Labs in February 2023.

The resemblance in methods might suggest a connection between Lotus Bane and OceanLotus, or merely imitation; however, the difference in target selection indicates that these groups are not identical.

Lotus Bane primarily launches attacks on the banking sector within the Asia-Pacific region. The complexity of their methods suggests the potential for broader geographical operations within the region. The exact duration of the group’s activity before its detection remains undisclosed.

Over the past year, financial organizations in the Asia-Pacific region, as well as in Europe, Latin America, and North America, have been targeted by several APT groups, including Blind Eagle and Lazarus. The group UNC1945 noted for attacks on ATMs using the specialized malware CakeTap, deserves special attention.

The activities of Lotus Bane and UNC1945 in the Asia-Pacific underscore the critical need for vigilant and evolving cybersecurity measures. The diversity of their tactics and objectives highlights the complexity of safeguarding against financial cyber threats in today’s digital landscape.