A financial entity in Vietnam was the target of a previously undocumented threat actor named Lotus Bane, which was first detected in March 2023.
Singapore-based Group-IB described the hacking group as an advanced persistent threat group believed to be active since at least 2022.
The specifics of the infection chain remain unknown, but it involves the use of various malicious artifacts that serve as a springboard for the next phase.
“Cybercriminals used methods such as sideloading DLLs and exchanging data via named pipes to execute malicious executables and create remotely scheduled tasks for lateral movement,” the company said.
Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with those of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. The overlap stems from the use of malware such as PIPEDANCE for named pipe communication.
It is worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyberattack against an unnamed Vietnamese organization in late December 2022.
“This similarity suggests possible connections or inspirations with OceanLotus; however, the different target sectors make them likely to be different,” said Anastasia Tikhonova, Head of Threat Intelligence for APAC at Group-IB.
“Lotus Bane is actively engaged in attacks primarily targeting the banking sector in the APAC region. While the known attack occurred in Vietnam, the sophistication of their methods indicates the potential for broader geographic operations within APAC. The exact duration of their activity prior to this discovery is currently unclear, but ongoing investigations may shed light on their history.”
The development comes as financial organizations in Asia-Pacific (APAC), Europe, Latin America (LATAM) and North America have been the target of several advanced persistent threat groups such as Blind Eagle and Lazarus Group over the past year.
Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switching servers with the aim of infecting them with a custom malware called CAKETAP.
“This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and compares them with a set of predefined conditions,” Group-IB said. “If these conditions are met, the data is altered before being sent by the ATM server.”
UNC2891 and UNC1945 were previously described by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at multiple banks using fraudulent cards.
“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and objectives, highlight the complexity of protecting against financial cyber threats in today’s digital landscape.”