KerrDown is a new family of malware downloaders created and used by the threat group OceanLotus, to which multiple attack campaigns have been attributed. Some of the group's targets are spread around the world, but most of its operations are concentrated in the APAC region. Victims span a wide range of industries, along with foreign governments, diplomatic agencies and entities connected to Vietnam; the latest campaign involving KerrDown has targeted entities that are either based in Vietnam or Vietnamese-speaking.
Two main delivery vectors have been identified: phishing emails carrying weaponized Word documents, and RAR archives that bundle a legitimate application with a malicious DLL that the application side-loads.
When the victim opens the Word document, a message in Vietnamese asks them to enable macros. The macro checks whether the compromised system is 32-bit or 64-bit and selects the matching one of two embedded DLLs. The chosen DLL is written to a predetermined location under 'Users\Administrator\AppData\Roaming\' as a file named 'main_background.png', an image extension on what is in fact a PE DLL.
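A defender triaging a host described in the paragraph above wants two things from the dropped file: proof that the '.png' is really a PE image, and its architecture, since the macro picks a 32-bit or 64-bit DLL. The script below is an added example written for this page, not code from the original article or from any OceanLotus tooling. It parses the DOS and COFF headers directly (no third-party PE library), walks a directory for image-named files that carry a PE header, and reports architecture and the DLL flag. The `build_fake_pe` helper and the two files written by `demo` are constructed test data, not bytes from a real sample; the extra image extensions beyond .png are an assumption added for wider coverage.

```python
import os
import struct
import tempfile
from typing import Dict, List, Optional

# COFF file header constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000

# Extensions the scan treats as "should be an image". KerrDown uses .png;
# the others are assumptions added so the check covers similar masquerades.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def inspect_pe(data: bytes) -> Optional[Dict[str, object]]:
    """Parse the DOS and COFF headers; return arch/DLL info, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    arch = {IMAGE_FILE_MACHINE_I386: "x86",
            IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, "0x%04x" % machine)
    return {"arch": arch, "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def find_masqueraded_pe(root: str) -> List[Dict[str, object]]:
    """Walk `root` and report image-named files whose bytes are a PE image."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # both headers sit in the first page
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the scan
            info = inspect_pe(head)
            if info is not None:
                hits.append({"path": path, "name": name, **info})
    return hits


def build_fake_pe(machine: int, is_dll: bool) -> bytes:
    """Hand-build a minimal DOS stub + PE signature + COFF header (constructed test data)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + coff


def demo() -> List[Dict[str, object]]:
    """Write one masqueraded 64-bit DLL and one genuine PNG to a temp dir, then scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "main_background.png"), "wb") as fh:
        fh.write(build_fake_pe(IMAGE_FILE_MACHINE_AMD64, True))
    with open(os.path.join(root, "wallpaper.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)  # real PNG magic, not a PE
    return find_masqueraded_pe(root)


if __name__ == "__main__":
    # On a live Windows host you would scan the profile directory instead:
    #   find_masqueraded_pe(os.environ["APPDATA"])
    for hit in demo():
        print("%s: %s %s" % (hit["path"], hit["arch"],
                             "DLL" if hit["is_dll"] else "EXE"))
```

Only the first 4 KiB of each file is read, so the scan is cheap enough to run over a whole user profile; a match on a file with an image extension is a strong indicator on its own, and the architecture field tells you which of the two dropper branches ran.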
The first task of the dropped KerrDown DLL is to retrieve the main payload, decrypt it with the DES algorithm and execute it in memory immediately. Because the decrypted payload never touches disk, the on-disk footprint is reduced to the KerrDown downloader itself.
The payload KerrDown delivers is a variant of Cobalt Strike Beacon, the implant component of the widely used Cobalt Strike post-exploitation framework. OceanLotus has deployed Cobalt Strike in several of its previous campaigns.
For the KerrDown variants spread through RAR archives the end goal is the same, delivery of Cobalt Strike Beacon, but the route there differs considerably. The RAR files carry Vietnamese names meaning 'Complaint letter' and contain a Microsoft Word document from an older version of Word, itself bearing a Vietnamese name that translates as 'Learn more about how to use your company.' The malicious KerrDown DLL is loaded through DLL side-loading: the legitimate application in the archive requests a DLL by name, and because the application's own directory is searched before the system directories, it picks up the attacker's same-named DLL placed beside it. The DLL then runs a multi-stage chain of shellcode, each stage using different techniques to obscure the next. The embedded Cobalt Strike Beacon DLL is finally loaded into memory and executed by the fourth shellcode stage.
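When triaging an archive like the one described above, the practical question is which DLLs shipped next to an executable could actually be side-loaded. The function below is an added example for this page, not code from the original article or from any OceanLotus tooling. Given an archive member listing, it pairs each EXE with the DLLs in its own directory and drops names on the Windows KnownDLLs list, which the loader always maps from System32 regardless of search order and which therefore cannot be hijacked this way. The `KNOWN_DLLS` set is a constructed subset of that list, and the member names in `SAMPLE_MEMBERS` are assumptions standing in for the real archive contents.

```python
import posixpath
from typing import Dict, List

# Subset of the Windows KnownDLLs list (registry key
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).
# The loader maps these from System32 whatever the search order says, so a
# same-named DLL beside an EXE cannot be side-loaded. Constructed subset for
# the example; read the registry key on a real host for the full list.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "ole32.dll", "shell32.dll", "rpcrt4.dll", "msvcrt.dll",
}


def side_load_candidates(members: List[str]) -> Dict[str, List[str]]:
    """Map each EXE in an archive listing to the co-located DLLs it could side-load.

    With the default search order the executable's own directory is searched
    before System32, so a DLL the program requests by bare name resolves to a
    same-named file shipped next to it, unless that name is a KnownDLL.
    """
    by_dir: Dict[str, List[str]] = {}
    for member in members:
        directory, name = posixpath.split(member.replace("\\", "/"))
        by_dir.setdefault(directory, []).append(name)

    candidates: Dict[str, List[str]] = {}
    for directory, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = sorted(n for n in names
                      if n.lower().endswith(".dll") and n.lower() not in KNOWN_DLLS)
        if not dlls:
            continue  # nothing hijackable beside these executables
        for exe in exes:
            candidates[posixpath.join(directory, exe)] = dlls
    return candidates


# Constructed archive listing standing in for the RAR described above; these
# file names are assumptions, not names taken from a real OceanLotus archive.
SAMPLE_MEMBERS = [
    "Thu khieu nai/viewer.exe",
    "Thu khieu nai/version.dll",
    "Thu khieu nai/kernel32.dll",
    "Thu khieu nai/complaint.doc",
    "tools/helper.exe",
    "tools/readme.txt",
]


if __name__ == "__main__":
    for exe, dlls in side_load_candidates(SAMPLE_MEMBERS).items():
        print("%s may side-load: %s" % (exe, ", ".join(dlls)))
```

Feed it the output of `unrar l` or `7z l` after stripping the listing to bare paths; every EXE it reports is worth opening in a disassembler to confirm it imports from one of the flagged DLL names, and each flagged DLL is worth checking for a PE header and exports that merely forward to the genuine library.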