Vietnam-linked APT group APT32, also known as OceanLotus and APT-C-00, carried out cyber espionage campaigns against Chinese entities to gather intelligence on the COVID-19 crisis.
The APT32 group has been active since at least 2012, it has targeted organizations across multiple industries and foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
According to FireEye, the nation-state hackers targeted the Wuhan Government and the Chinese Ministry of Emergency Management with spear-phishing attacks.
“From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes was designed to collect intelligence on the COVID-19 crisis.” reads the report published by FireEye.
“While targeting of East Asia is consistent with the activity we’ve previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information,” FireEye points out.
The first attack spotted by the researchers took place on January 6, 2020, the attackers targeted the China’s Ministry of Emergency Management with messages using the subject 第一期办公设备招标结果报告 (translation: Report on the first quarter results of office equipment bids).
The content of the messages includes a tracking link containing the recipient’s email address, that allowed the attackers to determine whether the email was opened.
The experts discovered additional tracking URLs that revealed the nation-state actors targeted China’s Wuhan government and the Ministry of Emergency Management.
Experts noticed that the libjs.inquirerjs[.]com domain was already used in December as a C2 for a METALJACK phishing campaign targeting countries in South Asia.
APT32 attackers likely used COVID-19-themed attachments to infect systems of Chinese speaking targets. The attackers employed a version of the METALJACK loader displaying a COVID-19 decoy document having the filename written in Chinese. The document shows a copy of a New York Times article to the victim while launches the malicious payload.
“The malware also loads shellcode in an additional resource, MD5: a4808a329b071a1a37b8d03b1305b0cb, which contains the METALJACK payload. The shellcode performs a system survey to collect the victim’s computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL. If the callout is successful, the malware loads the METALJACK payload into memory.” continues the report.
The report includes technical details of the attacks such as Indicators of Compromise (IoCs) and the MITRE ATT&CK technique mapping.
“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict.” FireEye concludes.”National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports,”
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – Facebook, hacking)