Vietnam-linked Bismuth APT leverages coin miners to stay under the radar

Pierluigi Paganini December 01, 2020

Microsoft warns that the Vietnam-linked Bismuth group is deploying cryptocurrency miners while continuing its cyberespionage campaigns.

Researchers from Microsoft reported that the Vietnam-linked Bismuth group, aka OceanLotus, Cobalt Kitty, or APT32, is deploying cryptocurrency miners while continuing its cyberespionage campaigns.

Cryptocurrency miners are typically associated with financially motivated attacks, but BISMUTH is attempting to take advantage of the low-priority alerts coin miners cause to establish persistence while remaining under the radar.

The OceanLotus APT group is a state-sponsored group that has been active since at least 2013.

The hackers targeted organizations across multiple industries and have also hit foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The experts warn that nation-state actors are adopting TTPs associated with cybercrime gangs to make attack attribution harder.

The use of cryptocurrency miners was first observed by Microsoft this summer when the group deployed them in attacks against organizations in France and Vietnam.

“But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam,” Microsoft said. “While this actor’s operational goals remained the same—establish continuous monitoring and espionage, exfiltrating useful information as it surfaced—their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks.”

According to Microsoft, the APT group started using the crypto-mining malware to trick the defense staff of the targets into believing their attacks are not highly targeted intrusions.

Experts also speculate that Bismuth hackers are exploring new ways of generating revenue from compromising systems.

In recent attacks, the kill chain starts with spear-phishing emails that were specially crafted for one specific recipient per target organization, a circumstance that suggests a deep knowledge of the targets resulting from prior reconnaissance. In some instances, the group even corresponded with the targets to convince them to open the malicious attachment.

Threat actors heavily use DLL side-loading, a technique in which a legitimate DLL is replaced with a malicious one so that it is loaded when the associated application is executed. 

“To perform DLL sideloading, BISMUTH introduced outdated versions of various applications, including Microsoft Defender Antivirus. They also leveraged the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft Word 2007,” continues the report.


To deploy the coin miners, BISMUTH first dropped a .dat file and loaded the file using rundll32.exe, which in turn downloaded a copy of the 7-zip tool named 7za.exe and a ZIP file. Then the hackers used 7-Zip to extract a Monero coin miner from the ZIP file and registered the miner as a service named after a common Virtual Machine process. Microsoft reported that each coin miner deployed by the group had a unique wallet address that earned over a thousand U.S. dollars combined during the attacks.
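The deployment sequence described above can be treated as one correlated detection rather than three low-priority signals. The following is an added example, not code from Microsoft's report or from this article. It assumes process-creation records are available per host and that the service is registered with `sc.exe create` (the article does not say how the service was registered); all hosts, paths, timestamps and the service name are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records: (host, time, image, command line).
# None of these values come from the report; the service name is a placeholder.
EVENTS = [
    ("ws-01", "2020-07-14T09:00:05", "rundll32.exe", r"rundll32.exe C:\ProgramData\sample.dat,Start"),
    ("ws-01", "2020-07-14T09:01:40", "7za.exe", r"7za.exe x C:\ProgramData\sample.zip -oC:\ProgramData\out"),
    ("ws-01", "2020-07-14T09:02:10", "sc.exe", r"sc.exe create PLACEHOLDER_SVC binPath= C:\ProgramData\out\miner.exe"),
    ("ws-02", "2020-07-14T10:00:00", "7za.exe", r"7za.exe x C:\Users\a\Downloads\photos.zip"),
    ("ws-03", "2020-07-14T11:00:00", "rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("ws-03", "2020-07-14T11:05:00", "sc.exe", r"sc.exe create BackupAgent binPath= C:\Tools\agent.exe"),
]

# Ordered stages from the article: rundll32 loads a .dat file, 7za.exe extracts
# an archive, a service is registered (assumed here to be via sc.exe create).
STAGES = [
    ("rundll32_loads_dat", "rundll32.exe", re.compile(r"\.dat\b", re.I)),
    ("7za_extract", "7za.exe", re.compile(r"\s[xe]\s", re.I)),
    ("service_create", "sc.exe", re.compile(r"\bcreate\b", re.I)),
]

def find_chains(events, window=timedelta(minutes=30)):
    """Return {host: [(stage, time), ...]} for hosts that show every stage,
    in order, within `window` of the first stage."""
    progress, hits = {}, {}
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        seen = progress.setdefault(host, [])
        if seen and t - seen[0][1] > window:
            seen.clear()  # chain went stale; start over with this event
        name, img, pat = STAGES[len(seen)]
        if image.lower() == img and pat.search(cmd):
            seen.append((name, t))
            if len(seen) == len(STAGES):
                hits[host] = list(seen)
                seen.clear()
    return hits

if __name__ == "__main__":
    for host, chain in find_chains(EVENTS).items():
        print(host, [stage for stage, _ in chain])
```

A host returned by `find_chains` is a reason to escalate an otherwise low-priority coin miner alert on that machine to an intrusion investigation.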

Experts pointed out that, having deployed coin miners as part of a diversionary strategy, BISMUTH then focused much of its efforts on credential theft.

The Microsoft 365 Defender Threat Intelligence Team, together with the Microsoft Threat Intelligence Center (MSTIC), provided technical details of the attacks, including MITRE ATT&CK techniques.


Pierluigi Paganini

(SecurityAffairs – hacking, BISMUTH)
