The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a state-sponsored hacking group.
The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.” states the analysis published by FireEye.
FireEye highlighted that currently, it is impossible to precisely link the group to the Vietnamese government even if the information gathered by the hackers would be of very little use to any other state.
According to the experts, the cyber attacks seemed to be assessing the victims’ adherence to Vietnamese regulations but the Vietnamese government denies its involvement.
“The government of Vietnam does not allow any form of cyber-attacks against organizations or individuals,” said foreign ministry spokeswoman Le Thi Thu Hang. “All cyber-attacks or threats to cybersecurity, must be condemned and severely punished in accordance with regulations and laws.”
Back to the last wave of attacks, the APT32 hackers use phishing emails containing a weaponized attachment. It is interesting to note that the attachment is not a Word document, instead, it is an ActiveMime file containing an OLE file containing malicious macros.
Another element of innovation for this campaign is that attacker tracked the success of the phishing emails, using legitimate cloud-based email analytics. The phishing attachments contain an HTML image tags.
“When a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist.” reads the analysis. “Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.”
The embedded macros create two scheduled tasks to gain persistence for the backdoors used by the hackers.
The first task executes the Squiblydoo application to enable the download of a backdoor from APT32 infrastructure. The second leads to a secondary backdoor delivered as a multi-stage PowerShell script configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.
APT32 threat actors regularly cleared select event log entries in order to conceal their operations, they also heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework.
The arsenal of APT32 includes a custom suite of backdoors such as Windshield, Komprogo, Soundbite, Phoreal, and Beacon.
FireEye warns of the increasing number of nation-state actors using cyber operations to gather intelligence.
“FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests,” Concluded FireEye. “As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.”
(Security Affairs – APT32, cyber espionage)