APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. The group has made extensive use of strategic web compromises to compromise victims.[1][2][3]

ID: G0050
Associated Groups: SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH
Contributors: Romain Dumont, ESET
Version: 3.0
Created: 14 December 2017
Last Modified: 17 April 2024

Associated Group Descriptions

Name Description
SeaLotus [4]
OceanLotus [1][2][4][5][6]
APT-C-00 [3][4][5][6]
Canvas Cyclone [7]
BISMUTH [7]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.[8]

Enterprise T1036 Masquerading

APT32 has disguised a Cobalt Strike beacon as a Flash installer.[8]

.003 Masquerading: Rename System Utilities

APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.[9]

.004 Masquerading: Masquerade Task or Service

APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".[1]

.005 Masquerading: Match Legitimate Name or Location

APT32 has renamed a Netcat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.[8][10]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

APT32 has used pass the hash for lateral movement.[8]

.003 Use Alternate Authentication Material: Pass the Ticket

APT32 successfully gained remote access by using pass the ticket.[8]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

APT32 has used malicious links to direct users to web pages designed to harvest credentials.[10]

Enterprise T1112 Modify Registry

APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.[5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT32 modified Windows services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.[3][8][5]

Enterprise T1137 Office Application Startup

APT32 has replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.[4][8]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

APT32 ran legitimately signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[4][8][5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts and to execute their backdoor directly.[4][8][5]

Enterprise T1059 Command and Scripting Interpreter

APT32 has used COM scriptlets to download Cobalt Strike beacons.[8]

.001 Command and Scripting Interpreter: PowerShell

APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[1][4][8]

.003 Command and Scripting Interpreter: Windows Command Shell

APT32 has used cmd.exe for execution.[8]

.005 Command and Scripting Interpreter: Visual Basic

APT32 has used macros, COM scriptlets, and VBS scripts.[4][8]

.007 Command and Scripting Interpreter: JavaScript

APT32 has used JavaScript for drive-by downloads and C2 communications.[8][10]

Enterprise T1203 Exploitation for Client Execution

APT32 has used an RTF document that includes an exploit (CVE-2017-11882) to execute malicious code.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker-controlled domains to download additional frameworks. The group has also downloaded encrypted payloads over HTTP.[2][8]

.003 Application Layer Protocol: Mail Protocols

APT32 has used email for C2 via an Office macro.[4][8]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

APT32 has set up Facebook pages in tandem with fake websites.[10]

Enterprise T1560 Archive Collected Data

APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[5]

Enterprise T1003 OS Credential Dumping

APT32 used GetPassword_x64 to harvest credentials.[4][8]

.001 OS Credential Dumping: LSASS Memory

APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[4][8]

Enterprise T1589 Gather Victim Identity Information

APT32 has conducted targeted surveillance against activists and bloggers.[6]

.002 Gather Victim Identity Information: Email Addresses

APT32 has collected e-mail addresses of activists and bloggers in order to target them with spyware.[6]

Enterprise T1083 File and Directory Discovery

APT32's backdoor possesses the capability to list files and directories on a machine.[5]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

APT32's macOS backdoor changes the permissions of the file it wants to execute to 755.[11]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.[10]

.004 Stage Capabilities: Drive-by Target

APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.[10]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.[5]

Enterprise T1078 .003 Valid Accounts: Local Accounts

APT32 has used legitimate local admin account credentials.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

APT32 has used web shells to maintain access to victim websites.[2]

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

APT32 used Outlook Credential Dumper to harvest credentials stored in the Windows Registry.[4][8]

Enterprise T1068 Exploitation for Privilege Escalation

APT32 has used CVE-2016-7255 to escalate privileges.[1]

Enterprise T1012 Query Registry

APT32's backdoor can query the Windows Registry to gather system information.[5]

Enterprise T1570 Lateral Tool Transfer

APT32 has deployed tools after moving laterally using administrative accounts.[8]

Enterprise T1189 Drive-by Compromise

APT32 has infected victims by tricking them into visiting compromised watering hole websites.[3][10]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

APT32 includes garbage code to mislead anti-malware software and researchers.[3][5]

.010 Obfuscated Files or Information: Command Obfuscation

APT32 has used the Invoke-Obfuscation framework to obfuscate their PowerShell.[1][12][8]

.011 Obfuscated Files or Information: Fileless Storage

APT32's backdoor has stored its configuration in a registry key.[5]

.013 Obfuscated Files or Information: Encrypted/Encoded File

APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[1][12][3][4][8][5][11]

Enterprise T1204 .001 User Execution: Malicious Link

APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[8][10][6]

.002 User Execution: Malicious File

APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[3][4][5][13][6]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT32 has cleared select event log entries.[1]

.004 Indicator Removal: File Deletion

APT32's macOS backdoor can receive a "delete" command.[11]

.006 Indicator Removal: Timestomp

APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[1][5][11]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

APT32 has used mshta.exe for code execution.[4][8]

.010 System Binary Proxy Execution: Regsvr32

APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.[5][1][8]

.011 System Binary Proxy Execution: Rundll32

APT32 malware has used rundll32.exe to execute an initial infection process.[8]

Enterprise T1082 System Information Discovery

APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[3][5][11][13]

Enterprise T1033 System Owner/User Discovery

APT32 collected the victim's username and executed the whoami command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine.[13][3][8]

Enterprise T1569 .002 System Services: Service Execution

APT32's backdoor has used Windows services as a way to execute its malicious payload.[5]

Enterprise T1049 System Network Connections Discovery

APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine.[8]

Enterprise T1016 System Network Configuration Discovery

APT32 used the ipconfig /all command to gather the IP address from the system.[8]

Enterprise T1216 .001 System Script Proxy Execution: PubPrn

APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[14]

Enterprise T1135 Network Share Discovery

APT32 used the net view command to show all shares available, including the administrative shares such as C$ and ADMIN$.[8]

Enterprise T1102 Web Service

APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[10]

Enterprise T1046 Network Service Discovery

APT32 performed network scanning to find open ports and services, fingerprint operating systems, and identify other vulnerabilities.[8]

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT32 has set up and operated websites to gather information and deliver malware.[10]

.006 Acquire Infrastructure: Web Services

APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.[10]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.[1][4]

Enterprise T1087 .001 Account Discovery: Local Account

APT32 enumerated administrative users using the command net localgroup administrators.[8]

Enterprise T1072 Software Deployment Tools

APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1]

Enterprise T1105 Ingress Tool Transfer

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2]

Enterprise T1056 .001 Input Capture: Keylogging

APT32 has abused PasswordChangeNotify to monitor for and capture account password changes.[8]

Enterprise T1055 Process Injection

APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe.[8]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

APT32 used Net to access Windows' hidden network shares and copy their tools to remote machines for execution.[8]

Enterprise T1018 Remote System Discovery

APT32 has enumerated DC servers using the command net group "Domain Controllers" /domain. The group has also used the ping command.[8]

Enterprise T1041 Exfiltration Over C2 Channel

APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[5]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[3][4][8][5][13][6]

.002 Phishing: Spearphishing Link

APT32 has sent spearphishing emails containing malicious links.[3][4][13][10][6]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

APT32's macOS backdoor hides the clientID file via a chflags function.[11]

.003 Hide Artifacts: Hidden Window

APT32 has used the WindowStyle parameter to conceal PowerShell windows.[1][8]

.004 Hide Artifacts: NTFS File Attributes

APT32 used NTFS alternate data streams to hide their payloads.[8]

Enterprise T1571 Non-Standard Port

An APT32 backdoor can use HTTP over a non-standard TCP port (e.g. 14146) which is specified in the backdoor configuration.[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT32 has used scheduled tasks to persist on victim systems.[1][4][8][5]

Software

ID Name References Techniques
S0099 Arp [8] System Network Configuration Discovery, Remote System Discovery
S0154 Cobalt Strike [1][2][4][8][10][6][15] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0354 Denis [4][8] Hijack Execution Flow, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Archive Collected Data: Archive via Library, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Process Injection: Process Hollowing
S0477 Goopy [8] Data from Local System, Masquerading: Match Legitimate Name or Location, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Indicator Removal: Clear Mailbox Data, System Owner/User Discovery, Process Discovery, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task
S0100 ipconfig [8] System Network Configuration Discovery
S0585 Kerrdown [6][15] Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Obfuscated Files or Information, User Execution: Malicious File, User Execution: Malicious Link, System Information Discovery, Ingress Tool Transfer, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment
S0156 KOMPROGO [1] Windows Management Instrumentation, Command and Scripting Interpreter: Windows Command Shell, System Information Discovery
S0002 Mimikatz [1][4][8] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [8] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0108 netsh [8] Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery
S0352 OSX_OCEANLOTUS.D [16][6] Data from Local System, Masquerading: Masquerade Task or Service, Masquerading: Masquerade File Type, Shared Modules, Create or Modify System Process: Launch Agent, Create or Modify System Process: Launch Daemon, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Archive Collected Data: Archive via Custom Method, Data Encoding: Standard Encoding, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, Indicator Removal: File Deletion, Indicator Removal: Timestomp, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Non-Standard Port, Subvert Trust Controls: Gatekeeper Bypass
S0158 PHOREAL [1] Modify Registry, Command and Scripting Interpreter: Windows Command Shell, Non-Application Layer Protocol
S1078 RotaJakiro [17] Event Triggered Execution: Unix Shell Configuration Modification, Masquerading: Match Legitimate Name or Location, Shared Modules, Create or Modify System Process: Systemd Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Initialization Scripts, Boot or Logon Autostart Execution: XDG Autostart Entries, Data Encoding: Standard Encoding, Native API, System Information Discovery, Automated Collection, Process Discovery, Inter-Process Communication, Exfiltration Over C2 Channel, Non-Application Layer Protocol, Non-Standard Port
S0157 SOUNDBITE [1] Modify Registry, Application Layer Protocol: DNS, Application Window Discovery, File and Directory Discovery, System Information Discovery
S0155 WINDSHIELD [1] Query Registry, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, Non-Application Layer Protocol

References