APT32
Associated Group Descriptions |
|
Name | Description |
---|---|
SeaLotus | (Citation: Cybereason Oceanlotus May 2017) |
APT-C-00 | (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
OceanLotus | (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
Canvas Cyclone | (Citation: Microsoft Threat Actor Naming July 2023) |
BISMUTH | (Citation: Microsoft Threat Actor Naming July 2023) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
APT32 enumerated administrative users using the commands |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
APT32 has set up and operated websites to gather information and deliver malware.(Citation: Volexity Ocean Lotus November 2020) |
.006 | Acquire Infrastructure: Web Services |
APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020) |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017) |
.003 | Application Layer Protocol: Mail Protocols |
APT32 has used email for C2 via an Office macro.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
APT32 has used cmd.exe for execution.(Citation: Cybereason Cobalt Kitty 2017) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
APT32 has used macros, COM scriptlets, and VBS scripts.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
||
.007 | Command and Scripting Interpreter: JavaScript |
APT32 has used JavaScript for drive-by downloads and C2 communications.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020) |
||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
APT32 has set up Facebook pages in tandem with fake websites.(Citation: Volexity Ocean Lotus November 2020) |
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.(Citation: ESET OceanLotus Mar 2019) |
Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
APT32's macOS backdoor changes the permission of the file it wants to execute to 755.(Citation: ESET OceanLotus macOS April 2019) |
Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.(Citation: Amnesty Intl. Ocean Lotus February 2021) |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
APT32's macOS backdoor hides the clientID file via a chflags function.(Citation: ESET OceanLotus macOS April 2019) |
.003 | Hide Artifacts: Hidden Window |
APT32 has used the WindowStyle parameter to conceal PowerShell windows. (Citation: FireEye APT32 May 2017) (Citation: Cybereason Cobalt Kitty 2017) |
||
.004 | Hide Artifacts: NTFS File Attributes |
APT32 used NTFS alternate data streams to hide their payloads.(Citation: Cybereason Cobalt Kitty 2017) |
||
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
APT32 has cleared select event log entries.(Citation: FireEye APT32 May 2017) |
.004 | Indicator Removal: File Deletion |
APT32's macOS backdoor can receive a “delete” command.(Citation: ESET OceanLotus macOS April 2019) |
||
.006 | Indicator Removal: Timestomp |
APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019) |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.(Citation: Cybereason Cobalt Kitty 2017) |
Enterprise | T1036 | .003 | Masquerading: Rename System Utilities |
APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.(Citation: Twitter ItsReallyNick APT32 pubprn Masquerade) |
.004 | Masquerading: Masquerade Task or Service |
APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".(Citation: FireEye APT32 May 2017) |
||
.005 | Masquerading: Match Legitimate Name or Location |
APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. (Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020) |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
APT32 includes garbage code to mislead anti-malware software and researchers.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019) |
.010 | Obfuscated Files or Information: Command Obfuscation |
APT32 has used the `Invoke-Obfuscation` framework to obfuscate their PowerShell.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: Cybereason Cobalt Kitty 2017) |
||
.011 | Obfuscated Files or Information: Fileless Storage |
APT32's backdoor has stored its configuration in a registry key.(Citation: ESET OceanLotus Mar 2019) |
||
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
.002 | Phishing: Spearphishing Link |
APT32 has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: FireEye APT32 April 2020)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
||
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
APT32 has used malicious links to direct users to web pages designed to harvest credentials.(Citation: Volexity Ocean Lotus November 2020) |
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
APT32 used Net to use Windows' hidden network shares to copy their tools to remote machines for execution.(Citation: Cybereason Cobalt Kitty 2017) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
APT32 has used scheduled tasks to persist on victim systems.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
APT32 has used Web shells to maintain access to victim websites.(Citation: Volexity OceanLotus Nov 2017) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.(Citation: Volexity Ocean Lotus November 2020) |
.004 | Stage Capabilities: Drive-by Target |
APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.(Citation: Volexity Ocean Lotus November 2020) |
||
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
APT32 has used mshta.exe for code execution.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
.010 | System Binary Proxy Execution: Regsvr32 |
APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
||
.011 | System Binary Proxy Execution: Rundll32 |
APT32 malware has used rundll32.exe to execute an initial infection process.(Citation: Cybereason Cobalt Kitty 2017) |
||
Enterprise | T1216 | .001 | System Script Proxy Execution: PubPrn |
APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.(Citation: Twitter ItsReallyNick Status Update APT32 PubPrn) |
Enterprise | T1569 | .002 | System Services: Service Execution |
APT32's backdoor has used Windows services as a way to execute its malicious payload. (Citation: ESET OceanLotus Mar 2019) |
Enterprise | T1552 | .002 | Unsecured Credentials: Credentials in Registry |
APT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
APT32 has used pass the hash for lateral movement.(Citation: Cybereason Cobalt Kitty 2017) |
.003 | Use Alternate Authentication Material: Pass the Ticket |
APT32 successfully gained remote access by using pass the ticket.(Citation: Cybereason Cobalt Kitty 2017) |
||
Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
.002 | User Execution: Malicious File |
APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
||
Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
APT32 has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017) |
References
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Mudge, R. (2014, July 14). Github Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
- Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
- Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
- Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved September 12, 2024.
- Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
- Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.