APT32

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. [1] [2] [3]

ID: G0050
Contributors: Romain Dumont, ESET

Version: 2.0

Associated Group Descriptions

Name | Description
SeaLotus | [6]
OceanLotus | [1] [2] [6]
APT-C-00 | [3] [6]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | APT32 enumerated administrative users and DC servers using the commands net localgroup administrators and net group "Domain Controllers" /domain.[4]
Enterprise | T1017 | Application Deployment Software | APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1]
Enterprise | T1009 | Binary Padding | APT32 includes garbage code to mislead anti-malware software and researchers.[3][5]
Enterprise | T1059 | Command-Line Interface | APT32 has used cmd.exe for execution.[4]
Enterprise | T1043 | Commonly Used Port | APT32 has used port 80 for C2 communications.[6][4]
Enterprise | T1003 | Credential Dumping | APT32 used Mimikatz, GetPassword_x64, and customized versions of Windows Credential Dumper, HookChangePassword, and Outlook Credential Dumper to harvest credentials.[6][4]
Enterprise | T1094 | Custom Command and Control Protocol | APT32 uses Cobalt Strike's malleable C2 functionality to blend in with network traffic. The group's backdoor can also exfiltrate data by encoding it in the subdomain field of DNS packets. Additionally, one of the group's macOS backdoors implements a specific format for the C2 packet involving random values.[1][7][4][5][8]
Enterprise | T1002 | Data Compressed | APT32's backdoor has used LZMA compression before exfiltration.[5]
Enterprise | T1022 | Data Encrypted | APT32 backdoors have encrypted data before exfiltration, including by using RC4 encryption.[5][8]
Enterprise | T1073 | DLL Side-Loading | APT32 ran legitimately signed executables from Symantec and McAfee that load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[6][4][5]
Enterprise | T1189 | Drive-by Compromise | APT32 has infected victims by tricking them into visiting compromised watering hole websites.[3]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | APT32's backdoor has exfiltrated data over the channel already opened to its C&C server.[5]
Enterprise | T1203 | Exploitation for Client Execution | APT32 has used an RTF document containing an exploit (CVE-2017-11882) to execute malicious code.[5]
Enterprise | T1068 | Exploitation for Privilege Escalation | APT32 has used CVE-2016-7255 to escalate privileges.[1]
Enterprise | T1083 | File and Directory Discovery | APT32's backdoor can list files and directories on a machine.[5]
Enterprise | T1107 | File Deletion | APT32's macOS backdoor can receive a "delete" command.[8]
Enterprise | T1222 | File Permissions Modification | APT32's macOS backdoor changes the permissions of the file it wants to execute to 755.[8]
Enterprise | T1158 | Hidden Files and Directories | APT32's macOS backdoor hides the clientID file via a chflags function.[8]
Enterprise | T1070 | Indicator Removal on Host | APT32 has cleared select event log entries.[1]
Enterprise | T1036 | Masquerading | APT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name. They have also moved and renamed pubprn.vbs to a .txt file to avoid detection. Additionally, the group has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update.[1][9][4]
Enterprise | T1031 | Modify Existing Service | APT32 modified Windows services to ensure PowerShell scripts were loaded on the system.[4]
Enterprise | T1112 | Modify Registry | APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.[5]
Enterprise | T1170 | Mshta | APT32 has used mshta.exe for code execution.[6][4]
Enterprise | T1046 | Network Service Scanning | APT32 performed network scanning to search for open ports and services, fingerprint operating systems, and find other vulnerabilities.[4]
Enterprise | T1050 | New Service | APT32 creates a Windows service to establish persistence.[3][4][5]
Enterprise | T1096 | NTFS File Attributes | APT32 used NTFS alternate data streams to hide their payloads.[4]
Enterprise | T1027 | Obfuscated Files or Information | APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[1][10][3][6][4][5][8]
Enterprise | T1137 | Office Application Startup | APT32 installed a backdoor macro in Microsoft Outlook for persistence.[6][4]
Enterprise | T1075 | Pass the Hash | APT32 has used pass the hash for lateral movement.[4]
Enterprise | T1097 | Pass the Ticket | APT32 successfully gained remote access by using pass the ticket.[4]
Enterprise | T1086 | PowerShell | APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[1][6][4]
Enterprise | T1012 | Query Registry | APT32's backdoor can query the Windows Registry to gather system information.[5]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts and to execute their backdoor directly.[6][4][5]
Enterprise | T1117 | Regsvr32 | APT32 created a scheduled task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.[1][4][5]
Enterprise | T1105 | Remote File Copy | APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2][6]
Enterprise | T1018 | Remote System Discovery | APT32 used the net view command to show all shares available, including the administrative shares such as C$ and ADMIN$. APT32 also used the ping command.[4]
Enterprise | T1053 | Scheduled Task | APT32 has used scheduled tasks to persist on victim systems.[1][6][4][5]
Enterprise | T1064 | Scripting | APT32 has used macros, PowerShell scripts, COM scriptlets, and VBS scripts.[6][4]
Enterprise | T1035 | Service Execution | APT32's backdoor has used Windows services as a way to execute its malicious payload.[5]
Enterprise | T1216 | Signed Script Proxy Execution | APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[11]
Enterprise | T1045 | Software Packing | APT32 uses UPX to pack their macOS backdoor.[8]
Enterprise | T1193 | Spearphishing Attachment | APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[3][6][4][5]
Enterprise | T1192 | Spearphishing Link | APT32 has sent spearphishing emails containing malicious links.[3][6]
Enterprise | T1071 | Standard Application Layer Protocol | APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker-controlled domains to download additional frameworks. The group has also used email for C2 via an Office macro. The group's backdoor can also exfiltrate data by encoding it in the subdomain field of DNS packets.[2][6][4][5]
Enterprise | T1082 | System Information Discovery | APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server.[3][5][8]
Enterprise | T1016 | System Network Configuration Discovery | APT32 used the ipconfig /all command to gather the IP address from the system.[4]
Enterprise | T1049 | System Network Connections Discovery | APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine.[4]
Enterprise | T1033 | System Owner/User Discovery | APT32 collected the victim's username and executed the whoami command on the victim's machine.[3][4]
Enterprise | T1099 | Timestomp | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[1][5][8]
Enterprise | T1065 | Uncommonly Used Port | APT32's backdoor can use HTTP over an uncommon TCP port (e.g., 14146) specified in the backdoor configuration.[5]
Enterprise | T1204 | User Execution | APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[3][6][5]
Enterprise | T1078 | Valid Accounts | APT32 has used legitimate local admin account credentials.[1]
Enterprise | T1100 | Web Shell | APT32 has used Web shells to maintain access to victim websites.[2]
Enterprise | T1077 | Windows Admin Shares | APT32 used Net to access Windows' hidden network shares and copy their tools to remote machines for execution.[4]
Enterprise | T1047 | Windows Management Instrumentation | APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.[4]

Software

ID | Name | References | Techniques
S0099 | Arp | [4] | System Network Configuration Discovery
S0154 | Cobalt Strike | [1][2][6][4] | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0354 | Denis | [6][4] | Command-Line Interface, Commonly Used Port, Data Compressed, Data Encoding, Deobfuscate/Decode Files or Information, DLL Side-Loading, File and Directory Discovery, File Deletion, Obfuscated Files or Information, Process Injection, Query Registry, Remote File Copy, Scripting, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0100 | ipconfig | [4] | System Network Configuration Discovery
S0156 | KOMPROGO | [1] | Command-Line Interface, System Information Discovery, Windows Management Instrumentation
S0002 | Mimikatz | [1][6][4] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 | Net | [4] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0108 | netsh | [4] | Connection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery
S0352 | OSX_OCEANLOTUS.D | [12] | Command-Line Interface, Data Encrypted, File Deletion, Hidden Files and Directories, Launch Agent, Launch Daemon, Obfuscated Files or Information, Remote File Copy, Scripting, System Information Discovery
S0158 | PHOREAL | [1] | Command-Line Interface, Custom Command and Control Protocol, Modify Registry, Standard Non-Application Layer Protocol
S0157 | SOUNDBITE | [1] | Application Window Discovery, File and Directory Discovery, Modify Registry, Standard Application Layer Protocol, System Information Discovery
S0155 | WINDSHIELD | [1] | Custom Command and Control Protocol, File Deletion, Query Registry, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery

References