APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.
Associated Group Descriptions
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1017 | Application Deployment Software | |
| Enterprise | T1043 | Commonly Used Port | |
| Enterprise | T1094 | Custom Command and Control Protocol | APT32 uses Cobalt Strike's malleable C2 functionality to blend in with network traffic. The group's backdoor can also exfiltrate data by encoding it in the subdomain field of DNS packets. Additionally, one of the group's macOS backdoors implements a specific format for the C2 packet involving random values. |
| | | | APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder). |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1222 | File and Directory Permissions Modification | |
| Enterprise | T1158 | Hidden Files and Directories | |
| Enterprise | T1070 | Indicator Removal on Host | |
| | | | APT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name. The group has also moved pubprn.vbs and renamed it to a .txt file to avoid detection. Additionally, the group has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. |
| Enterprise | T1031 | Modify Existing Service | |
| Enterprise | T1046 | Network Service Scanning | |
| Enterprise | T1096 | NTFS File Attributes | |
| Enterprise | T1027 | Obfuscated Files or Information | APT32 uses the Invoke-Obfuscation framework to obfuscate its PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in its macOS backdoor. |
| Enterprise | T1137 | Office Application Startup | |
| Enterprise | T1075 | Pass the Hash | |
| Enterprise | T1097 | Pass the Ticket | |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | |
| | | | APT32 created a Scheduled Task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor. |
| Enterprise | T1105 | Remote File Copy | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1216 | Signed Script Proxy Execution | |
| Enterprise | T1071 | Standard Application Layer Protocol | |
| Enterprise | T1082 | System Information Discovery | APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |
| | | | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID. |
| Enterprise | T1065 | Uncommonly Used Port | |
| Enterprise | T1077 | Windows Admin Shares | |
| Enterprise | T1047 | Windows Management Instrumentation | |
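Two defender-side checks for the behaviours described in the masquerading entry (a Unicode no-break space appended to a legitimate service name) and the timestamp entry (dropped files given the creation time of kernel32.dll) above. This is an added example and is not code from the ATT&CK page or from any of the vendor reports it draws on. The function names, the allowlist of legitimate names, and every sample name and file record are constructed assumptions standing in for output of a service inventory or a file-system timeline tool.

```python
"""Added detection helpers for two APT32 behaviours described above (example code,
not from the ATT&CK page): hidden characters in file/service names, and file
creation times copied from kernel32.dll. All sample data below is constructed."""
import unicodedata
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Unicode general categories that render as nothing: control (Cc), format (Cf),
# line/paragraph separators (Zl, Zp). Non-ASCII spaces (category Zs other than
# U+0020) are flagged as well; that is where U+00A0 NO-BREAK SPACE lives.
_INVISIBLE_CATEGORIES = frozenset({"Cc", "Cf", "Zl", "Zp"})


def hidden_chars(name: str) -> List[Tuple[int, str, str]]:
    """Return (index, code point, Unicode name) for every hidden character in
    `name`. A plain ASCII name such as 'svchost.exe' returns an empty list."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in _INVISIBLE_CATEGORIES or (cat == "Zs" and ch != " "):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits


def masquerade_target(name: str, legit_names: Iterable[str]) -> Optional[str]:
    """If `name` contains hidden characters and, with them removed, equals a known
    legitimate name, return that legitimate name (the one being impersonated)."""
    bad = {i for i, _, _ in hidden_chars(name)}
    if not bad:
        return None
    stripped = "".join(ch for i, ch in enumerate(name) if i not in bad)
    return stripped if stripped in set(legit_names) else None


def timestomp_candidates(records: List[dict], reference: str = "kernel32.dll") -> List[str]:
    """`records` stand in for a file-system timeline: dicts with 'path' and
    'created' (datetime). Return paths of files whose creation time exactly equals
    the reference system file's creation time. Unrelated files sharing that
    timestamp to the second is a rare coincidence and worth triaging."""
    ref = next((r for r in records if r["path"].lower().endswith("\\" + reference)), None)
    if ref is None:
        return []
    return [r["path"] for r in records
            if r is not ref and r["created"] == ref["created"]]


# Constructed sample input (hypothetical; not taken from any report).
LEGIT_NAMES = {"Spooler", "svchost.exe"}
SAMPLE_NAMES = ["Spooler", "Spooler\u00a0", "svchost.exe", "update\u200b.exe"]

KERNEL32_CREATED = datetime(2016, 7, 16, 11, 15, 30)
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\kernel32.dll", "created": KERNEL32_CREATED},
    {"path": r"C:\Windows\System32\user32.dll", "created": datetime(2016, 7, 16, 11, 15, 31)},
    {"path": r"C:\Users\Public\kb-10233.exe", "created": KERNEL32_CREATED},
    {"path": r"C:\ProgramData\update.dll", "created": datetime(2019, 3, 20, 9, 0, 0)},
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), hidden_chars(n), "impersonates:", masquerade_target(n, LEGIT_NAMES))
    print("creation time copied from kernel32.dll:", timestomp_candidates(SAMPLE_RECORDS))
```

The name check deliberately reports the code point and Unicode name rather than just a boolean, because the analyst reviewing a hit needs to see which invisible character was appended; `masquerade_target` then answers the follow-up question of which legitimate name is being imitated. The timestamp check compares to the second, so it catches the exact copy described above but not a timestamp merely set to the same day.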
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Dahan, A. (2017, May 24). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried Out by the OceanLotus Group. Retrieved November 5, 2018.
- Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
- Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved April 9, 2018.
- Carr, N. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved April 22, 2019.
- Mudge, R. (2014, July 14). GitHub Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.
- Horejsi, J. (2018, April 4). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.