APT32

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, Phillipines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. [1] [2] [3]

ID: G0050
Aliases: APT32, OceanLotus Group, APT-C-00
Version: 1.0

Alias Descriptions

NameDescription
APT32[1] [2]
OceanLotus Group[1] [2]
APT-C-00[3]

Techniques Used

DomainIDNameUse
EnterpriseT1017Application Deployment SoftwareAPT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1]
EnterpriseT1009Binary PaddingAPT32 includes garbage code to mislead anti-malware software and researchers.[3]
EnterpriseT1094Custom Command and Control ProtocolAPT32 uses Cobalt Strike's malleable C2 functionality to blend in with network traffic.[1][4]
EnterpriseT1073DLL Side-LoadingAPT32 ran genuinely-signed executables from Symantec and McAfee which loaded a malicious DLL called rastls.dll.[3]
EnterpriseT1189Drive-by CompromiseAPT32 has infected victims by tricking them into visiting compromised watering hole websites.[3]
EnterpriseT1068Exploitation for Privilege EscalationAPT32 has used CVE-2016-7255 to escalate privileges.[1]
EnterpriseT1070Indicator Removal on HostAPT32 has cleared select event log entries.[1]
EnterpriseT1036MasqueradingAPT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name.[1]
EnterpriseT1050New ServiceAPT32 creates a Windows service to establish persistence.[3]
EnterpriseT1027Obfuscated Files or InformationAPT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation.[1][5][3]
EnterpriseT1086PowerShellAPT32 has used PowerShell-based tools and shellcode loaders for execution.[1]
EnterpriseT1117Regsvr32APT32 created a Scheduled Task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory.[1]
EnterpriseT1105Remote File CopyAPT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2]
EnterpriseT1053Scheduled TaskAPT32 has used scheduled tasks to persist on victim systems.[1]
EnterpriseT1216Signed Script Proxy ExecutionAPT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[6]
EnterpriseT1193Spearphishing AttachmentAPT32 sends emails to victims with a malicious executable disguised as a document or spreadsheet displaying a fake icon.[3]
EnterpriseT1071Standard Application Layer ProtocolAPT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks.[2]
EnterpriseT1082System Information DiscoveryAPT32 collects the OS version and computer name.[3]
EnterpriseT1033System Owner/User DiscoveryAPT32 collects the victim's username.[3]
EnterpriseT1099TimestompAPT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016.[1]
EnterpriseT1204User ExecutionAPT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[3]
EnterpriseT1078Valid AccountsAPT32 has used legitimate local admin account credentials.[1]
EnterpriseT1100Web ShellAPT32 has used Web shells to maintain access to victim websites.[2]

Software

IDNameTechniques
S0154Cobalt StrikeAccess Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0156KOMPROGOCommand-Line Interface, System Information Discovery, Windows Management Instrumentation
S0002MimikatzAccount Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0158PHOREALCommand-Line Interface, Custom Command and Control Protocol, Modify Registry, Standard Non-Application Layer Protocol
S0157SOUNDBITEApplication Window Discovery, File and Directory Discovery, Modify Registry, Standard Application Layer Protocol, System Information Discovery
S0155WINDSHIELDCustom Command and Control Protocol, File Deletion, Query Registry, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery

References