Group: APT32, OceanLotus Group
Aliases: APT32, OceanLotus Group
APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, and has made extensive use of strategic web compromises to gain access to victims. The group is believed to be Vietnam-based. [1][2]
- Regsvr32 - APT32 created a Scheduled Task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. [1]
- Custom Command and Control Protocol - APT32 uses Cobalt Strike's malleable C2 functionality to blend in with network traffic. [1][3]
- Obfuscated Files or Information - APT32 has used the Invoke-Obfuscation framework to obfuscate their PowerShell. [1][4]
- Application Deployment Software - APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task. [1]
- Masquerading - APT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name. [1]
- Signed Script Proxy Execution - APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses. [5]
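One way to hunt for the hidden-character masquerading described above: compare observed service or file names against an allow-list after stripping invisible code points. This is an added example, not code from the ATT&CK page or any of the referenced reports; the service names and allow-list are constructed.

```python
"""Flag names padded with hidden / non-printing characters (added example)."""
import unicodedata

# Categories that render as nothing or as plain whitespace:
# Cc control, Cf format (e.g. zero-width space), Zs/Zl/Zp separators.
HIDDEN_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}


def hidden_chars(name):
    """Return (position, code point, Unicode name) for each hidden character.
    An interior ASCII space is allowed ("Windows Update" is a normal name)."""
    findings = []
    for pos, ch in enumerate(name):
        if ch == " " and 0 < pos < len(name) - 1:
            continue
        if unicodedata.category(ch) in HIDDEN_CATEGORIES:
            findings.append((pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def visible_form(name):
    """Collapse the name to what an operator would see: any space-like character
    becomes an ASCII space, zero-width/control characters are dropped."""
    out = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat in ("Zs", "Zl", "Zp"):
            out.append(" ")
        elif cat not in ("Cc", "Cf"):
            out.append(ch)
    return " ".join("".join(out).split())


def check_services(observed, known_good):
    """Return (observed, looks_like, hidden_chars) for names that collapse onto a
    known-good name once hidden padding is removed, i.e. likely masquerading."""
    alerts = []
    for name in observed:
        hits = hidden_chars(name)
        if hits and visible_form(name) in known_good:
            alerts.append((name, visible_form(name), hits))
    return alerts


# Constructed sample data, not taken from any real incident.
KNOWN_GOOD = {"Windows Update", "Print Spooler"}
OBSERVED = [
    "Windows Update",          # legitimate
    "Windows Update\u00a0",    # trailing no-break space (the technique above)
    "Print\u00a0Spooler",      # no-break space substituted for the real space
    "Print Spooler\u200b",     # trailing zero-width space
    "Backup Agent",            # unrelated, no hidden characters
]

if __name__ == "__main__":
    for name, looks_like, hits in check_services(OBSERVED, KNOWN_GOOD):
        print(f"{name!r} masquerades as {looks_like!r}: {hits}")
```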
References:
- [1] Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- [2] Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- [3] Mudge, R. (2014, July 14). GitHub Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.