Analysis Summary

A Vietnam-based threat group, APT32 (OceanLotus Group) has been active since 2014. It is well-known for carrying out sophisticated attacks on a variety of private companies, journalists, foreign governments, and activists, with a major focus on Southeast Asian nations such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has utilized smart web breaches to compromise victims.

APT32 uses a unique suite of fully-featured malware in combination with commercially available tools to undertake targeted operations that are congruent with Vietnamese state interests. The APT32 attack includes irrelevant code to deceive security tools and go undetected. Threat actors behind this group appear to be well-resourced and supported since they employ a diverse collection of domains and IP addresses as command and control infrastructure.

Impact

• Espionage and Intellectual Theft
• Extrusion of Data

Indicators of Compromise

IP

MD5

• 7d363df02814de0a9e72b51961fd00cf
• 9ad37ce054ca1523d26bb49fbc80dff6
• 9e328ff314e654189255289ca5165c09
• 4a2e2fe59c21cbefbbad3bb8d2852a44
• 78e3dec5e0f811f7e2e80b232e32a7d1
• 34001d0298d903033517f5783e574045
• aff6cae1b461c830f6cf0efe2364101d
• 9476ae68b01c0167254b3ec638e619b9

SHA-256

• 49d3777d0d02cd2a4d1c44313c72279fee1681c1e3566535f9117d17b274424b
• acf0fb4dac33e197de3a3e142eeaa7e5a892607424e8ea8708d49c65f3703d61
• 87bfce678855fa498d85b143beaf129f9bd468ebdcc1226b2ba39780a02f3d2e
• aac2cbd4cb119dec6c9a8c58f86b8bdd83d27fdaed85149bb2572599de9e32c0
• 6c959ea4fd3b4dcf8202237870e0782a18bfde05418157b42377c9475355d3ac
• 774c9181a53d08b245a71a2cf7f55c24c4dbc7fa5e4b7e0aa39f855c74c65e55
• ba27c022b5e81fc719ed3097f950bb3e7613dc2c8b9b2851bbb573f7c48ae286
• 6cb80b939b8de9f15726391f807b947951083da28c2647b8c8451021d559f7ee

SHA-1

• 0a240f1e2a7d1fbe4aebe0cbf0f8b3c8dd26bb6f
• edb84411b8f4a8adb71243c3119265fe5426ccdc
• f67c2d56b266a1e9d8e03ef51f500b361bd961b9
• 5b5c71dcbe37a4d10cd571fd2c3c58788be6c9c9
• 771a756ea6216b3c8a41d349c100a4fe831f087f
• b45cd95ccf32f8051afa589760fde5199feabdfb
• 9ca0628863cb77fea77f35bbbb7a5b1508a2efa7
• 161722489fae72cec9f6ef3b3b01ea1a67744a47

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Emails from unknown senders should always be treated with caution.
• Never open links or attachments from unknown senders.