Analysis Summary

A Vietnam-based threat group, APT32 (OceanLotus Group) has been active since 2014. It is well-known for carrying out sophisticated attacks on a variety of private companies, journalists, foreign governments, and activists, with a major focus on Southeast Asian nations such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has utilized smart web breaches to compromise victims.

APT32 uses a unique suite of fully-featured malware in combination with commercially available tools to undertake targeted operations that are congruent with Vietnamese state interests. The APT32 attack includes irrelevant code to deceive security tools and go undetected. Threat actors behind this group appear to be well-resourced and supported since they employ a diverse collection of domains and IP addresses as command and control infrastructure.

Impact

• Espionage and Intellectual Theft
• Extrusion of Data

Indicators of Compromise

MD5

• 1130f9ae901a1f54372cedfffce2bdeb
• 40bafa2cf3ce10f5a3ba1b080062d851

SHA-256

• f197ee22e964192080d6c5e2b4deff477da09f58aeb3d99c6fd4ecd038139b9d
• f6270624e606ec0768b6821cada234b8116df6d79c0a015409359dcbdaebf082

SHA-1

• 6e513fe2b3c646dabe891e8e645a49a2170a8c8b
• cb7d9e01a1222c4fcb9d0ecf31830b43510a7602

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zerodays.
• Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
• Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
• Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.