Analysis Summary

A Vietnam-based threat group, APT32 (OceanLotus Group) has been active since 2014. It is well-known for carrying out sophisticated attacks on a variety of private companies, journalists, foreign governments, and activists, with a major focus on Southeast Asian nations such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has utilized smart web breaches to compromise victims.

APT32 uses a unique suite of fully-featured malware in combination with commercially available tools to undertake targeted operations that are congruent with Vietnamese state interests. The APT32 attack includes irrelevant code to deceive security tools and go undetected. Threat actors behind this group appear to be well-resourced and supported since they employ a diverse collection of domains and IP addresses as command and control infrastructure.

Impact

• Espionage and Intellectual Theft
• Extrusion of Data

Indicators of Compromise

SHA1

• cf3fb8d112ad64216b3b0fec83deb0d19b5f8fd1
• 2f078f3ed2ce7e67e54c198edb2f9acc8afa236c
• d2e729c1ef43f777e2a0d1467d284f6041b9ec84
• 8524e3d0ada54957b5a12f87424a8358899f44b8
• a92ba87b1df475535a089fc3d2a3690aa1c59a6f
• 6083b1c3cdfc5dbc27010cc38d3d66c6ddcf0347
• c7a2684ec7dc6484655e8dfe5b184341c416a3e0
• 93708b635f11f182d5541274d0ac7b7d5baf3795
• 6a8d20cf325b766e69f6133b3a7325034b76948c
• 06adabcb962b5cf5d9fb63542518a5b80b5a9ad4

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zerodays.
• Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
• Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
• Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.