
G0050 APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. The group has made extensive use of strategic web compromises (watering holes) to reach its victims.[1][2][3]

Item Value
ID G0050
Associated Names SeaLotus, OceanLotus, APT-C-00
Version 2.5
Created 14 December 2017
Last Modified 14 October 2021

Associated Group Descriptions

Name Description
SeaLotus [4]
OceanLotus [1][2][4][5][6]
APT-C-00 [3][4][5][6]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account APT32 enumerated administrative users using the command net localgroup administrators.[7]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains APT32 has set up and operated websites to gather information and deliver malware.[8]
enterprise T1583.006 Web Services APT32 has set up Dropbox, Amazon S3, and Google Drive storage to host malicious downloads.[8]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT32 has used JavaScript that communicates over HTTP or HTTPS with attacker-controlled domains to download additional frameworks. The group has also downloaded encrypted payloads over HTTP.[2][7]
enterprise T1071.003 Mail Protocols APT32 has used email for C2 via an Office macro.[4][7]
enterprise T1560 Archive Collected Data APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[5]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts and to execute its backdoor directly.[4][7][5]
enterprise T1059 Command and Scripting Interpreter APT32 has used COM scriptlets to download Cobalt Strike beacons.[7]
enterprise T1059.001 PowerShell APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[1][4][7]
enterprise T1059.003 Windows Command Shell APT32 has used cmd.exe for execution.[7]
enterprise T1059.005 Visual Basic APT32 has used macros, COM scriptlets, and VBS scripts.[4][7]
enterprise T1059.007 JavaScript APT32 has used JavaScript for drive-by downloads and C2 communications.[7][8]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service APT32 modified Windows services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.[3][7][5]
enterprise T1189 Drive-by Compromise APT32 has infected victims by tricking them into visiting compromised watering hole websites.[3][8]
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts APT32 has set up Facebook pages in tandem with fake websites.[8]
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.[5]
enterprise T1041 Exfiltration Over C2 Channel APT32's backdoor has exfiltrated data using the already opened channel to its C&C server.[5]
enterprise T1203 Exploitation for Client Execution APT32 has used an RTF document that includes an exploit (CVE-2017-11882) to execute malicious code.[5]
enterprise T1068 Exploitation for Privilege Escalation APT32 has used CVE-2016-7255 to escalate privileges.[1]
enterprise T1083 File and Directory Discovery APT32's backdoor can list files and directories on a machine.[5]
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification APT32's macOS backdoor changes the permissions of the file it wants to execute to 755.[10]
enterprise T1589 Gather Victim Identity Information APT32 has conducted targeted surveillance against activists and bloggers.[6]
enterprise T1589.002 Email Addresses APT32 has collected e-mail addresses of activists and bloggers in order to target them with spyware.[6]
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories APT32's macOS backdoor hides the clientID file via the chflags function.[10]
enterprise T1564.003 Hidden Window APT32 has used the WindowStyle parameter to conceal PowerShell windows.[1][7]
enterprise T1564.004 NTFS File Attributes APT32 used NTFS alternate data streams to hide its payloads.[7]
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading APT32 ran legitimately signed executables from Symantec and McAfee that load a malicious DLL. The group also side-loads its backdoor by dropping a library next to a legitimate, signed executable (AcroTranscoder).[4][7][5]
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs APT32 has cleared select event log entries.[1]
enterprise T1070.004 File Deletion APT32's macOS backdoor can receive a "delete" command.[10]
enterprise T1070.006 Timestomp APT32 has used raw scheduled task XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[1][5][10]
enterprise T1105 Ingress Tool Transfer APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging APT32 has abused the PasswordChangeNotify password filter callback to monitor for and capture account password changes.[7]
enterprise T1570 Lateral Tool Transfer APT32 has deployed tools after moving laterally using administrative accounts.[7]
enterprise T1036 Masquerading APT32 has disguised a Cobalt Strike beacon as a Flash installer.[7]
enterprise T1036.003 Rename System Utilities APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.[9]
enterprise T1036.004 Masquerade Task or Service APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".[1]
enterprise T1036.005 Match Legitimate Name or Location APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.[7][8]
enterprise T1112 Modify Registry APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.[5]
enterprise T1046 Network Service Discovery APT32 performed network scanning to search for open ports, services, OS fingerprints, and other vulnerabilities.[7]
enterprise T1135 Network Share Discovery APT32 used the net view command to show all available shares, including administrative shares such as C$ and ADMIN$.[7]
enterprise T1571 Non-Standard Port An APT32 backdoor can use HTTP over a non-standard TCP port (e.g., 14146) that is specified in the backdoor configuration.[5]
enterprise T1027 Obfuscated Files or Information APT32 uses the Invoke-Obfuscation framework to obfuscate its PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in its macOS backdoor.[1][12][3][4][7][5][10]
enterprise T1027.001 Binary Padding APT32 includes garbage code to mislead anti-malware software and researchers.[3][5]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.[1][4]
enterprise T1137 Office Application Startup APT32 has replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.[4][7]
enterprise T1003 OS Credential Dumping APT32 used GetPassword_x64 to harvest credentials.[4][7]
enterprise T1003.001 LSASS Memory APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[4][7]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[3][4][7][5][11][6]
enterprise T1566.002 Spearphishing Link APT32 has sent spearphishing emails containing malicious links.[3][4][11][8][6]
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link APT32 has used malicious links to direct users to web pages designed to harvest credentials.[8]
enterprise T1055 Process Injection APT32 malware has injected a Cobalt Strike beacon into rundll32.exe.[7]
enterprise T1012 Query Registry APT32's backdoor can query the Windows Registry to gather system information.[5]
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares APT32 used the net utility to reach Windows hidden administrative shares and copy its tools to remote machines for execution.[7]
enterprise T1018 Remote System Discovery APT32 has enumerated domain controllers using the command net group "Domain Controllers" /domain. The group has also used the ping command.[7]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT32 has used scheduled tasks to persist on victim systems.[1][4][7][5]
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell APT32 has used web shells to maintain access to victim websites.[2]
enterprise T1072 Software Deployment Tools APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.[8]
enterprise T1608.004 Drive-by Target APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.[8]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta APT32 has used mshta.exe for code execution.[4][7]
enterprise T1218.010 Regsvr32 APT32 created a scheduled task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run its backdoor.[5][1][7]
enterprise T1218.011 Rundll32 APT32 malware has used rundll32.exe to execute an initial infection process.[7]
enterprise T1082 System Information Discovery APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and a macOS backdoor fingerprints the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[3][5][10][11]
enterprise T1016 System Network Configuration Discovery APT32 used the ipconfig /all command to gather the IP address of the system.[7]
enterprise T1049 System Network Connections Discovery APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine.[7]
enterprise T1033 System Owner/User Discovery APT32 collected the victim's username and executed the whoami command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine.[1][11][3][7]
enterprise T1216 System Script Proxy Execution -
enterprise T1216.001 PubPrn APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[13]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution APT32's backdoor has used Windows services as a way to execute its malicious payload.[5]
enterprise T1552 Unsecured Credentials -
enterprise T1552.002 Credentials in Registry APT32 used Outlook Credential Dumper to harvest credentials stored in the Windows Registry.[4][7]
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash APT32 has used pass the hash for lateral movement.[7]
enterprise T1550.003 Pass the Ticket APT32 successfully gained remote access by using pass the ticket.[7]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[7][8][6]
enterprise T1204.002 Malicious File APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[3][4][5][11][6]
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts APT32 has used legitimate local admin account credentials.[1]
enterprise T1102 Web Service APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[8]
enterprise T1047 Windows Management Instrumentation APT32 used WMI to deploy its tools on remote machines and to gather information about the Outlook process.[7]
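
The T1048.003 entry above describes the backdoor encoding exfiltrated data in the subdomain field of DNS queries. What follows is an added hunting example, not code from this page or from any APT32 sample, that scores a resolver log for that pattern: many distinct, long, high-entropy leftmost labels under a single registered domain. The log line format, the thresholds and the two-label registered-domain heuristic are assumptions, and the log lines are constructed.

```python
"""Hunt for data carried in DNS subdomains (the T1048.003 behaviour above).

Added example, not code from the ATT&CK page or any APT32 sample. Input format,
thresholds and the registered-domain heuristic are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qtype> <qname>". Not real telemetry.
SAMPLE_DNS_LOG = """\
1617267001 10.0.0.15 A www.microsoft.com
1617267003 10.0.0.15 A ocsp.digicert.com
1617267005 10.0.0.15 TXT 5a6f2b9d1c4e8f70a3b1.cdn-sync.example.net
1617267006 10.0.0.15 TXT 9e31c0d7f4a28b6e5d0c.cdn-sync.example.net
1617267007 10.0.0.15 TXT 1b7d4f0a9c3e6f2d8a5b.cdn-sync.example.net
1617267008 10.0.0.15 TXT d4c8e2a6f0b3971e5c2a.cdn-sync.example.net
1617267009 10.0.0.15 TXT 7f0e3b5d9a1c4e6f2b8d.cdn-sync.example.net
1617267010 10.0.0.15 TXT a2c4e6f8b0d1c3e5f7a9.cdn-sync.example.net
1617267011 10.0.0.22 A mail.example.org
1617267012 10.0.0.22 A a1.mail.example.org
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32/base64 chunks score high, real words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumption: the registered domain is
    the last two labels. That is wrong for suffixes such as co.uk; use a public
    suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (epoch, client, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def hunt_dns_exfil(text: str, min_unique=5, min_len=16, min_entropy=3.0):
    """Flag registered domains that receive many distinct, long, high-entropy
    leftmost labels: the shape of data chunks riding in the subdomain field.
    Thresholds are assumptions to tune against your own baseline."""
    per_domain = defaultdict(set)
    for _ts, _client, _qtype, qname in parse_log(text):
        sub, dom = split_qname(qname)
        if sub:
            per_domain[dom].add(sub)
    hits = []
    for dom, subs in per_domain.items():
        if len(subs) < min_unique:
            continue
        chunks = [s.split(".")[0] for s in subs]  # leftmost label carries the data
        avg_len = sum(len(c) for c in chunks) / len(chunks)
        avg_ent = sum(shannon_entropy(c) for c in chunks) / len(chunks)
        if avg_len >= min_len and avg_ent >= min_entropy:
            hits.append({
                "domain": dom,
                "unique_subdomains": len(subs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    return sorted(hits, key=lambda h: h["unique_subdomains"], reverse=True)


if __name__ == "__main__":
    for hit in hunt_dns_exfil(SAMPLE_DNS_LOG):
        print(hit)
```

Against the constructed log only example.net is reported: six distinct 20-character hex labels under one domain, while the ordinary hostnames under microsoft.com and example.org stay below the unique-subdomain threshold. Run on real resolver logs, aggregate per client as well as per domain and raise min_unique, since CDNs and anti-spam lookups legitimately produce hashed labels.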

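The T1036.004 and T1036.005 entries above describe service names padded with a Unicode no-break space and binaries renamed after legitimate files. The following added example, not from this page or from APT32 tooling, checks a service inventory for names that carry invisible code points or that collide with another name once normalised. The service list is constructed, and the rule that a colliding service is only suspect when its binary sits outside C:\Windows is an assumption.

```python
"""Flag service names that masquerade via invisible Unicode (T1036.004) or that
collide with a known name after normalisation (T1036.005).

Added example; not code from the page or any APT32 tooling. The inventory is
constructed and the system-directory rule is an assumption.
"""
import unicodedata
from collections import defaultdict

# Constructed export of (Name, DisplayName, PathName); not from a real host.
SAMPLE_SERVICES = [
    ("Schedule", "Task Scheduler", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Schedule\u00a0", "Task Scheduler", r"C:\ProgramData\update\install_flashplayer.exe"),
    ("wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("wuauserv\u200b", "Windows Update", r"C:\Users\Public\kb-10233.exe"),
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

INVISIBLE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}  # control, format, line/para separators
DROP_CATEGORIES = INVISIBLE_CATEGORIES | {"Zs"}  # plus every kind of space
SYSTEM_DIR = "c:\\windows\\"  # assumption: legitimate service binaries live here


def invisible_chars(name: str):
    """Code points a human would not see in a service list: controls, format
    characters (zero-width), and any space other than ASCII U+0020, which
    catches the no-break space U+00A0 used to pad a legitimate name."""
    return [
        f"U+{ord(ch):04X}"
        for ch in name
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES
        or (unicodedata.category(ch) == "Zs" and ch != " ")
    ]


def canonical(name: str) -> str:
    """Comparison key: NFKC folds compatibility forms (fullwidth letters, and
    U+00A0 becomes a plain space), then every space/invisible character is
    dropped and the result case-folded, so 'Schedule\\u00a0' == 'schedule'."""
    folded = unicodedata.normalize("NFKC", name)
    kept = "".join(ch for ch in folded if unicodedata.category(ch) not in DROP_CATEGORIES)
    return kept.casefold()


def find_masquerades(services):
    """Return one finding per service whose Name carries invisible code points,
    or whose canonical Name collides with another raw Name while its binary
    lives outside the system directory."""
    by_key = defaultdict(list)
    for svc in services:
        by_key[canonical(svc[0])].append(svc)
    findings = []
    for key, group in by_key.items():
        raw_names = {svc[0] for svc in group}
        for name, display, path in group:
            reasons = []
            inv = invisible_chars(name)
            if inv:
                reasons.append("invisible code points: " + ", ".join(inv))
            outside_system = not path.lower().startswith(SYSTEM_DIR)
            if len(raw_names) > 1 and (inv or outside_system):
                others = sorted(repr(n) for n in raw_names - {name})
                reasons.append("collides after normalisation with " + ", ".join(others))
            if reasons:
                findings.append({"name": name, "display": display, "path": path,
                                 "key": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_masquerades(SAMPLE_SERVICES):
        print(repr(f["name"]), f["path"], "|", "; ".join(f["reasons"]))
```

On a live host the equivalent input is `Get-CimInstance Win32_Service | Select-Object Name, DisplayName, PathName | Export-Csv services.csv -NoTypeInformation`, which preserves the non-printing characters that `sc query` output on a console may render as plain spaces. The same two checks apply unchanged to scheduled task names and Run key value names.
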
Software

ID Name References Techniques
S0099 Arp [7] Remote System Discovery; System Network Configuration Discovery
S0154 Cobalt Strike - Bypass User Account Control: Abuse Elevation Control Mechanism; Sudo and Sudo Caching: Abuse Elevation Control Mechanism; Make and Impersonate Token: Access Token Manipulation; Parent PID Spoofing: Access Token Manipulation; Token Impersonation/Theft: Access Token Manipulation; Domain Account: Account Discovery; Application Layer Protocol; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Python: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; JavaScript: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Commonly Used Port; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Protocol Impersonation: Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Asymmetric Cryptography: Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Timestomp: Indicator Removal on Host; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools: Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros: Office Application Startup; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Local Groups: Permission Groups Discovery; Domain Groups: Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection: Process Injection; Process Hollowing: Process Injection; Process Injection; Protocol Tunneling; Domain Fronting: Proxy; Internal Proxy: Proxy; Query Registry; Reflective Code Loading; Windows Remote Management: Remote Services; Remote Desktop Protocol: Remote Services; SMB/Windows Admin Shares: Remote Services; Distributed Component Object Model: Remote Services; SSH: Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing: Subvert Trust Controls; Rundll32: System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; Pass the Hash: Use Alternate Authentication Material; Domain Accounts: Valid Accounts; Local Accounts: Valid Accounts; Windows Management Instrumentation
S0354 Denis - DNS: Application Layer Protocol; Archive via Library: Archive Collected Data; PowerShell: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Deobfuscate/Decode Files or Information; File and Directory Discovery; Hijack Execution Flow; DLL Side-Loading: Hijack Execution Flow; File Deletion: Indicator Removal on Host; Ingress Tool Transfer; Native API; Obfuscated Files or Information; Process Hollowing: Process Injection; Query Registry; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Checks: Virtualization/Sandbox Evasion
S0477 Goopy - DNS: Application Layer Protocol; Mail Protocols: Application Layer Protocol; Web Protocols: Application Layer Protocol; Visual Basic: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; Deobfuscate/Decode Files or Information; Exfiltration Over C2 Channel; DLL Side-Loading: Hijack Execution Flow; Disable or Modify Tools: Impair Defenses; Indicator Removal on Host; Match Legitimate Name or Location: Masquerading; Native API; Binary Padding: Obfuscated Files or Information; Obfuscated Files or Information; Process Discovery; Scheduled Task: Scheduled Task/Job; System Owner/User Discovery
S0100 ipconfig - System Network Configuration Discovery
S0585 Kerrdown - Visual Basic: Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; DLL Side-Loading: Hijack Execution Flow; Ingress Tool Transfer; Obfuscated Files or Information; Spearphishing Attachment: Phishing; Spearphishing Link: Phishing; System Information Discovery; Malicious File: User Execution; Malicious Link: User Execution
S0156 KOMPROGO - Windows Command Shell: Command and Scripting Interpreter; System Information Discovery; Windows Management Instrumentation
S0002 Mimikatz - SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; LSA Secrets: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Rogue Domain Controller; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Hash: Use Alternate Authentication Material; Pass the Ticket: Use Alternate Authentication Material
S0039 Net - Domain Account: Account Discovery; Local Account: Account Discovery; Domain Account: Create Account; Local Account: Create Account; Network Share Connection Removal: Indicator Removal on Host; Network Share Discovery; Password Policy Discovery; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; SMB/Windows Admin Shares: Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; System Time Discovery
S0108 netsh - Netsh Helper DLL: Event Triggered Execution; Disable or Modify System Firewall: Impair Defenses; Proxy; Security Software Discovery: Software Discovery
S0352 OSX_OCEANLOTUS.D - Web Protocols: Application Layer Protocol; Archive via Custom Method: Archive Collected Data; Unix Shell: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; Launch Agent: Create or Modify System Process; Launch Daemon: Create or Modify System Process; Data from Local System; Linux and Mac File and Directory Permissions Modification: File and Directory Permissions Modification; Hidden Files and Directories: Hide Artifacts; File Deletion: Indicator Removal on Host; Timestomp: Indicator Removal on Host; Ingress Tool Transfer; Masquerade Task or Service: Masquerading; Software Packing: Obfuscated Files or Information; Obfuscated Files or Information; Gatekeeper Bypass: Subvert Trust Controls; System Information Discovery; System Network Configuration Discovery; System Checks: Virtualization/Sandbox Evasion
S0158 PHOREAL - Windows Command Shell: Command and Scripting Interpreter; Modify Registry; Non-Application Layer Protocol
S0157 SOUNDBITE - DNS: Application Layer Protocol; Application Window Discovery; File and Directory Discovery; Modify Registry; System Information Discovery
S0155 WINDSHIELD - File Deletion: Indicator Removal on Host; Non-Application Layer Protocol; Query Registry; System Information Discovery; System Owner/User Discovery

References


  1. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

  2. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.

  3. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.

  4. Dahan, A. (2017, May 24). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried Out by the OceanLotus Group. Retrieved November 5, 2018.

  5. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.

  6. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.

  7. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

  8. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

  9. Carr, N. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved April 22, 2019.

  10. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.

  11. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.

  12. Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.

  13. Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved April 9, 2018.

  14. Horejsi, J. (2018, April 4). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.

  15. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus' new Downloader, KerrDown. Retrieved October 1, 2021.
