Rewterz Threat Alert – APT32 Ocean Lotus – Active IOCs

Severity

High

Analysis Summary

Cyber espionage actors, aka APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially available tools, to conduct targeted operations that are aligned with Vietnamese state interests. In their current campaign, APT32 has leveraged files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver malicious attachments via spear-phishing emails. APT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had “.DRV” file extensions, the recovered phishing lures were web page archives that contained text and images.

Impact

• Information Theft and Espionage
• Data exfiltration

Indicators of Compromise

Filename

• filter_installer_biz[.]dll
• Utility[.]dll

MD5

• 982a70a4b6f187e6c520167d6e4eef5f
• b326474919df109da20282d740b4601c

SHA-256

• 017273ca56c6fa882add0e92406412c838c4175702a81a8207a6e8f95ed388eb
• aa6bb826d76d76e84da8c91888425a4d42afe2cd7172d11aee2906a13db6aabf

SHA-1

• 41f16966ac517f0b8186aa6aa2dc63691397da44
• 0872f89df5f1f0a3986459072f9c3c8bd6c26cad

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Always be suspicious about emails sent by unknown senders.
• Never click on links/ attachments sent by unknown senders.