Analysis Summary

A Vietnam-based threat group, APT32 (OceanLotus Group) has been active since 2014. It is well-known for carrying out sophisticated attacks on a variety of private companies, journalists, foreign governments, and activists, with a major focus on Southeast Asian nations such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has utilized smart web breaches to compromise victims. 

APT32 uses a unique suite of fully-featured malware in combination with commercially available tools to undertake targeted operations that are congruent with Vietnamese state interests. The APT32 attack includes irrelevant code to deceive security tools and go undetected. Threat actors behind this group appear to be well-resourced and supported since they employ a diverse collection of domains and IP addresses as command and control infrastructure.

Impact

• Espionage and Intellectual Theft
• Extrusion of Data

Indicators of Compromise

MD5

• 7359c60a8ca079c00f6cbe7556224ac5
• 901c15247f858aac0ef1240b834942a7

SHA-256

• 57fff03990c4eb45b4fdcaa8df0794658cf6e11fe4fd5011400758bd8cbc5a63
• e0b176aa8d4496adef17b4a698a84872b02ed13dd0ffab6a9f040b20578c07d2

SHA-1

• d16a4d6a63c030ff88b55d4fe37d63ed547b64b7
• 41808d250be2c08eb194b4b1d3293a8712f11ad1

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Emails from unknown senders should always be treated with caution.
• Never open links or attachments from unknown senders.