Introduction
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. It has made extensive use of strategic web compromises (watering-hole attacks on sites its intended victims visit) to gain initial access. [9][13][12]
Activities and Tactics
Targeted Sectors: Government, Media, Technology, Dissidents, Administration, Journalist, Private sector, Civil society
Country of Origin: 🇻🇳 Vietnam
Risk Level: High
First Seen: 2012
Last Activity: 2024
Incident Type: Espionage
Suspected Victims: China, Germany, United States, Vietnam, Philippines, Association of Southeast Asian Nations
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1550.002 Pass the Hash
- T1036 Masquerading
- T1059.007 JavaScript
- T1047 Windows Management Instrumentation
- T1072 Software Deployment Tools
- T1570 Lateral Tool Transfer
- T1564.004 NTFS File Attributes
- T1552.002 Credentials in Registry
- T1055 Process Injection
- T1216.001 PubPrn
- T1566.001 Spearphishing Attachment
- T1135 Network Share Discovery
- T1033 System Owner/User Discovery
- T1571 Non-Standard Port
- T1082 System Information Discovery
- T1583.001 Domains
- T1012 Query Registry
- T1027.010 Command Obfuscation
- T1059.003 Windows Command Shell
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1574.001 DLL
- T1566.002 Spearphishing Link
- T1598.003 Spearphishing Link
- T1087.001 Local Account
- T1059.001 PowerShell
- T1003.001 LSASS Memory
- T1046 Network Service Discovery
- T1608.004 Drive-by Target
- T1041 Exfiltration Over C2 Channel
- T1036.004 Masquerade Task or Service
- T1003 OS Credential Dumping
- T1078.003 Local Accounts
- T1589 Gather Victim Identity Information
- T1070.006 Timestomp
- T1189 Drive-by Compromise
- T1218.011 Rundll32
- T1059 Command and Scripting Interpreter
- T1112 Modify Registry
- T1071.003 Mail Protocols
- T1560 Archive Collected Data
- T1204.001 Malicious Link
- T1071.001 Web Protocols
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1027.011 Fileless Storage
- T1105 Ingress Tool Transfer
- T1053.005 Scheduled Task
- T1036.003 Rename Legitimate Utilities
- T1543.003 Windows Service
- T1608.001 Upload Malware
- T1222.002 Linux and Mac Permissions
- T1569.002 Service Execution
- T1018 Remote System Discovery
- T1218.005 Mshta
- T1083 File and Directory Discovery
- T1685.005 Clear Windows Event Logs
- T1059.005 Visual Basic
- T1588.002 Tool
- T1021.002 SMB/Windows Admin Shares
- T1550.003 Pass the Ticket
- T1583.006 Web Services
- T1505.003 Web Shell
- T1564.001 Hidden Files and Directories
- T1016 System Network Configuration Discovery
- T1027.016 Junk Code Insertion
- T1049 System Network Connections Discovery
- T1564.003 Hidden Window
- T1027.013 Encrypted/Encoded File
- T1056.001 Keylogging
- T1589.002 Email Addresses
- T1218.010 Regsvr32
- T1068 Exploitation for Privilege Escalation
- T1585.001 Social Media Accounts
- T1137 Office Application Startup
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
- T1547.001 Registry Run Keys / Startup Folder
- T1102 Web Service
ATT&CK technique IDs (denormalized)
- T1003
- T1003.001
- T1012
- T1016
- T1018
- T1021.002
- T1027.010
- T1027.011
- T1027.013
- T1027.016
- T1033
- T1036
- T1036.003
- T1036.004
- T1036.005
- T1041
- T1046
- T1047
- T1048.003
- T1049
- T1053.005
- T1055
- T1056.001
- T1059
- T1059.001
- T1059.003
- T1059.005
- T1059.007
- T1068
- T1070.004
- T1070.006
- T1071.001
- T1071.003
- T1072
- T1078.003
- T1082
- T1083
- T1087.001
- T1102
- T1105
- T1112
- T1135
- T1137
- T1189
- T1203
- T1204.001
- T1204.002
- T1216.001
- T1218.005
- T1218.010
- T1218.011
- T1222.002
- T1505.003
- T1543.003
- T1547.001
- T1550.002
- T1550.003
- T1552.002
- T1560
- T1564.001
- T1564.003
- T1564.004
- T1566.001
- T1566.002
- T1569.002
- T1570
- T1571
- T1574.001
- T1583.001
- T1583.006
- T1585.001
- T1588.002
- T1589
- T1589.002
- T1598.003
- T1608.001
- T1608.004
- T1685.005
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 3 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- CrossRat
MITRE ATT&CK Software
- Mimikatz (S0002) — tool
- ipconfig (S0100) — tool
- Kerrdown (S0585) — malware
- Cobalt Strike (S0154) — malware
- SOUNDBITE (S0157) — malware
- OSX_OCEANLOTUS.D (S0352) — malware
- KOMPROGO (S0156) — malware
- netsh (S0108) — tool
- RotaJakiro (S1078) — malware
- PHOREAL (S0158) — malware
- Arp (S0099) — tool
- WINDSHIELD (S0155) — malware
- Denis (S0354) — malware
- Net (S0039) — tool
- Goopy (S0477) — malware
Attribution and Evidence
Country of Origin: Vietnam
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[8] Amnesty Intl. Ocean Lotus February 2021: Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
[9] FireEye APT32 May 2017: Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
[10] Cybereason Oceanlotus May 2017: Dahan, A. (2017, May 24). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried Out by the OceanLotus Group. Retrieved November 5, 2018.
[11] ESET OceanLotus Mar 2019: Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
[12] ESET OceanLotus: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
[13] Volexity OceanLotus Nov 2017: Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
[14] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.