APT 032

Also known as: OceanLotus Group

Suspected attribution: Vietnam

Target sectors: Foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors

Overview: Recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business, manufacturing or preparing to invest in the country. While the specific motivation for this activity remains opaque, it could ultimately erode the competitive advantage of targeted organizations.

Associated malware: SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, KOMPROGO, OSX_OCEANLOTUS.D

Attack vectors: APT32 actors leverage ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file typically downloads multiple malicious payloads from a remote server. APT32 actors delivers the malicious attachments via spear phishing emails. Evidence has shown that some may have been sent via Gmail.

Latest findings (04th Apr 2018) show one of the quite rare OSX-malware being used by this group:

The MacOS backdoor was found in a malicious Word document presumably distributed via email. The document bears the filename “2018-PHIẾU  GHI  DANH  THAM  DỰ  TĨNH  HỘI HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.” The document claims to be a registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.