APT

Vietnam-linked Bismuth APT leverages coin miners to stay under the radar

Microsoft warns of the Vietnam-linked Bismuth group, which is deploying a cryptocurrency miner while continuing its cyberespionage campaigns

Researchers from Microsoft reported that the Vietnam-linked Bismuth group, aka OceanLotus, Cobalt Kitty, or APT32, is deploying cryptocurrency miners while continuing its cyberespionage campaigns.

Cryptocurrency miners are typically associated with financially motivated attacks, but BISMUTH is taking advantage of the low-priority alerts that coin miners generate to establish persistence while remaining under the radar.

The OceanLotus APT group is a state-sponsored group that has been active since at least 2013.

The hackers targeted organizations across multiple industries and have also hit foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The experts warn that nation-state actors are adopting TTPs associated with cybercrime gangs to make attack attribution harder.

The use of cryptocurrency miners was first observed by Microsoft this summer when the group deployed them in attacks against organizations in France and Vietnam.

“But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam,” Microsoft said. “While this actor’s operational goals remained the same—establish continuous monitoring and espionage, exfiltrating useful information as it surfaced—their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks.”

According to Microsoft, the APT group started using crypto-mining malware to trick the targets' defenders into believing the activity is not a highly targeted intrusion.

Experts also speculate that Bismuth hackers are exploring new ways of generating revenue from compromising systems.

In recent attacks, the kill chain starts with spear-phishing emails crafted for one specific recipient per target organization, which suggests a deep knowledge of the targets gained through prior reconnaissance. In some instances, the group even corresponded with the targets to convince them to open the malicious attachment.

The threat actors make heavy use of DLL side-loading, a technique in which a legitimate DLL is replaced with a malicious one so that the malicious code is loaded when the associated application is executed.

“To perform DLL sideloading, BISMUTH introduced outdated versions of various applications, including Microsoft Defender Antivirus. They also leveraged the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft Word 2007.” continues the report.

To deploy the coin miners, BISMUTH first dropped a .dat file and loaded the file using rundll32.exe, which in turn downloaded a copy of the 7-zip tool named 7za.exe and a ZIP file. Then the hackers used 7-Zip to extract a Monero coin miner from the ZIP file and registered the miner as a service named after a common Virtual Machine process. Microsoft reported that each coin miner deployed by the group had a unique wallet address that earned over a thousand U.S. dollars combined during the attacks.
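The side-loading and miner-deployment steps described above translate into a handful of host-level detections. The following Python script is an added example, not code from the article or from Microsoft: it runs three checks over constructed Sysmon-style events (ImageLoad, ProcessCreate and a service-installed record), flagging a well-known DLL name loaded from an unexpected directory, rundll32.exe invoked on a .dat file with 7za.exe spawned beneath it, and a new service whose name mimics VM guest tooling but whose binary sits outside trusted directories. The event shape, the DLL allowlist, the VM process names and every path are assumptions made for the example; the article names no specific DLL or service.

```python
"""Added example: detections for the BISMUTH tradecraft described in the article,
run over constructed Sysmon-style events. All names and paths are constructed."""
import ntpath

# Constructed allowlist: directories where a DLL with this base name is expected to live.
# The same name loaded from anywhere else is a side-loading candidate.
EXPECTED_DLL_DIRS = {
    "version.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dbghelp.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Assumed list of process names used by VM guest tooling; the article only says the
# miner service was named after a common VM process, without naming it.
VM_PROCESS_NAMES = {"vmtoolsd", "vmware-tray", "vboxservice"}
TRUSTED_SERVICE_DIRS = (r"c:\program files", r"c:\windows\system32")

# Constructed events: id 1 = ProcessCreate, id 7 = ImageLoad, id 7045 = service installed.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\scan\scanner.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\scan\version.dll"},
    {"id": 7, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"id": 1, "pid": 1200, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dat,Start"},
    {"id": 1, "pid": 1300, "ppid": 1200, "image": r"C:\Users\alice\AppData\Local\Temp\7za.exe",
     "cmdline": r"7za.exe x C:\Users\alice\AppData\Local\Temp\pkg.zip"},
    {"id": 7045, "service": "vmtoolsd",
     "path": r"C:\Users\alice\AppData\Local\Temp\vmtoolsd.exe"},
    {"id": 7045, "service": "vmtoolsd",
     "path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
]


def base(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def detect_sideload(events):
    """Flag ImageLoad events where a well-known DLL name comes from an unexpected directory."""
    hits = []
    for e in events:
        if e["id"] != 7:
            continue
        expected = EXPECTED_DLL_DIRS.get(base(e["loaded"]))
        if expected and dirname(e["loaded"]) not in expected:
            hits.append(("dll_sideload", f'{base(e["image"])} loaded {e["loaded"]}'))
    return hits


def detect_rundll32_dat_chain(events):
    """Flag rundll32.exe run against a .dat file, and 7-Zip launched as its child."""
    hits = []
    suspicious_rundll32 = set()
    for e in events:
        if e["id"] != 1:
            continue
        img = base(e["image"])
        if img == "rundll32.exe" and ".dat" in e["cmdline"].lower():
            suspicious_rundll32.add(e["pid"])
            hits.append(("rundll32_dat_load", e["cmdline"]))
        elif img in ("7za.exe", "7z.exe") and e["ppid"] in suspicious_rundll32:
            hits.append(("7zip_from_rundll32", e["cmdline"]))
    return hits


def detect_vm_named_service(events):
    """Flag a new service named like VM tooling whose binary lives outside trusted directories."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        trusted = dirname(e["path"]).startswith(TRUSTED_SERVICE_DIRS)
        if e["service"].lower() in VM_PROCESS_NAMES and not trusted:
            hits.append(("vm_named_service_untrusted_path", f'{e["service"]} -> {e["path"]}'))
    return hits


def analyze(events):
    """Run all three checks and return (rule, detail) pairs in event order per rule."""
    return (detect_sideload(events)
            + detect_rundll32_dat_chain(events)
            + detect_vm_named_service(events))


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The legitimate loads in the sample (version.dll from System32, vmtoolsd installed under Program Files) are included so the rules show they do not fire on normal activity; in a real deployment the allowlists would be built from a baseline of the estate rather than typed by hand.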

Experts pointed out that once it had deployed the coin miners as part of a diversionary strategy, BISMUTH focused much of its efforts on credential theft.

The Microsoft 365 Defender Threat Intelligence Team, together with the Microsoft Threat Intelligence Center (MSTIC), provided technical details of the attacks, including the MITRE ATT&CK techniques used.


Pierluigi Paganini

(SecurityAffairs – hacking, BISMUTH)
