Vietnamese APT32 group is one of the most advanced APTs in the threat landscape

According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as tracked as OceanLotus and APT32 have become increasingly sophisticated.

The researcher compared the hacker group with the dreaded s Russia-linked Turla APT.

The APT32 has used both Windows and Mac malware in its campaign, the group devised sophisticated techniques to evade detection.

“Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” continues the firm.

APT32 conducted a large-scale campaign powering watering hole attacks the involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.

The attacks were surgical, the compromised websites only served malware to visitors who were on a whitelist. Victims have displayed a fake screen designed to trick them into authorizing a malicious Google app that could access their emails and contacts.

Other websites were used to deliver malicious code, including backdoors and custom malware.

Volexity published key findings of its analysis related to the last wave of attacks that are still ongoing:

• Massive digital profiling and information collection campaign via strategically compromised websites
• Over 100 websites of individuals and organizations tied to Government, Military, Human Rights, Civil Society, Media, State Oil Exploration, and more used to launch attacks around the globe
• Use of whitelists to target only specific individuals and organizations
• Custom Google Apps designed for gaining access to victim Gmail accounts to steal e-mail and contacts
• Strategic and targeted JavaScript delivery to modify the view of compromised websites to facilitate social engineering of visitors to install malware or provide access to e-mail accounts
• Large distributed attack infrastructure spanning numerous hosting providers and countries
• Numerous attacker created domains designed to mimic legitimate online services and organizations such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, Google, and others
• Heavy uses of Let’s Encrypt SSL/TLS certificates
• Use of multiple backdoors, such as Cobalt Strike and others, believed to be developed and solely used by OceanLotus

The APT32 has rapidly evolved and increased its capabilities, for this reason the experts consider this threat actor one of the most advanced in the current threat landscape.

“Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APT32, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]