APT32

Who Is APT32?

APT32 (AKA Ocean Lotus, APT-C-00, SeaLotus, and Cobalt Kitty) is a Vietnamese cyber military threat actor active since 2014 (or before) that targets various entities considered hostile to Vietnamese nationalist interests. APT32 targets foreign companies doing business in Vietnam, Vietnamese government critics, local and ex-pat Vietnamese human rights activists, and rival South East Asian foreign governments, especially the Philippines and Cambodia. APT32 attacks often coincide with important contract and legal negotiations between foreign companies and the Vietnamese government.

A Timeline of High-Profile APT32 Activity

2014: Begins cyber campaigns targeting a Vietnamese security firm, foreign companies in Vietnam, and Vietnamese ex-pats

2016: Targets Filipino technology firms and a Chinese hospitality developer in Vietnam

2017: Targets Vietnamese citizens in Australia, the Filipino government, a local Vietnamese security firm, and a German corporation operating in Vietnam legally

2018–2020: Targets Vietnamese human rights activists, both local and abroad

2020: APT32 operations linked to a Vietnamese company named CyberOne Group

How APT32 Attacks Work

APT32 attacks use fully featured, distinct, yet less sophisticated collection malware alongside commercially available tools to conduct cyber-espionage campaigns. The attacks start with highly customized spear-phishing campaigns that attach files with double extensions, such as .doc.exe, designed to trick victims into thinking they are opening an Office document when they are actually executing the APT32 portable executable (PE) payload. During its lengthy history, APT32 has also developed custom spyware toolkits capable of infecting and stealing information from macOS, Android, and Windows-based devices.

Common APT32 Tactics, Techniques, and Procedures (TTPs)

  • Hacking adversaries' websites to collect information and track their user base
  • Custom macOS malware that utilizes the double extension technique or malicious Office macros written in the Perl programming language
  • Using Facebook social networking to spread malware via social engineering attacks
  • Using the legitimate penetration testing tool Cobalt Strike as command and control (C2) spyware

Malware Strains Exclusive to or Closely Associated with APT32

METALJACK: a relatively new first-stage malware exclusive to APT32, first used in 2020, that is capable of starting the infection chain and loading second-stage malware

Denis (aka DenisRAT): first discovered in 2017, Denis can capture keystrokes, steal login credentials, take screenshots, steal sensitive information, download additional malware, and move laterally to infect other systems

Kerrdown: exclusive to APT32 and in use since 2018, Kerrdown is a downloader malware module used to install spyware

Windshield: a simple TCP-based backdoor remote access trojan (RAT) that interacts with the victim host's file system, exfiltrates system information, and stops host system processes

Komprogo: a backdoor RAT exclusive to APT32 that supports remote command execution, exfiltration of host system information, and executing Windows Management Instrumentation (WMI) queries

Soundbite: a full-featured RAT exclusively used by APT32 that can upload files and execute commands on infected hosts using DNS protocol for C2 operations

Signs of an APT32 Attack

IP addresses, domains, and payload hash signatures associated with previous APT32 attacks can be used to block access to known APT32 payload hosts and C2 servers and to help defensive IT security products identify potential APT attacks. However, APT32 attacks employ social engineering tactics to entice victims into opening malicious files or accessing malicious links. These attacks often use posted files in compressed formats, such as zip archives that decompress into either Office documents or double-extension executable files, and URL-shortened links designed to mask the actual destination URL.
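
The double-extension lure described above can be checked for before an archive ever reaches a user. The following is an added example, not code from the original page: a Python check that lists zip members whose names end in a document-style extension followed by an executable one. The extension lists, function names, and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed extension lists for illustration; tune them to your environment.
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}


def is_double_extension(name: str) -> bool:
    """True when a file name ends in <decoy ext>.<executable ext>, e.g. report.doc.exe."""
    # Keep only the final path component; archive paths may use either separator.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so normalise them before parsing.
    base = base.rstrip(". ").lower()
    # Whitespace padding between the two extensions is tolerated by stripping each part.
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 3:
        return False  # fewer than two extensions
    return parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def scan_zip(data: bytes) -> list[str]:
    """Return the member names in a zip archive that use a double extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and is_double_extension(info.filename)]


def build_sample_zip() -> bytes:
    """Build a constructed archive in memory so the example runs offline."""
    names = (
        "docs/agenda.docx",              # ordinary document
        "docs/contract_draft.doc.exe",   # the pattern named on this page
        "photo.jpg      .scr",           # same pattern with padding spaces
        "tools/setup.exe",               # single extension: out of scope here
        "notes.v2.txt",                  # two dots, but not executable
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print("double extension:", repr(hit))
```

The same predicate can be applied to mail attachment names at a gateway; a plain single-extension executable is deliberately left to a separate policy.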

How to Prevent an APT32 Attack

The most effective way to prevent an APT32 attack is vigilant awareness of social engineering attacks that entice you to open files from untrusted sources. If you are engaged in activities that involve the Vietnamese government, you should be especially careful about any documents or links posted in public social networking forums. For corporate entities, combining user awareness training that educates internal staff about proper procedures for assessing and handling documents with a full-fledged Defense-in-Depth-based cybersecurity program is the best way to prevent a successful APT32 attack.
Zero Trust Network Access (ZTNA) can prevent social engineering attacks. CylanceGATEWAY secures your network before a threat actor can gain access and begin moving laterally across it.