Stratos Ally

APT32 Malware Campaign Targets Vietnamese Human Rights Group 


StratosAlly


A sustained cyberattack has targeted a non-profit organization that works on human rights in Vietnam for several years, installing many types of malware on the compromised systems.

Cybersecurity firm Huntress attributed the campaign to APT32, a Vietnam-aligned threat group also tracked as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. Huntress says the intrusion has persisted for the last four years.

Researchers Jai Minton and Craig Sweeney of Huntress observed, “The methods used in this attack show clear similarities to techniques employed by APT32/OceanLotus, targeting the same demographic as their previous operations.”

Active since 2012, OceanLotus has targeted corporate and government networks across East Asia, chiefly in Vietnam, the Philippines, Laos, and Cambodia, typically for cyber espionage and theft of intellectual property.

Spear-phishing is the group's usual initial access vector, followed by backdoors that execute arbitrary code and exfiltrate sensitive data. Since 2018, OceanLotus has also been observed compromising websites for watering hole attacks that harvest user credentials or deliver reconnaissance payloads.

According to Huntress's recent analysis, the campaign abused Windows Registry entries and scheduled tasks on four distinct hosts to maintain persistence. These changes enabled the installation of the Cobalt Strike Beacon backdoor, which allowed Google Chrome cookies to be stolen from every user profile on the compromised systems, and loaders were used to launch embedded DLL payloads.
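A defender-side illustration of the persistence pattern described above (Registry Run-key writes, scheduled-task creation, and host binaries such as rundll32.exe launching DLLs from user-writable directories). This Python example is added here; it is not Huntress's code and contains nothing from the campaign itself. The event records, SID, paths and task names are constructed for the example, and the simplified field names for Sysmon event 13 / event 1 and Windows Security event 4698 are an assumption rather than the exact schema of those logs.

```python
"""Flag persistence-style events in a batch of constructed, Sysmon-like records.

Rules (defensive triage, not a complete detection ruleset):
  - event_id 13  : registry value set under ...\CurrentVersion\Run or RunOnce
  - event_id 4698: scheduled task created; launcher inspected for suspicious paths
  - event_id 1   : process creation by a DLL-loading host binary from a user-writable path
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Run / RunOnce keys are the classic Registry autostart locations.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Paths an unprivileged user can write to; legitimate services rarely autostart from them.
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.IGNORECASE)
# Signed Windows binaries commonly used to load attacker-supplied DLLs.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample events (assumed, simplified field names; SID and paths are made up).
SAMPLE_EVENTS = [
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"rundll32.exe C:\Users\alice\AppData\Roaming\svc\core.dll,Start",
     "image": r"C:\Windows\System32\reg.exe"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\UpdateCheck",
     "command": r"C:\ProgramData\cache\loader.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


@dataclass
class Finding:
    rule: str
    severity: str
    event: dict


def _suspicious_launcher(text: str) -> bool:
    """True when a launch string points into a user-writable path or starts with a DLL host binary."""
    tokens = text.strip().split(" ")
    first = ntpath.basename(tokens[0]).lower() if tokens and tokens[0] else ""
    return bool(USER_WRITABLE_RE.search(text)) or first in DLL_LOADERS


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one event, or None if no rule matches."""
    eid = event.get("event_id")
    if eid == 13 and RUN_KEY_RE.search(event.get("target_object", "")):
        # Every Run-key write is worth a look; escalate when the launcher itself looks odd.
        sev = "high" if _suspicious_launcher(event.get("details", "")) else "low"
        return Finding("run_key_write", sev, event)
    if eid == 4698:
        sev = "high" if _suspicious_launcher(event.get("command", "")) else "low"
        return Finding("scheduled_task_created", sev, event)
    if eid == 1:
        image = ntpath.basename(event.get("image", "")).lower()
        if image in DLL_LOADERS and USER_WRITABLE_RE.search(event.get("command_line", "")):
            return Finding("dll_loader_user_path", "high", event)
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run classify() over a batch and keep only the hits, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper():4}] {finding.rule}: {finding.event}")
```

The low-severity hit on the Program Files Run-key entry is deliberate: autostart writes are noisy on real hosts, so the example records them all but only escalates the ones whose launcher lives in a user-writable directory or goes through a DLL host binary, which is the combination the campaign's loader-and-Registry persistence would produce.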

In related news, users in South Korea are currently dealing with a comparable threat. An ongoing campaign is exploiting Microsoft Exchange Server vulnerabilities and spear-phishing to deliver reverse shells, backdoors, and VNC malware, giving attackers access to passwords stored in web browsers and control of the targeted workstations.
