APT32 | APT Profile

Description

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

Techniques Used (TTPs)

T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1036 — Masquerading (defense-evasion)
T1059.007 — JavaScript (execution)
T1047 — Windows Management Instrumentation (execution)
T1072 — Software Deployment Tools (execution, lateral-movement)
T1570 — Lateral Tool Transfer (lateral-movement)
T1564.004 — NTFS File Attributes (defense-evasion)
T1552.002 — Credentials in Registry (credential-access)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1216.001 — PubPrn (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1135 — Network Share Discovery (discovery)
T1033 — System Owner/User Discovery (discovery)
T1571 — Non-Standard Port (command-and-control)
T1082 — System Information Discovery (discovery)
T1583.001 — Domains (resource-development)
T1012 — Query Registry (discovery)
T1027.010 — Command Obfuscation (defense-evasion)
T1059.003 — Windows Command Shell (execution)
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1566.002 — Spearphishing Link (initial-access)
T1598.003 — Spearphishing Link (reconnaissance)
T1087.001 — Local Account (discovery)
T1059.001 — PowerShell (execution)
T1003.001 — LSASS Memory (credential-access)
T1046 — Network Service Discovery (discovery)
T1608.004 — Drive-by Target (resource-development)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1003 — OS Credential Dumping (credential-access)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1589 — Gather Victim Identity Information (reconnaissance)
T1070.006 — Timestomp (defense-evasion)
T1189 — Drive-by Compromise (initial-access)
T1218.011 — Rundll32 (defense-evasion)
T1059 — Command and Scripting Interpreter (execution)
T1112 — Modify Registry (defense-evasion, persistence)
T1071.003 — Mail Protocols (command-and-control)
T1560 — Archive Collected Data (collection)
T1204.001 — Malicious Link (execution)
T1071.001 — Web Protocols (command-and-control)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1070.004 — File Deletion (defense-evasion)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1027.011 — Fileless Storage (defense-evasion)
T1105 — Ingress Tool Transfer (command-and-control)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1036.003 — Rename Legitimate Utilities (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1608.001 — Upload Malware (resource-development)
T1222.002 — Linux and Mac File and Directory Permissions Modification (defense-evasion)
T1569.002 — Service Execution (execution)
T1018 — Remote System Discovery (discovery)
T1218.005 — Mshta (defense-evasion)
T1083 — File and Directory Discovery (discovery)
T1059.005 — Visual Basic (execution)
T1588.002 — Tool (resource-development)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1550.003 — Pass the Ticket (defense-evasion, lateral-movement)
T1583.006 — Web Services (resource-development)
T1505.003 — Web Shell (persistence)
T1564.001 — Hidden Files and Directories (defense-evasion)
T1016 — System Network Configuration Discovery (discovery)
T1027.016 — Junk Code Insertion (defense-evasion)
T1049 — System Network Connections Discovery (discovery)
T1564.003 — Hidden Window (defense-evasion)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1056.001 — Keylogging (collection, credential-access)
T1589.002 — Email Addresses (reconnaissance)
T1218.010 — Regsvr32 (defense-evasion)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1585.001 — Social Media Accounts (resource-development)
T1137 — Office Application Startup (persistence)
T1203 — Exploitation for Client Execution (execution)
T1204.002 — Malicious File (execution)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1102 — Web Service (command-and-control)

Total TTPs: 78

Malware & Tools

Malware: Cobalt Strike, Denis, Goopy, KOMPROGO, Kerrdown, OSX_OCEANLOTUS.D, PHOREAL, RotaJakiro, SOUNDBITE, WINDSHIELD

Tools: Arp, Mimikatz, Net, ipconfig, netsh

← Return to Home ← Back to APT Search