BRANDEFENSE BRANDEFENSE
  • Platform
    How It Works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    Q1 | 2023
    Explore the Ransomware Attacks
  • Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
  • Resources
    Blog
    Infographics
    Datasheets
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    Cybersecurity Glossary
    Events
  • Partners
    About the Partner Program
    Become a Partner
    Partner Portal
  • Company
    About Us
    Join Us!
    We in the Press
    Privacy Policy
    Terms of Use
    Contact Us
Request a Demo
Login

BRANDEFENSE

  • Platform
    How It Works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    Q1 | 2023
    Explore the Ransomware Attacks
  • Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
  • Resources
    Blog
    Infographics
    Datasheets
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    Cybersecurity Glossary
    Events
  • Partners
    About the Partner Program
    Become a Partner
    Partner Portal
  • Company
    About Us
    Join Us!
    We in the Press
    Privacy Policy
    Terms of Use
    Contact Us
Ocean Lotus APT Group (APT32)

Ocean Lotus APT Group (APT32)

BRANDEFENSE
APT Groups
22/08/2022
Download IoCs

Table of Contents

  • Threat Actor ID
  • Group’s Mission and Vision
  • Targeted Countries & Industries
  • Operations Performed by APT32
  • TTPs & Attack Lifecycle
  • Recommendations & Mitigations
  • Conclusion

Threat Actor ID

Country Vietnam
Sponsor State-sponsored
First Seen 2014
Motivation Information theft and espionage
Methods Watering Hole, Malware, Spearphishing
Other Names APT32 (Mandiant)

Ocean Lotus (SkyEye Labs)

Ocean Buffalo (Crowd Strike)

Tin Woodlawn (SecureWorks)

Group’s Mission and Vision

The Ocean Lotus APT group is a hacker group operating against both private and government organizations and their opponents since 2014. The primary motivation behind the attacks carried out by the Ocean Lotus group is information theft and espionage – given the private information sought to be obtained in the attacks and the high-profile individuals targeted.

The targets of the Ocean Lotus group are generally foreign companies with sure success and interests in Vietnam’s hospitality, manufacturing, and consumer goods sectors. As well as the private sector, the Ocean Lotus group targets politicians and journalists opposed to the Vietnamese government.

Targeted Countries & Industries

The cyberespionage group Ocean Lotus, active since 2014, targets organizations in various industries in Vietnam and other Southeast Asian countries.

  • Indonesia,
  • Iran,
  • Japan,
  • Laos,
  • Malaysia,
  • Myanmar,
  • Nepal,
  • Netherlands,
  • Philippines,
  • Singapore,
  • South Korea,
  • Thailand,
  • UK,
  • USA,
  • Vietnam,
  • ASEAN,
  • Australia,
  • Bangladesh,
  • Brunei,
  • Cambodia,
  • China,
  • Denmark,
  • Germany,
  • India.
ocean lotus apt group apt32
Figure 1: Targeted countries
ocean lotus apt group apt32

Ocean Lotus targeted dissidents and journalists operating against Vietnam.

Ocean Lotus attempted to steal trade secrets by breaching the network security of automotive manufacturers BMW and Hyundai.

ocean lotus apt group apt32
ocean lotus apt group apt32

Ocean Lotus targeted the Chinese Ministry of Emergency Management and the Wuhan Municipal Government to obtain information on the COVID-19 pandemic.

Ocean Lotus compromised the mod.gov[.]kh domain of the Cambodia Ministry of Defense in its Watering Hole campaign.

ocean lotus apt group apt32
ocean lotus apt group apt32

Ocean Lotus used mobile malware to attack mobile devices and steal confidential personal information such as SMS, call logs, connections, geolocation, and browser logs

Various security vendors have reported that the Ocean Lotus group also has targeted finance, hospitality, and product sales sectors.

ocean lotus apt group apt32

Operations Performed by APT32

In 2016, Ocean Lotus was observed targeting a number of Vietnamese organizations with a watering hole attack. The group used a website that masqueraded as a site for Vietnamese students studying abroad. When visitors to the site attempted to register for an account, they were redirected to a malicious website that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.

In 2017, Ocean Lotus carried out a campaign against Vietnam’s National Assembly. The group sent spear phishing emails containing a link to a fake website that mimicked the National Assembly’s intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.

In 2018, Ocean Lotus launched a successful campaign against Vietnam’s Ministry of Foreign Affairs. The group sent spear phishing emails containing a link to a fake website that mimicked the Ministry of Foreign Affairs intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.

In 2019, Ocean Lotus was observed targeting a number of Vietnamese organizations with watering hole attacks. The group used websites that masqueraded as sites for Vietnamese students studying abroad. When visitors to the sites attempted to register for an account, they were redirected to malicious websites that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.

Ocean Lotus’ operations have continued into 2020. In February 2020, the group was observed targeting Vietnamese organizations with a phishing campaign. The group sent emails containing a link to a fake website that mimicked the login page for Google’s Gmail service. Victims who attempted to log in had their credentials stolen by Ocean Lotus.

Ocean Lotus has been active for over eight years and shows no signs of slowing down. The group is skilled in carrying out sophisticated attacks and is considered a serious threat to organizations in Vietnam and other Southeast Asian countries.

TTPs & Attack Lifecycle

The techniques, tactics, and procedures used by the Ocean Lotus group to violate the security of the target system in their attacks help define the threat group’s characteristics and determine the countermeasures that can be taken. In addition, the information below will be helpful for an overview of how a typical attack lifecycle is performed with the software used by Ocean Lotus and for what purposes the tools are used.

Tactic Tactic ID Technique Technique ID
Initial Access TA0001 Drive-by Compromise

Phishing

•Spearphishing Attachment

•Spearphishing Link

Valid Accounts

•Local Accounts

T1189

T1566

T1566.001

T1566.002

T1078

T1078.003

Execution TA0002 Command and Scripting Interpreter

•JavaScript

•PowerShell

•Visual Basic

•Windows Command Shell

Exploitation for Client Execution

Scheduled Task/Job

•Scheduled Task

Software Deployment Tools

System Services

•Service Execution

•Malicious File

•Malicious Link

Windows Management Instrumentation

T1059

T1059.007

T1059.001

T1059.005

T1059.003

T1203

T1053

T1053.005

T1072

T1569

T1569.002

T1204.002

T1204.001

T1047

Persistence TA0003 Boot or Logon Autostart Execution

•Registry Run Keys / Startup Folder

Create or Modify System Process

•Windows Service

Hijack Execution Flow

•DLL Side-Loading

Office Application Startup

Server Software Component

•Web Shell

T1547

T1547.001

T1543

T1543.003

T1574

T1574.002

T1137

T1505

T1505.003

Privilege Escalation TA0004 Exploitation for Privilege Escalation

Process Injection

T1068

T1055

Defense Evasion TA0005 Hide Artifacts

•Hidden Files and Directories

•Hidden Window

•NTFS File Attributes

Indicator Removal on Host

•Clear Windows Event Logs

•File Deletion

•Timestomp

Masquerading

•Masquerade Task or Service

•Match Legitimate Name or Location

•Rename System Utilities

Modify Registry

Obfuscated Files or Information

•Binary Padding

System Binary Proxy Execution

•Mshta

•Regsvr32

•Rundll32

System Script Proxy Execution

•PubPrn

Use Alternate Authentication Material

•Pass the Hash

•Pass the Ticket

T1564

T1564.001

T1564.003

T1564.004

T1070

T1070.001

T1070.004

T1070.006

T1036

T1036.004

T1036.005

T1036.003

T1112

T1027

T1027.001

T1218

T1218.005

T1218.010

T1218.011

T1216

T1216.001

T1550

T1550.002

T1550.003

Credential Access TA0006 Input Capture

•Keylogging

OS Credential Dumping

•LSASS Memory

Unsecured Credentials

•Credentials in Registry

T1056

T1056.001

T1003

T1003.001

T1552

T1552.002

Discovery TA0007 Account Discovery

•Local Account

File and Directory Discovery

Network Service Discovery

Network Share Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

T1087

T1087.001

T1083

T1046

T1135

T1012

T1018

T1082

T1016

T1049

T1033

Tactic Tactic ID Technique Technique ID
Lateral Movement TA0008 Lateral Tool Transfer

Remote Services

•SMB/Windows Admin Shares

Software Deployment Tools

T1570

T1021

T1021.002

T1072

Collection TA0009 Archive Collected Data T1560
Command and Control TA0011 Application Layer Protocol

•Mail Protocols

•Web Protocols

Ingress Tool Transfer

Non-Standard Port

Web Service

T1071

T1071.003

T1071.001

T1105

T1571

T1102

Exfiltration TA0010 Exfiltration Over Alternative Protocol

•Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

T1048

T1048.003

T1041

ocean lotus apt group apt32
Figure 2: Attack Lifecycle Ocean Lotus / APT32

Recommendations & Mitigations

We have listed the steps to be taken in order to be protected from the threat and/or to minimize the possible damage according to the identified techniques, tactics, and procedures of the Ocean Lotus APT group.

Recommendations for Ocean Lotus APT Group

  • Use strong passwords and multi-factor authentication
  • Keep your software up to date
  • Install a reputable security suite
  • Be cautious when opening email attachments
  • Don’t click on links in emails from unknown senders
  • Avoid downloading pirated software or visiting illegal websites

Mitigations for Ocean Lotus APT Group

  • Use strong passwords and multi-factor authentication: This will help to protect your accounts from being compromised by password guessing or brute force attacks. Multi-factor authentication adds an extra layer of security by requiring another form of verification, such as a code sent to your mobile phone, in addition to your password.
  • Keep your software up to date: Outdated software can contain security vulnerabilities that can be exploited by attackers. By ensuring that your software is up to date, you can help to close these potential entry points.
  • Install a reputable security suite: A good security suite can provide protection against a wide range of threats, including viruses, malware, and phishing attacks.
  • Be cautious when opening email attachments: Email attachments may contain malicious code that can infect your computer. Before opening an attachment, make sure that you trust the sender and that you have scanned the attachment for viruses using reliable antivirus software.
  • Don’t click on links in emails from unknown senders: Emails from unknown or untrustworthy sources may contain malicious code/attachments.

Conclusion

Ocean Lotus is well-resourced and executes its attacks with precision and care. The group uses a variety of custom tools, which suggests a high level of technical capability. Additionally, the group appears to have significant financial resources, as evidenced by its use of 0-day exploits and ability to mount long-term operations.

Download IoCs
Share on Facebook Share on X
Search
Categories
APT GroupsBlogDark WebDRPSFraudRansomwareSector AnalysisSecurity NewsVIP SecurityWe in the PressWeekly Newsletter
Recent Posts
  • The Impact of Machine Learning on Enhancing Threat Detection
    The Impact of Machine Learning on Enhancing Threat Detection
  • The Future of AI in Cybersecurity: Benefits and Risks
    The Future of AI in Cybersecurity: Benefits and Risks
  • Brandefense Shares Bridge Partner Program and Brandefense 2.0 with Its Business Partners
    Brandefense Shares Bridge Partner Program and Brandefense 2.0 with Its Business Partners
  • What is Supply Chain Security?
    What is Supply Chain Security?
Ransomware Trends Report | Q2 2023
Ransomware Attack Trends in the Second Quarter of 2023
Report

Ransomware Attack Trends in the Second Quarter of 2023

Download Report
Follow us!

Continue Reading

Previous post

Detecting Phishing Emails

detecting phishing emails
a phishing campaign targeting hotels and travel companies detected
Next post

A Phishing Campaign Targeting Hotels and Travel Companies Detected

We know what hackers know about you

Our cyber threat intelligence and security research team is ready to help you.
image link

Brandefense is solving SOC’s complex challenges. We are here to help Brandefense customers to protect their brands and reputations against cyber threats.

United States:

300 Delaware Ave. Ste 210 #328 Wilmington, DE 19801 / USA

Republic of Turkey:

Üniversiteler, 1605 Cd. Cyberpark Vakıf Binası Kat: -1 No: B25, 06800 Çankaya/Ankara

© 2022 Brandefense. All rights reserved.

Solutions
Threat IntelligenceBrand ProtectionVulnerability ManagementFraud ProtectionVIP SecurityAttack Surface ManagementVulnerability Intelligence
Use Case
Data LeakagePhishing MonitoringAccount Takeover DetectionStolen Credit CardsDark Web MonitoringRemediation / Takedown
Partners
About the Partner ProgramBecome a Partner
Company
AboutCareerPrivacy PolicyTerms Of UseContact
Close
Search

Hit enter to search or ESC to close

cookie By using this website, you agree to our cookie policy. Close