EXECUTIVE SUMMARY
Threat actors continue to target organizations across all sectors, regardless of size, with cyber espionage and intelligence-gathering motives. This includes non-profits and small organizations, particularly those engaged in sensitive work such as human rights advocacy. This report reveals an intrusion into the network of a Vietnamese human rights defender. The intrusion, suspected to have been active, involved tactics and techniques commonly associated with APT32/OceanLotus, a group known for targeting individuals and organizations working on Vietnamese-related issues.
The intrusion utilized a range of persistence mechanisms and evasion techniques to blend in with legitimate processes. It employed malicious scheduled tasks masquerading as Adobe Flash Updater and AdobeUpdateTaskUser, which involved Java Archive (JAR) files and shellcode concealed under benign file names. An MSSharePoint.vbs script facilitated authentication with a remote SFTP server for file downloads. The attack leveraged COM objects tied to the DllHost surrogate process and used legitimate DLLs such as iisutil.dll for stealth. Host enumeration, privilege escalation, and credential theft, including Chrome cookies, were observed. Additionally, the threat actor abused the calibre.exe executable, disguising it as legitimate processes and services, and linked it to a Cobalt Strike Team Server. A malicious Node.js executable running a compromised Node addon, process injection, steganography with PNG files, and DLL manipulation were employed to evade detection. Network traffic revealed connections to Cobalt Strike servers obscured by Cloudflare Load Balancers and specific service banners.
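As an added defender-side example (not code from the report or from any vendor tooling), the following Python heuristic flags scheduled tasks whose Adobe-style name masks a JAR, VBScript or DLL launcher, the masquerading pattern described above. The task records are constructed for this example; in practice the input would come from a `schtasks /query /xml` export or Security Event ID 4698 (scheduled task created), and the file paths shown are assumptions.

```python
"""Triage scheduled tasks for updater-style names that launch a JAR,
VBScript or DLL through an interpreter or proxy binary."""
import re
from typing import List, NamedTuple


class Task(NamedTuple):
    name: str        # task name as registered in Task Scheduler
    command: str     # <Command> element / executable path
    arguments: str   # <Arguments> element


# Names that borrow Adobe branding, as the tasks in this intrusion did.
ADOBE_LIKE = re.compile(r"adobe|flash", re.IGNORECASE)

# Launchers a genuine Adobe updater task has no reason to call, paired with
# the argument pattern that indicates a payload file is being run.
SUSPICIOUS_LAUNCHERS = {
    "java.exe": re.compile(r"-jar\b", re.IGNORECASE),
    "javaw.exe": re.compile(r"-jar\b", re.IGNORECASE),
    "wscript.exe": re.compile(r"\.vbs\b", re.IGNORECASE),
    "cscript.exe": re.compile(r"\.vbs\b", re.IGNORECASE),
    "rundll32.exe": re.compile(r"\.dll\b", re.IGNORECASE),
    "regsvr32.exe": re.compile(r"\.dll\b", re.IGNORECASE),
}


def basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows or POSIX path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(tasks: List[Task]) -> List[str]:
    """Return names of Adobe-styled tasks whose action runs a JAR/VBS/DLL."""
    hits = []
    for t in tasks:
        if not ADOBE_LIKE.search(t.name):
            continue
        pattern = SUSPICIOUS_LAUNCHERS.get(basename(t.command))
        if pattern and pattern.search(t.arguments):
            hits.append(t.name)
    return hits


# Constructed sample: two masquerading tasks beside two plausible benign ones.
SAMPLE_TASKS = [
    Task("Adobe Flash Updater", r"C:\Program Files\Java\jre\bin\javaw.exe", r"-jar C:\Users\Public\update.jar"),
    Task("AdobeUpdateTaskUser", r"C:\Windows\System32\wscript.exe", r"//B C:\ProgramData\MSSharePoint.vbs"),
    Task("Adobe Acrobat Update Task", r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", ""),
    Task("OneDrive Standalone Update", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", ""),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_TASKS):
        print("suspicious task:", name)
```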
This incident highlights the sophisticated persistence techniques used by the attackers, including masquerading as legitimate services, injecting malicious code, and leveraging modified DLLs to bypass detection. The malware's use of steganography, custom encryption, and network infrastructure tied to Cobalt Strike points to an advanced persistent threat operation. The complexity of the attack suggests a well-resourced adversary with a focus on long-term access and data exfiltration. The overlap in techniques with previously documented APT campaigns like OceanLotus further underscores the importance of vigilance against such threats, particularly in environments where persistence mechanisms are used to maintain control over compromised systems.
THREAT PROFILE:
| Tactic | Technique Id | Technique |
|---|---|---|
| Resource Development | T1583 | Acquire Infrastructure |
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| | T1053 | Scheduled Task/Job |
| | T1047 | Windows Management Instrumentation |
| | T1559 | Inter-Process Communication |
| Persistence | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1546 | Event Triggered Execution |
| Defense Evasion | T1036 | Masquerading |
| | T1027 | Obfuscated Files or Information |
| | T1134 | Access Token Manipulation |
| | T1055 | Process Injection |
| | T1218 | System Binary Proxy Execution |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1033 | System Owner/User Discovery |
| | T1087 | Account Discovery |
| | T1069 | Permission Groups Discovery |
| | T1018 | Remote System Discovery |
| | T1016 | System Network Configuration Discovery |
| | T1135 | Network Share Discovery |
| | T1049 | System Network Connections Discovery |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1074 | Data Staged |
| Command and Control | T1105 | Ingress Tool Transfer |
| | T1573 | Encrypted Channel |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1529 | System Shutdown/Reboot |
REFERENCES:
The following report contains further technical details:
https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html