APT32: Vietnamese Hackers Target Foreign Corporations

Discussion in 'malware problems & news' started by itman, May 15, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    http://www.securityweek.com/apt32-vietnamese-hackers-target-foreign-corporations
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Note the Group Policy bypass to install a backdoor that was used to bypass PowerShell execution restrictions.
    http://www.securityweek.com/how-apt32-hacked-global-asian-firm-persistence
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hmm. Phishing emails, Word macros, enough said.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Wouldn't get too confident on this one. Re-read the last paragraph.

    After mitigation methods were put in place following the phishing e-mail incident, the attacker launched another attack, which I assume was a 0-day exploit, to install a backdoor to bypass the mitigations.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It had to get the back door somehow. Looked like it dropped some DLLs. I also saw mention of Outlook macros. All Office macros are off and should stay that way. I also have a few other defenses.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In this particular example, the backdoor was installed by the opening of the phished e-mail. Once the backdoor was installed, any further mitigation attempts were fruitless.

    The main point is once a backdoor is installed, it is game over - period. Backdoors can be installed by malware by any method by which malware itself can be installed. Additionally, hidden/forgotten backdoors can exist in the OS and application software. If malware can find these backdoors, they can be exploited.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Some additional info about APT32 per FireEye:
    https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

    Some additional info on the Denis backdoor from Kaspersky:
    https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/

     
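The Kaspersky post linked above describes the Denis backdoor carrying its C2 traffic inside DNS queries. Below is an added example (written for this thread, not code from Kaspersky, FireEye or the Denis sample) of the kind of heuristic a defender can run over DNS query logs to surface that pattern: for each registered domain it counts distinct subdomains, measures the length and Shannon entropy of the leftmost label, and tracks the share of unusual query types. The log line format, the example-c2.net domain, the thresholds and the "last two labels" shortcut for the registered domain are all assumptions made for the illustration; a real deployment would use the public suffix list and tune the thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (hypothetical format: "<epoch> <client_ip> <qtype> <qname>").
# The 32-character hex leftmost labels under example-c2.net mimic data carried in subdomains;
# example-c2.net is an invented placeholder, not a real indicator.
SAMPLE_LOG = """\
1495000001 10.0.0.5 A www.example.com
1495000002 10.0.0.5 A mail.example.com
1495000003 10.0.0.7 A img1.cdn-static.com
1495000004 10.0.0.7 A img2.cdn-static.com
1495000005 10.0.0.7 A img3.cdn-static.com
1495000006 10.0.0.7 A img4.cdn-static.com
1495000007 10.0.0.7 A img5.cdn-static.com
1495000008 10.0.0.7 A img6.cdn-static.com
1495000009 10.0.0.9 NULL a1b2c3d4e5f60718293a4b5c6d7e8f90.s1.example-c2.net
1495000010 10.0.0.9 NULL 0f1e2d3c4b5a69788796a5b4c3d2e1f0.s1.example-c2.net
1495000011 10.0.0.9 TXT 9a8b7c6d5e4f30211203f4e5d6c7b8a9.s2.example-c2.net
1495000012 10.0.0.9 NULL 5c6d7e8f9a0b1c2d3e4f50617283940a.s2.example-c2.net
1495000013 10.0.0.9 TXT 48c0d2e6f1a3b5798f0a1b2c3d4e5f67.s3.example-c2.net
1495000014 10.0.0.9 A 2e4f6a8c0b1d3f5791a3c5e7b9d0f2c4.s3.example-c2.net
"""

# Query types that are rare in normal client traffic but popular for tunnelling payloads.
RARE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character; ~4.0 for balanced hex, 0.0 for a repeated char."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into (ts, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname.rstrip(".").lower()))
    return records


def registered_domain(qname):
    # Simplification: last two labels. Real code should consult the public suffix list.
    return ".".join(qname.split(".")[-2:])


def score_domains(records):
    """Aggregate per registered domain the features that tunnelling traffic tends to inflate."""
    raw = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "queries": 0, "rare": 0})
    for _, _, qtype, qname in records:
        st = raw[registered_domain(qname)]
        st["queries"] += 1
        if qtype in RARE_QTYPES:
            st["rare"] += 1
        labels = qname.split(".")
        if len(labels) > 2:  # only names that actually carry a subdomain
            st["subs"].add(".".join(labels[:-2]))
            st["lens"].append(len(labels[0]))
            st["ents"].append(shannon_entropy(labels[0]))
    summary = {}
    for dom, st in raw.items():
        n = len(st["lens"])
        summary[dom] = {
            "queries": st["queries"],
            "unique_subdomains": len(st["subs"]),
            "mean_label_len": sum(st["lens"]) / n if n else 0.0,
            "mean_entropy": sum(st["ents"]) / n if n else 0.0,
            "rare_qtype_ratio": st["rare"] / st["queries"],
        }
    return summary


def flag_tunnelling(summary, min_unique=5, min_len=20, min_entropy=3.0, min_rare_ratio=0.5):
    """Return {domain: [reasons]} for domains whose features exceed the (assumed) thresholds."""
    flagged = {}
    for dom, s in summary.items():
        reasons = []
        # Many distinct subdomains alone is normal for a CDN; require long or random labels too.
        if s["unique_subdomains"] >= min_unique:
            if s["mean_label_len"] >= min_len:
                reasons.append("long leftmost labels")
            if s["mean_entropy"] >= min_entropy:
                reasons.append("high-entropy leftmost labels")
        if s["rare_qtype_ratio"] >= min_rare_ratio:
            reasons.append("mostly TXT/NULL queries")
        if reasons:
            flagged[dom] = reasons
    return flagged


def detect(text):
    return flag_tunnelling(score_domains(parse_log(text)))


if __name__ == "__main__":
    for dom, reasons in detect(SAMPLE_LOG).items():
        print(f"{dom}: {', '.join(reasons)}")
```

In the constructed sample only example-c2.net trips the rules: cdn-static.com has six distinct subdomains but short, low-entropy labels, which is why the subdomain count is only a gate and not a verdict on its own. Against real logs, baseline per-client query volume to the same domain over time as well, since a beaconing backdoor keeps polling even when it has nothing to exfiltrate.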
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    An Up-Close View of the Notorious APT32 Hacking Group in Action

    -- Tom
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yeah, I read the article last night.

    For those who "brush off" phished e-mail, note the following excerpt from the article:
    As we all know too well, "the brass" is your best phishing target since universally they personally never do anything to mitigate their security risks. But without hesitation, they will blame the IT dept. for their carelessness, resulting in the firing of at least "one token sacrifice", which by the way is never the CIO since he is a treasured golfing buddy of the brass.
     
    Last edited: May 26, 2017
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Interesting... how did opening an email install something? (I didn't see any details in the report.)

    ----
    rich
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Per the above FireEye link:
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, that is different than just opening an email. The victim then has to open an attachment. It is a two-step attack.

    ----
    rich
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    In theory, so-called "next gen AVs" should be able to block and detect these kinds of malware attacks. Blocking is of course the most important thing, because detection is probably a lot harder. Cybereason said it became a cat and mouse game, so this says enough about how deeply APT32 was infiltrated into the network. Even when they were blocked, they managed to infect the system once again; this was clearly no child's play.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Leaked Trump-Duterte transcript linked to more sensitive documents, APT32
    https://www.scmagazine.com/vietname...d-to-sensitive-document-leaks/article/665471/
     