Connect with us

Hi, what are you looking for?



How APT32 Hacked a Global Asian Firm With Persistence

In a cyber intrusion dubbed Operation Cobalt Kitty, the OceanLotus hacking group — otherwise known as APT32 — played cat-and-mouse with a security firm that was tracking its every move.

In a cyber intrusion dubbed Operation Cobalt Kitty, the OceanLotus hacking group — otherwise known as APT32 — played cat-and-mouse with a security firm that was tracking its every move.

Cybereason (a Boston, Mass.-based provider of threat detection solutions) had been employed by a large global firm operating in Asia that suspected, but could not locate, a breach. The investigators found evidence of an ongoing intrusion by advanced hackers it recognized as the OceanLotus Group. Earlier this month, FireEye all but declared the group — designated by FireEye as APT32 – to be a Vietnamese nation-state actor. 

Cybereason’s investigation showed that this group had been inside the Asian firm for more than a year before it was discovered. Furthermore, the attacker took ongoing evasive action to retain its presence even though it almost certainly knew it had been detected.

During the investigation, Cybereason found more than 70 payloads and numerous domains. It discovered six custom-built tools that it considers to be the OceanLotus Group’s signature tools. FireEye’s report noted five such tools; but Cybereason also detected Backdoor.Win32.Denis, first described by Kaspersky just last month, which it now adds to the OceanLotus armory. Win32.Denis uses DNS tunneling for C&C communications.

APT32 Hacks Global firm in AsiaCybereason was able to uncover the entire lifecycle of the Cobalt Kitty operation. The attack started with targeted spear-phishing emails: one with a link to a fake Flash installer and another with an attached weaponized Office document. The Word document contained a malicious macro that creates persistence on the compromised machine using two scheduled tasks. In both cases, the end purpose was to download secondary payloads including Cobalt Strike Beacon.

The process is ‘fileless‘. Persistence is maintained through the Windows registry, services and scheduled tasks. A PowerShell script is used to fetch Cobalt Strike Beacon, which also operates in memory.

Cybereason reported its discoveries to the client, who then used both Windows Group Policy Object (GPO) and Cybereason’s execution prevention feature that prevents PowerShell execution. But the attacker didn’t give up — the group adapted, initially concentrating on its own custom and stealthy backdoors. It then resumed the PowerShell operation. “The attackers used a modified version of a publicly available tool called PSUnlock to bypass the PowerShell execution restrictions,” notes the report.

Cybereason suspects that the group were ready and prepared for this scenario. “The attackers’ remarkable ability to quickly adapt,” suggests Cybereason, “demonstrates their skill and familiarity with and command of the company’s internal network and its operations.” 

Advertisement. Scroll to continue reading.

The attacker also used DLL hijacking leveraging Windows Search, Google Update and Kaspersky’s Avpia to load fake DLLs containing malicious code. It used DNS tunneling for C2 communication and data exfiltration. “To ensure that the DNS traffic will not be filtered,” reports Cybereason, “the attackers configured the backdoor to communicate with Google and OpenDNS DNS servers, since most organizations and security products will not filter traffic to those two major DNS services.”

It also employed an innovative additional and difficult-to-detect C2 channel by installing a backdoor macro in Outlook. It was able to execute commands, deploy tools and steal data via email. The macro looks for incoming commands, deletes the relevant email, executes the discovered commands from the deleted items folder, and finally deletes all evidence of the emails sent or received from the attackers.

“This backdoor has not been publicly documented,” says Cybereason, “and is one of the most unique TTPs with regards to the threat actor. Outlook backdoors are not a new concept and have been observed in different APTs in the past. However, this specific type of Outlook backdoor can be considered as one of the ‘signature tools’ of the OceanLotus Group.”

Similar to the methodology attributed by FireEye to APT32, the group combined its custom backdoors with freely available tools; for example, using Mimikatz as the primary tool to obtain credentials and aid lateral movement.

Throughout the operation, the OceanLotus Group showed a preference for using and adapting such publicly available tools. “However, the attackers should not be considered script-kiddies,” says the report. “Most of the publicly available tools were either obfuscated, modified and even merged with other tools to evade antivirus detection. This type of customization requires good coding skills and understanding of how those tools work.”

Cybereason does not go as far as FireEye in suggesting that OceanLotus may be state-sponsored, but it describes the group as “determined and motivated… they never gave up, even when part of their attack infrastructure was exposed and shut down by the defenders.” It doesn’t name the victim firm, nor does it specifically tie the intrusion to Vietnamese interests. All that Cybereason would tell SecurityWeek is, “We can only specify that the attackers are targeting a global corporation in Asia.”

Nevertheless, a wider analysis of OceanLotus suggests that “Most of the samples caught in-the-wild seem to target Vietnamese speakers. Some of the samples exhibit clear evidence of targeting Vietnamese entities.”

As for the group itself, Operation Cobalt Kitty outlines attackers with “a remarkable ability to quickly adapt, introduce new tools and fine tune existing ones to bypass security solutions and avoid detection. The high number of payloads and the elaborate C2 infrastructure used in this attack can be indicative of the resources that the attackers had at their disposal. Simultaneously orchestrating multiple APT campaigns of such magnitude and sophistication takes time, financial resources and a large team who can support it.”

Cybereason closed a $25 million Series B funding round in May 2015, and quickly followed that with a $59 million Series C funding round in October 2015. Overall, the company has raised more than $88 million in funding.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...