Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

A Vietnam-linked threat actor tracked as APT32 is believed to have carried out intrusion campaigns against Chinese entities in an effort to collect intelligence on the COVID-19 crisis, FireEye reports.

A state-sponsored hacking group also known as OceanLotus and APT-C-00, APT32 is believed to be well-resourced and determined, and was previously observed targeting corporate and government organizations in Southeast Asia.

The most recent attacks associated with the group started with spear phishing messages sent to China’s Ministry of Emergency Management and to the government of Wuhan province, which is considered the epicenter of the current coronavirus pandemic.

“While targeting of East Asia is consistent with the activity we’ve previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information,” FireEye points out.

The first attack was observed on January 6, 2020, with an email sent to China’s Ministry of Emergency Management. The message included a tracking link containing the recipient’s email address, which informed the attackers whether the email had been opened.

Additional tracking URLs identified by FireEye revealed the targeting of China’s Wuhan government and of another email account associated with the Ministry of Emergency Management.

One domain used in the attack (libjs.inquirerjs[.]com) was employed in December 2019 as a command and control (C&C) domain for a METALJACK phishing campaign supposedly targeting Southeast Asian countries.

FireEye believes that APT32 used COVID-19-themed attachments against Chinese-speaking targets, and that these were designed to ultimately deliver a METALJACK loader to the victim’s machine.

While the payload was being loaded, a COVID-19 decoy document with the filename written in Chinese would be displayed, showing a copy of a New York Times article to the victim.

Shellcode loaded from an additional resource contains the METALJACK payload. The shellcode would fingerprint the victim’s system to collect computer name and username, and append them to a URL string. Successful attempts to call out to the URL would result in METALJACK being loaded into memory.
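The two URL patterns described above (a recipient's email address embedded in a tracking link, and a computer name plus username appended to the loader's callback URL) are both visible in web proxy logs. The following detection logic is an added example and is not code from the article or from FireEye's report: it parses a small constructed proxy log, flags URLs that carry either identifier type, and reports callbacks repeated from the same source host. The log format, domains, email addresses and hostnames are constructed for the example; the NetBIOS-style computer name and the `_`/`/` separator between computer name and username are assumptions, not details from the report.

```python
"""Flag proxy-log URLs that embed victim identifiers (email addresses or
computer-name+username pairs) and spot repeated callbacks from one host.
All log lines below are constructed for this example."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Email address anywhere inside a decoded URL component.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed shape of a "computer name + username" value: an upper-case,
# NetBIOS-style host name (max 15 chars), a separator, then a user name.
HOST_USER_RE = re.compile(r"^[A-Z][A-Z0-9-]{2,14}[_/\\][A-Za-z0-9.-]{2,}$")

# Constructed sample: "<timestamp> <client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2020-01-06T09:12:44Z 10.0.0.15 GET http://tracking.example.invalid/open.gif?u=analyst@ministry.example.invalid 200
2020-01-06T09:13:01Z 10.0.0.15 GET http://cdn.example.invalid/css/site.css 200
2020-01-07T11:02:10Z 10.0.0.22 GET http://stage.example.invalid/api?id=DESKTOP-7F2K_liwei 404
2020-01-07T11:02:12Z 10.0.0.22 GET http://stage.example.invalid/api?id=DESKTOP-7F2K_liwei 404
2020-01-07T11:05:33Z 10.0.0.23 GET http://news.example.invalid/article/123 200
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, src, method, url, status = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status)}


def url_identifiers(url):
    """Return the identifier types found in the URL, sorted; [] if none."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values; the path must be decoded explicitly
    # so that %40 is recognised as '@'.
    query_values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = set()
    for component in [unquote(parts.path)] + query_values:
        if EMAIL_RE.search(component):
            found.add("email")
    for value in query_values:
        if HOST_USER_RE.match(value):
            found.add("host_user")
    return sorted(found)


def scan_log(text):
    """Return the log records whose URL carries at least one identifier."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        identifiers = url_identifiers(record["url"])
        if identifiers:
            record["identifiers"] = identifiers
            findings.append(record)
    return findings


def repeated_callbacks(findings, min_count=2):
    """(source ip, url) pairs seen at least min_count times. A non-200 reply
    does not make the request benign: a failing callback is still the loader
    trying to reach its server."""
    counts = Counter((f["src"], f["url"]) for f in findings)
    return {key for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit["ts"], hit["src"], hit["status"], hit["identifiers"], hit["url"])
    for src, url in repeated_callbacks(hits):
        print("repeated callback:", src, url)
```

Run on the constructed log, the scan flags the tracking pixel request (email in the query string) and both loader callbacks (host name plus user name in the `id` parameter), and `repeated_callbacks` singles out the host that called the same URL twice; the CSS and news requests are not flagged.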

“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports,” FireEye concludes.

Related: Vietnam-Linked Hackers Use Atypical Executables to Avoid Detection

Related: Google Sees Millions of COVID-19-Related Malicious Emails Daily

Related: Syrian Hackers Target Mobile Users With COVID-19 Lures

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
