Also Known as: OceanLotus Group
First known appearance: 2014
Threat Actors: Vietnamese government (suspected)
Targets: Foreign companies investing in Vietnam’s
manufacturing, consumer products, consulting and hospitality sectors.
Objective: To gain advantage over global companies doing
business in Vietnam.
Overview: Recent activity targeting private interests in
Vietnam suggests that APT32 poses a threat to companies doing
business, manufacturing or preparing to invest in the country. While
the specific motivation for this activity remains opaque, it could
ultimately erode the competitive advantage of targeted organizations.
In addition to targeting the private sector, this activity
represents a threat to civil society and the public sector worldwide.
Governments, journalists, and members of the Vietnam diaspora could
all be targeted. Although targeting of the military and defense
industrial base has not yet been identified, the extension of APT32
capabilities in that direction should be anticipated.
Associated malware: SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, KOMPROGO
Typical attack vectors: APT32 actors leverage ActiveMime files
that employ social engineering methods to entice the victim into
enabling macros. Once macros are enabled, the document typically
downloads multiple malicious payloads from a remote server. APT32
actors deliver the malicious attachments via spearphishing emails;
evidence suggests that some may have been sent via Gmail.
APT32 actors design multilingual lure files that contain malicious
macros and are tailored to specific victims. These files are created
by exporting Word documents as single file web pages. Although the
files carry a “.doc” extension, they are actually ActiveMime “.mht”
web page archives that contain text, images and macros; Word opens
them by sniffing the content rather than trusting the extension, so
the mismatch is invisible to the victim but easy to detect on disk.
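A first triage check on such an attachment is whether the file's container matches its extension. The Python below is an added example, not code from the original page or from any vendor tooling: it classifies a byte buffer as OLE2 (legacy .doc), OOXML (.docx/.docm) or MHTML by its leading bytes, and for MHTML walks the MIME parts looking for one whose decoded payload begins with the "ActiveMime" signature, the encoding Word uses for the macro project in its exported web pages. The sample .mht it builds is constructed inline for the demonstration; the file paths, boundary string and ActiveMime blob contents are assumptions, not real APT32 artefacts.

```python
import base64
import email
import os
import re

# Container signatures. OLE2 is the legacy Word binary format (.doc);
# OOXML (.docx/.docm) is a ZIP archive; an MHTML archive is a MIME message.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_MAGIC = b"PK\x03\x04"
ACTIVEMIME_MAGIC = b"ActiveMime"
_MIME_HEADER = re.compile(rb"^(MIME-Version|Content-Type):", re.M | re.I)

# Container a given extension should have; anything else is a mismatch.
EXPECTED_CONTAINER = {
    ".doc": {"ole2"},
    ".docx": {"ooxml"},
    ".docm": {"ooxml"},
    ".mht": {"mhtml", "mhtml-activemime"},
    ".mhtml": {"mhtml", "mhtml-activemime"},
}


def activemime_parts(data: bytes) -> list:
    """Return the Content-Location of every MIME part whose decoded body is ActiveMime."""
    msg = email.message_from_bytes(data)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if payload.startswith(ACTIVEMIME_MAGIC):
            found.append(part.get("Content-Location", "<no Content-Location>"))
    return found


def classify(data: bytes) -> str:
    """Classify a file by its content, ignoring whatever extension it carries."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(OOXML_MAGIC):
        return "ooxml"
    if _MIME_HEADER.search(data[:2048]):
        return "mhtml-activemime" if activemime_parts(data) else "mhtml"
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare extension against container and return a triage record."""
    ext = os.path.splitext(name)[1].lower()
    kind = classify(data)
    expected = EXPECTED_CONTAINER.get(ext)
    mismatch = expected is not None and kind not in expected
    if mismatch and kind == "mhtml-activemime":
        verdict = "macro-bearing MHT disguised as " + ext
    elif mismatch:
        verdict = "extension/container mismatch"
    elif kind == "mhtml-activemime":
        verdict = "MHT with macros"
    else:
        verdict = "ok"
    return {"name": name, "container": kind,
            "extension_mismatch": mismatch, "verdict": verdict}


def build_sample_mht(with_activemime: bool) -> bytes:
    """Constructed sample: a minimal Word 'Single File Web Page'. The paths,
    boundary and ActiveMime blob are made up for this example."""
    boundary = "----=_NextPart_01D2E9E5.ABCDEF00"
    html = "<html><body><p>Enable content to view this document.</p></body></html>"
    parts = [
        "Content-Location: file:///C:/Users/user/lure.htm\r\n"
        "Content-Transfer-Encoding: quoted-printable\r\n"
        'Content-Type: text/html; charset="us-ascii"\r\n\r\n' + html + "\r\n"
    ]
    if with_activemime:
        # A real blob carries a compressed VBA project after the header.
        blob = ACTIVEMIME_MAGIC + b"\x00\x00" + b"\x00" * 20
        parts.append(
            "Content-Location: file:///C:/Users/user/lure_files/editdata.mso\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            "Content-Type: application/x-mso\r\n\r\n"
            + base64.b64encode(blob).decode() + "\r\n"
        )
    body = "".join("--%s\r\n%s" % (boundary, p) for p in parts)
    body += "--%s--\r\n" % boundary
    header = ("MIME-Version: 1.0\r\n"
              'Content-Type: multipart/related; boundary="%s"\r\n\r\n' % boundary)
    return (header + body).encode()


if __name__ == "__main__":
    samples = {
        "Invitation.doc": build_sample_mht(True),   # the APT32-style lure shape
        "Report.doc": OLE2_MAGIC + b"\x00" * 64,     # genuine legacy .doc
        "Notes.mht": build_sample_mht(False),        # honest MHT, no macros
    }
    for name, data in samples.items():
        print(check_file(name, data))
```

In a mail-gateway or sandbox triage pipeline the interesting record is a ".doc" whose container is MHTML with an ActiveMime part: that combination is exactly the lure shape described above, whereas an MHT with macros under its own extension or a genuine OLE2 .doc still needs the usual macro analysis but is not disguising itself. The ActiveMime payload itself is compressed after its header; this check only confirms its presence, and a tool such as olevba from oletools is the next step for extracting the macro source.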