Comprehensive Report: APT32 Malware, Attack Vectors, and Analysis
This report provides an in-depth analysis of APT32, an advanced persistent threat (APT) group believed to be linked to the Vietnamese state, focusing on its operations, malware, and attack vectors. The report details APT32's targets, including foreign states and private companies, and how the group is attributed to the Vietnamese state. It identifies key malware used by APT32, such as WINDSHIELD, KOMPROGO, SOUNDBITE, PHOREAL, and BEACON (COBALT STRIKE), explaining their functionalities and how they facilitate system access and data exfiltration. The report also examines the attack vectors employed by APT32, including phishing, social engineering, and the use of malicious attachments, highlighting how the group exploits system vulnerabilities to achieve its objectives. Additionally, it outlines the group's operational strategies and tactics, drawing from real-world examples and research to illustrate the sophistication and impact of APT32's activities. The report emphasizes the importance of understanding APT32's methods to enhance cybersecurity measures and protect against future attacks.

Report on APT 32

Introduction
An Advanced Persistent Threat (APT) is a targeted attack on the networks of an organization such as a company or a state in which the intruders stay inside the network for a long time in order to extract highly sensitive data. Most such attacks are sponsored by large organizations or even states. APT actors are highly organized: they break into a system unnoticed, monitor all the operations of the organization or state, and do not stop until they have obtained the data they were after. In most cases an APT is engaged by a competitor of a company or a country to spy on it, identify its strategies and plans, and use that information to counter it. The aim of this report is to analyze APT32. It covers who APT32 is attributed to, the types of malware the group uses, and how the group operates.
(a) Who is APT32 attributed to and how was this information determined?
APT32 is a group of hackers believed to be linked to the Vietnamese state; they spy on the secrets of foreign states and of some private companies. They are highly trained and use sophisticated software to gain access to a system and watch all the activity inside a company or state without being noticed. APT32 is believed to use malware that is not easily identified as an intruder on a network. Such an attack is dangerous and can lead to a large loss of data for a company or state. The attackers cannot easily be traced to their origin, which leaves them free to operate around the globe. Because APT32 attacks a network quietly and unnoticed, a question arises: how was the information about APT32 determined? According to research by FireEye, their intelligence teams, including FireEye as a Service (FaaS), FireEye iSIGHT Intelligence and FireEye
product engineering, managed to unmask the operations of APT32 that targeted private sector companies operating in Southeast Asia (Carr, 2017).
(b) Who does APT32 target and how was this information determined?
Several attacks have been reported using malware traced to the APT32 group, which also goes by the nickname OceanLotus. The group began operating in 2012 and since then many of its malware attacks have been reported both locally and internationally. FireEye, an organization established to protect the community against attacks such as those of APT32, has worked with its intelligence team and has linked the following cases to APT32. The attacks were aimed at manufacturing, network security, media, consumer products, banking, information infrastructure and hospitality organizations that had an interest in extending their operations into Vietnam. The attacks specifically targeted companies and corporations interested in expanding their business into Vietnamese territory. APT32 also has an interest in political matters and foreign governments (Carr, 2017).
Security intelligence agencies such as FireEye continually investigate security threats to their clients, and they found that their clients were being attacked repeatedly by APT32; the motive behind the attacks has not been clearly established because no trace of the motive leads back to the attackers. However, the hypotheses on the APT32 attacks established that all of the targets had projects or issues involving the Vietnamese state. This leaves many questions unanswered about why and how Vietnam would engage such a notorious group of attackers to obtain information. The information about APT32 was obtained from deep analysis and investigation of the systems of the attacked targets.
What types of malware does APT32 use and what does each malware do?
Malware is software designed by cyber attackers mainly to launch attacks on computers, servers, clients and computer networks. APT32 has highly sophisticated malware that keeps evolving as technology improves. The group is known for launching its attacks by phishing, using malicious emails, links and documents; when a user in an organization, state or company clicks on one of these, the malware is launched, gains access to the system, and may take full control of it or stay hidden while watching the operations inside the system.
Several pieces of malware have been used repeatedly by the APT32 group in its attacks: WINDSHIELD, KOMPROGO, SOUNDBITE, BEACON and PHOREAL. These are complex and well-organized tools that exploit any weakness in the victim's system and gain access without being noticed by the employees (Rauti & Leppänen, 2017).
WINDSHIELD
Once phishing has succeeded, APT32 uses WINDSHIELD to attack the victim in a way the victim will never notice. The main reasons the group uses this malware in most cases are as follows.
WINDSHIELD performs its command and control (C2) communications over raw Transmission Control Protocol (TCP) sockets. It also has four configured command and control servers, one of which is chosen at random, which enhances the speed of its operation during an attack. Another feature of WINDSHIELD is the capability to manipulate the registry and give access to the intruder. This malware can also gather all
the information about the victim, execute files in the system to facilitate interaction, terminate a running process, and it also has anti-disassembly features. WINDSHIELD is a very powerful malware and, because of these features, it is capable of taking full control of a system without being noticed by the victims.
KOMPROGO
KOMPROGO is a fully featured backdoor that gets into a system through its file and registry management module. KOMPROGO can facilitate file transfer from the victim's system to the attackers' systems. It has the distinctive feature of running the attackers' own Windows Management Instrumentation (WMI) commands to carry out their mission in the system. It can also be used to retrieve information from an infected system. APT32 uses this malware when attacking a corporation.
SOUNDBITE
This is another malware with capabilities similar to those of WINDSHIELD. It carries out its command and control communication over the Domain Name System (DNS). It can also create a process once activated and upload files to a system when required. This malware also has a shell command execution feature. It is capable of manipulating files, directories and the registry, and of gathering and organizing all the information in the system.
PHOREAL
This malware carries out its command and control communication over the Internet Control Message Protocol (ICMP). It has the capability to create and manipulate a reverse shell, the file system and the registry, giving the intruder an access point into a system. An intruder into a system
can also use this malware to create a process in the system and terminate it when it is complete. This malware also gives the intruder permission to upload files into the system, so that all authority over the system is shared between the intruder and the system administrator. It is a dangerous malware for victims and can enable total damage to a system by the intruder(s). The APT32 team has used this malware to gain access to and take control of a target's system.
BEACON (COBALT STRIKE)
BEACON is a malware that blends easily into a system, monitors all the operations in the system and sometimes alters the way those operations are carried out to suit the attackers' motives. It has capabilities that let it carry out all the activities the attacker requires in the system. One example is a publicly available payload that can inject and execute arbitrary code in a process in the system; such code is what gives the attackers authority and permission inside a system. It can also mimic the security settings of the users in the system so that the attackers are not easily noticed and can carry out the target missions and aims of their attack. Moreover, it can import Kerberos tickets into the system, which allows the attackers to communicate conveniently and securely. This is the only malware that can both upload and download files on a target's system. APT32 uses this malware whenever it is carrying out an attack to access and download data from the target.
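As an added illustration (not part of the original report and not FireEye's or APT32's code), the following Python script shows the defender's side of the two C2 channels described above, SOUNDBITE over DNS and PHOREAL over ICMP: a heuristic run over constructed sample telemetry that flags the traffic shapes such channels tend to produce. The host names, IP addresses and thresholds are assumptions chosen for the example.

```python
"""Heuristic triage of DNS and ICMP telemetry for covert command-and-control.

Added example, not taken from the report or from FireEye. It flags two
traffic shapes that DNS- and ICMP-based C2 channels tend to produce:
  * many unique, long subdomains resolved under one zone by one host
    (a signature of DNS tunnelling), and
  * ICMP echo requests to one destination at regular intervals with a
    payload size that neither Windows nor Linux ping uses by default.
All hosts, addresses and thresholds below are constructed for the example.
"""
import statistics
from collections import defaultdict

# Constructed sample DNS telemetry: (timestamp_s, source_host, query_name).
DNS_LOG = [
    (0, "ws-17", "mail.example-corp.test"),
    (5, "ws-17", "q7xk2m9ab3.update-svc.test"),
    (10, "ws-17", "zp81hhd0ff.update-svc.test"),
    (15, "ws-17", "m2n4k8vv1q.update-svc.test"),
    (20, "ws-17", "lx0a8u7ze5.update-svc.test"),
    (25, "ws-17", "r3f9pqs2tn.update-svc.test"),
    (30, "ws-17", "jj6dd1c0wb.update-svc.test"),
    (3, "ws-22", "www.example-corp.test"),
    (9, "ws-22", "cdn.example-corp.test"),
]

# Constructed sample ICMP telemetry: (timestamp_s, source_host, destination, payload_bytes).
ICMP_LOG = [
    (0, "ws-05", "203.0.113.7", 188),
    (60, "ws-05", "203.0.113.7", 188),
    (120, "ws-05", "203.0.113.7", 188),
    (180, "ws-05", "203.0.113.7", 188),
    (240, "ws-05", "203.0.113.7", 188),
    (0, "ws-09", "192.0.2.10", 32),   # an ordinary Windows ping: regular, but default size
    (1, "ws-09", "192.0.2.10", 32),
    (2, "ws-09", "192.0.2.10", 32),
    (3, "ws-09", "192.0.2.10", 32),
]

DEFAULT_PING_PAYLOADS = {32, 56}  # Windows ping and Linux ping defaults


def _zone(labels):
    """Approximate the registered zone as the last two labels of a name."""
    return ".".join(labels[-2:])


def dns_tunnel_suspects(log, min_unique=5, min_label_len=8):
    """Return (host, zone, unique_subdomains) for hosts that resolve many
    distinct, long leftmost labels under one zone.

    A legitimate host usually asks for a handful of stable names per zone;
    a tunnelling client encodes its traffic into ever-changing labels."""
    leftmost = defaultdict(set)
    for _ts, host, qname in log:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:          # nothing below the zone to encode data in
            continue
        leftmost[(host, _zone(labels))].add(labels[0])
    suspects = []
    for (host, zone), subs in leftmost.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_label_len:
            suspects.append((host, zone, len(subs)))
    return sorted(suspects)


def icmp_beacon_suspects(log, min_pings=4, max_jitter=0.2):
    """Return (host, destination, mean_interval_s) for host/destination pairs
    whose echo requests arrive at near-constant intervals with a payload
    size that a stock ping would not use.

    Regularity alone is not enough: a monitoring ping is regular too, so the
    payload size is required to be non-default as well."""
    by_pair = defaultdict(list)
    for ts, host, dst, size in log:
        by_pair[(host, dst)].append((ts, size))
    suspects = []
    for (host, dst), events in by_pair.items():
        if len(events) < min_pings:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 1.0
        sizes = {size for _ts, size in events}
        if jitter <= max_jitter and not sizes <= DEFAULT_PING_PAYLOADS:
            suspects.append((host, dst, round(mean_gap, 1)))
    return sorted(suspects)


if __name__ == "__main__":
    for host, zone, n in dns_tunnel_suspects(DNS_LOG):
        print(f"possible DNS tunnel: {host} resolved {n} unique labels under {zone}")
    for host, dst, gap in icmp_beacon_suspects(ICMP_LOG):
        print(f"possible ICMP beacon: {host} -> {dst} every {gap}s with non-default payload")
```

Both thresholds are deliberately conservative; in production they would be tuned against a baseline of the organisation's own resolver and network monitoring traffic.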
What are the attack vectors of APT32 and why were these specific attack vectors chosen?
Attack vectors are the various means attackers use to gain access to a system or network with malicious intent. APT32 is a very "smart" group technically: before attacking its targets it analyzes all of their vulnerabilities and weaknesses and finds the most suitable attack vectors to achieve its motives without being noticed by the target. Although the group's motives have never been established, the common reasons for its attacks could be to gain access to sensitive data and to the personal identities of system users, and to gather intelligence. APT32 may have used attack vectors to monitor the operations of the target industries (Carr, 2017).
Examples of possible attack vectors include malware, viruses, email attachments and web pages. APT32 has intensively leveraged ActiveMime files that use social engineering to entice targets into enabling macros. When a targeted user enables the macros, the APT32 team downloads malicious payloads and then deploys its malware, and thereafter continues to use phishing lures against the target while it has full access to the system or network. Many novel techniques help the group track the delivery and activation of its phishing among the targets. When a phishing lure has run successfully, it launches one or more malware families depending on the group's motives; up to four have been used in a single attack. These include WINDSHIELD, PHOREAL, KOMPROGO, SOUNDBITE and BEACON.
APT32 actors are well organized, so they can gain access to a network and carry out their motives in a very short period of time. They appear to have all the resources necessary for an attack, in that they use a large number of domains and IP addresses as their command and control infrastructure. They have well
established and organized resources such that whenever they carry out an attack, they come out successful without being noticed by the victims.
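The following Python script is an added example (not from the report, FireEye or APT32) of the defender's side of the macro-lure vector described above: a triage routine for mailed attachments that flags MHTML Word documents carrying an ActiveMime part, Office files with a VBA project, and executables dressed up with document-style names. The sample attachments, the file names and the assumption that the ActiveMime part sits base64-encoded inside the MHTML container are constructed for the example.

```python
"""Static triage of e-mail attachments for the lure types APT32 is described as using.

Added example, not code from the report, FireEye or APT32. Three checks:
  * an MHTML container (what Word writes for "Single File Web Page") that
    is named like a .doc and carries a base64 part decoding to an
    "ActiveMime" blob, the container Word uses for a VBA project;
  * an Office Open XML file that ships a word/vbaProject.bin part; and
  * an executable whose file name reads like a document title.
The sample files below are constructed stand-ins, not real lures.
"""
import base64
import re

DOC_EXTENSIONS = {".doc", ".docx", ".docm", ".dot", ".rtf", ".mht", ".mhtml"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta"}
B64_LINE = re.compile(rb"^[A-Za-z0-9+/=]{4,}$")


def _decoded_base64_parts(data, min_chars=40):
    """Yield the decoded bytes of every run of consecutive base64-only lines.

    Each run is tried at four character offsets so the search does not depend
    on where the run starts relative to base64's 3-byte groups."""
    run = []
    for line in data.splitlines() + [b""]:   # sentinel flushes the last run
        line = line.strip()
        if B64_LINE.match(line):
            run.append(line)
            continue
        chunk, run = b"".join(run), []
        if len(chunk) < min_chars:
            continue
        for offset in range(4):
            piece = chunk[offset:]
            piece = piece[: len(piece) - len(piece) % 4]
            try:
                yield base64.b64decode(piece)
            except ValueError:
                continue


def triage_attachment(filename, data):
    """Return a sorted list of findings for one attachment; [] means nothing notable."""
    findings = set()
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    head = data[:4096]

    if ext in EXEC_EXTENSIONS:
        findings.add("executable-attachment")
        # A sentence-like name or a document extension in front of the real
        # one is how an executable is passed off as a document.
        if " " in stem or any(stem.endswith(e) for e in DOC_EXTENSIONS):
            findings.add("document-named-executable")

    if head.lstrip().startswith(b"MIME-Version:") or b"multipart/related" in head:
        findings.add("mhtml-container")
        if ext in DOC_EXTENSIONS - {".mht", ".mhtml"}:
            findings.add("extension-mismatch")   # MHTML content behind a .doc name
        if any(b"ActiveMime" in part for part in _decoded_base64_parts(data)):
            findings.add("activemime-macro-part")

    if head.startswith(b"PK") and b"word/vbaProject.bin" in data:
        findings.add("ooxml-vba-project")

    return sorted(findings)


def constructed_activemime_mht():
    """Constructed stand-in for an MHTML Word file with an ActiveMime part."""
    blob = base64.b64encode(b"ActiveMime" + b"\x00" * 30).decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="--=_NextPart"\r\n\r\n'
        "----=_NextPart\r\nContent-Type: text/html\r\n\r\n"
        "<html>Enable content to view this document</html>\r\n"
        "----=_NextPart\r\nContent-Location: file:///C:/editdata.mso\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + blob + "\r\n"
    ).encode()


if __name__ == "__main__":
    samples = [
        ("Quarterly plan.doc", constructed_activemime_mht()),
        ("Meeting agenda for the embassy visit.exe", b"MZ\x90\x00constructed"),
        ("invoice.docm", b"PK\x03\x04constructed word/vbaProject.bin"),
        ("report.docx", b"PK\x03\x04constructed word/document.xml"),
    ]
    for fname, content in samples:
        print(f"{fname}: {triage_attachment(fname, content) or 'no findings'}")
```

A hit on any finding is a reason to hold the message for analyst review rather than a verdict; real Word MHTML and macro-enabled documents do occur legitimately.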
Description and working of APT32
According to the Cybereason report on the APT32 hacking group, in 2016 the group had been hiding inside a target's system for almost a year, spying on all of the activities the target undertook without interfering with them in any major way. However, they were found by Cybereason and their operations were terminated almost immediately. The client had all the necessary security measures in place, but APT32 still found a way into the system. It is very disturbing to security providers to fail to prevent attacks from this group, because whatever measures are in place the group is determined to find a way in. They are equipped with the knowledge and tools for hacking systems and, at all costs, they must find a way into the target system. They search and analyze all the security details of the target and, as discussed earlier, use highly sophisticated malware to gain access through a backdoor in the system. They have no fear of the big players in the technology sector such as Russia and China: there have been several cases of APT32 attacks on Chinese corporations, and in every case they achieved their motives without being noticed. The only time the victims realized they had been attacked was after they had either lost some data or detected an open backdoor in their systems (Carr, 2017).
Many victims of these attacks have felt a hollow gap in their security posture because they could never understand how this group, seemingly from nowhere, gained access to their systems, did its work and left unnoticed. This led them to hire big players in security intelligence services such as FireEye and Cybereason. These service providers managed to investigate and analyze the group, but they have never established its motives; they only link it to the Vietnamese
government with the reasoning that all the attacks had been directed at companies, governments, organizations and other parties that had issues with, or intended to start projects in, Vietnam. Research on the APT32 group is ongoing and may not end soon, simply because the group takes long-term advantage of existing gaps in security systems and its motives are never predictable to investigators. FireEye is very keen on following up leads on APT32. Companies have been warned to take precautions in how they interact with ads and other phishing lures that might be used by APT32.
Timeline of APT32
In 2014 there were two cases of attacks by APT32 using the WINDSHIELD malware. The first was on a network security company in Vietnam and the other was on a European manufacturing company. These companies were aiming to extend their services and products to the Vietnamese market. There was also an attack on dissidents in the Vietnamese diaspora in Southeast Asia who wanted to protest against Vietnam; they were sent a phishing document entitled "Plans to crackdown on protesters at the Embassy of Vietnam.exe". The group also interfered with the legislatures of other countries.
In 2015 there was only one attack, targeted at a Vietnamese media corporation. It is thought that the media corporation must have been investigating a story that created discomfort for, or a threat to, the APT32 team. There was also a report from a Chinese security firm that malware similar to that used by APT32 was targeting the private and public sectors in China.
In 2016 APT32 increased its operations and attacked six industries using four different malware families: WINDSHIELD, PHOREAL, BEACON and SOUNDBITE. APT32 launched
attacks on the Vietnamese banking industry using the WINDSHIELD malware; it also attacked a consumer products company in the Philippines, using four malware families, KOMPROGO, WINDSHIELD, BEACON and SOUNDBITE; and it later attacked the Chinese hospitality industry using WINDSHIELD. APT32 also returned to the Vietnamese media and attacked it with the same malware (WINDSHIELD). The group's final attack that year was on the consumer products industry using four malware families: WINDSHIELD, PHOREAL, BEACON and SOUNDBITE.
In 2017 APT32 used lures with social engineering content to target the Vietnamese diaspora in Australia and also government employees in the Philippines. Moreover, FireEye also established that APT32 targeted local and foreign governments in pursuit of political interests. According to the facts provided by FireEye, APT32 is believed to have been carrying out attacks since 2013. Its malware was found to have been used in attacks on Vietnamese journalists and insurgents as well as on foreign governments. The motives of this group of hackers are not yet known, and they leave nothing behind after an attack that would reveal them (Carr, 2017).
Forensics on APT32
A great deal of forensic evidence is found at the scene wherever APT32 attacks. FireEye analyzed all the cases of attacks and found the evidence linking them to APT32, so there is no doubt that the group is working day and night to ensure it meets its motives.
In 2017, there was an attack on the Cylance system. The investigating team found a lot of
backdoors which were left behind by APT32 as well as the attack vector which was used by the
attackers. Such malware are very complex and are known to be used by APT32. The malware
consumer products industry which belonged to Philippines, and here they used four malwares,
these were KOMPROGO, WINDSHELD, BEACON and SOUNBITE, they later attacked the
Chinese hospitality industry by using WINDSHIELD malware. APT32 also returned to the
Vietnamese Media and attacked it using the same malware (WINDSHIELD). The final attack by
the APT32 that year was the attack on the consumer products industry using four malware which
were WINDSHIELD, PHOREAL, BEACON and SOUNDBITE malwares.
In 2017, there was social engineering content in lures which was used by APT32 to target the
Vietnamese in diaspora in Australia and the government employees in Philippines too.
Moreover, FireEye also established that APT32 also had their attacks targeted on local and
foreign governments seeking attention in political inspiration from them. According to the facts
provided by FireEye, APT32 are believed to have started their attacks since 2013. Their
malwares were found to have been used in the security attacks on Vietnamese journalists and
insurgents as well as foreign governments. The motives of this group of hackers are not yet
known and there are nothing they leave behind their attack on this (Carr, 2017).
Forensics on APT32
There are a lot of forensics in the scene wherever APT32 attacks. FireEye analyzed all the cases
of attacks and found out all the evidence linking to APT32 and therefore there is no doubt that
they are working day and night to ensure that they meet their motives.
In 2017, there was an attack on the Cylance system. The investigating team found a lot of
backdoors which were left behind by APT32 as well as the attack vector which was used by the
attackers. Such malware are very complex and are known to be used by APT32. The malware
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.

which was used in this case was BEACON. These malwares are highly sophisticated and they
leave several backdoors in the network system of the organization. They use phishing to lure
targeted victims through mails and popups while they are browsing and if they fall into their trap
they therefore give access to this team of hackers who seize the opportunity to launch their
malwares and attack the whole system (Rauti & Leppänen, 2017).
APT32 uses very adaptive techniques, and users of a compromised system may never know they
have become victims. In some cases APT32 was found to be exploiting CVE-2016-7255, a Windows
privilege-escalation vulnerability, with an exploit camouflaged as a Windows hotfix, something
few users would notice. The group also uses hidden characters to visually disguise its malware on
the target's systems: the malicious files are made to blend in with ordinary system components,
and a user who is not careful may fail to tell them apart from the real thing.
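The file-name camouflage described above can be checked mechanically. The following is an added example, not code from the original report or from FireEye, that scans a constructed directory listing for the tricks the text describes: invisible and direction-override characters, look-alike letters from another script, a decoy document extension padded in front of an executable one, and hotfix-style names that deserve a signature check. The list of code points and the heuristics are assumptions chosen for illustration, and every file name in the listing is constructed.

```python
from __future__ import annotations

import re
import unicodedata

# Invisible and direction-control code points that are abused to disguise file
# names. Assumption: an illustrative list, not an exhaustive one.
DECEPTIVE_CODEPOINTS = {
    "\u202e": "right-to-left override (reverses the displayed tail of the name)",
    "\u202d": "left-to-right override",
    "\u200b": "zero-width space",
    "\u200c": "zero-width non-joiner",
    "\u200d": "zero-width joiner",
    "\ufeff": "zero-width no-break space",
    "\u00a0": "no-break space",
}

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk", ".dll", ".msi"}
DECOY_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\s", re.I)
EXT_RE = re.compile(r"\.[A-Za-z0-9]+$")
# Hotfix-style names (a KB number or the word "hotfix"); a heuristic, not proof.
HOTFIX_RE = re.compile(r"\bkb\d{6,7}\b|hotfix", re.I)


def real_extension(name: str) -> str:
    """Extension the operating system actually uses to choose a handler."""
    m = EXT_RE.search(name)
    return m.group(0).lower() if m else ""


def visible_extension(name: str) -> str:
    """Extension a user reads once bidi rendering is applied.

    Only U+202E is modelled: everything after it is displayed reversed, so
    'invoice<RLO>fdp.exe' is shown as 'invoiceexe.pdf'.
    """
    if "\u202e" in name:
        head, _, tail = name.partition("\u202e")
        shown = head + tail[::-1]
    else:
        shown = name
    m = EXT_RE.search(shown)
    return m.group(0).lower() if m else ""


def findings_for(name: str) -> list[str]:
    """Return human-readable reasons a file name looks camouflaged (empty if none)."""
    out: list[str] = []
    for ch, why in DECEPTIVE_CODEPOINTS.items():
        if ch in name:
            out.append(f"contains U+{ord(ch):04X}: {why}")

    # Look-alike letters: a mostly ASCII name with a few non-ASCII letters mixed in.
    stray = [c for c in name if ord(c) > 127 and c not in DECEPTIVE_CODEPOINTS]
    if stray and any(c.isascii() and c.isalpha() for c in name):
        labels = ", ".join(unicodedata.name(c, "?") for c in stray[:3])
        out.append(f"mixed-script characters: {labels}")

    real, shown = real_extension(name), visible_extension(name)
    if real in EXECUTABLE_EXTS and shown != real:
        out.append(f"displays as {shown or '(no extension)'} but runs as {real}")

    # 'minutes.pdf<many spaces>.scr': only the decoy extension fits in a file-manager column.
    if real in EXECUTABLE_EXTS and DECOY_EXT_RE.search(name):
        out.append("decoy document extension padded before an executable extension")

    if HOTFIX_RE.search(name):
        out.append("hotfix-style name: verify the Authenticode signature and the KB "
                   "number against the Microsoft Update Catalog before trusting it")
    return out


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name in a listing to its findings; clean names are omitted."""
    return {n: f for n in names if (f := findings_for(n))}


# Constructed directory listing for demonstration (not real samples).
SAMPLE_LISTING = [
    "quarterly_report.docx",                            # benign
    "invoice\u202efdp.exe",                             # RLO trick, shows as invoiceexe.pdf
    "W\u0456ndows-KB1234567-x64.exe",                   # Cyrillic 'i' in a fake hotfix name
    "minutes.pdf                                .scr",  # padded double extension
]

if __name__ == "__main__":
    for fname, reasons in scan(SAMPLE_LISTING).items():
        print(repr(fname))
        for r in reasons:
            print("   -", r)
```

Run against a real listing (for example the names returned by os.listdir on a download folder or a user's Desktop), the scanner flags the three constructed decoys and ignores the benign document. The hotfix check deliberately returns an instruction rather than a verdict: a name that looks like a Microsoft update is not evidence either way, and only the publisher signature and the update catalogue settle it.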
Security agencies therefore caution organisations, states and companies to be watchful of the
pop-ups and malicious documents that lure users into downloading them and thereafter cause
serious problems in their systems and networks. The risk does not feel real until one is attacked;
victims then find themselves exposed inside their own systems, may lose personal identification
details, and may even have money stolen through their credit cards or other channels such as
ATMs. APT32 is cunning and can hide very successfully in a PC or network while stealing
important information from it.

References
Carr, N. (2017). Cyber Espionage is Alive and Well: APT32 and the Threat to Global
Corporations. FireEye.
Rauti, S., & Leppänen, V. (2017, March). A survey on fake entities as a method to detect and
monitor malicious activity. In 2017 25th Euromicro International Conference on
Parallel, Distributed and Network-based Processing (PDP) (pp. 386-390). IEEE.