Persistent Advanced Threats Aiming at Vietnamese Human Rights Advocates | Huntress

Huntress uncovered a long-running intrusion on a Vietnamese human rights defender’s machine, with overlaps to APT32/OceanLotus techniques and tactics. The incident highlights how sophisticated threat actors pursue persistence and information gathering against non-profits and small organizations. #OceanLotus #Huntress

Keypoints

  • Target: Vietnamese human rights defender’s machine.
  • Duration: Intrusion suspected to have lasted at least four years.
  • Threat Actor: APT32/OceanLotus.
  • Persistence Mechanisms: Multiple scheduled tasks and COM object hijacking.
  • Malware Analysis: Involves DLL side-loading and steganography techniques.
  • Indicators of Compromise: Various malicious files and IP addresses linked to the intrusion.
  • Threat Hunting Methodology: Huntress used process behavior insights and threat-hunting rules to identify anomalies.

MITRE Techniques

  • [T1033] System Owner/User Discovery – whoami /priv
  • [T1053.005] Scheduled Task – schtasks /create /sc minute /mo 300 /tn "Handler{60396-307392-03497-03790-3702046}"
  • [T1059.003] Windows Command Shell – cmd.exe /c C:\Users\Public\Downloads\1.bat
  • [T1047] Windows Management Instrumentation – wmic /node: /user: /password: process call create "cmd.exe /c start c:\Users\AppData\Roaming\Microsoft\SPMigration\Bin\calibre.exe"
  • [T1087.002] Account Discovery: Domain Account – net group "Domain Admins" /domain
  • [T1018] Remote System Discovery – nltest /dclist:.local
  • [T1529] System Shutdown/Reboot – cmd /c shutdown /r /m /t 0 /f
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – cmd /c for /f "tokens=*" %G in ('dir /b "%localappdata%\Google\Chrome\User Data\Profile *"') do copy "%localappdata%\Google\Chrome\User Data\%G\Network\Cookies.bak" "%localappdata%\Google\Chrome\User Data\%G\Cookies" /y
  • [T1546.015] Event Triggered Execution: Component Object Model Hijacking – registry COM handler entries pointing at the attacker’s DLL
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – “DllHost.exe would run as the surrogate process … {1F7CFAF8-B558-4EBD-9526-203135A79B1D}”
  • [T1036.004] Masquerading: Masquerade Task or Service – tasks masquerading as legitimate Adobe/Microsoft processes
  • [T1036.005] Masquerading: Match Legitimate Name or Location – scheduled tasks named to resemble legitimate tasks like “UpdateLibrary”
  • [T1027.003] Obfuscated Files or Information: Steganography – steganography using PNG files to hide code (logo.png)
  • [T1027.007] Obfuscated Files or Information: Encrypted/Encoded File – encrypted iisexpressshim.sdb payload
  • [T1027.001] Obfuscated/Compressed Files: Garbage op-codes and control-flow obfuscation – junk op-codes and anti-analysis tricks
  • [T1029] Shared Modules/Dynamic API Resolution – iisutil2.dll loaded to run hidden code
  • [T1060] Native API – (various API-resolving and injection techniques observed in malware logic)
  • [T1055] Process Injection – gpupdate.exe injection and other process injections observed in Calibre flow
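A small triage script, added here as an example (not code from the Huntress report), that flags the command-line shapes quoted in the mapping above when run over process-creation telemetry; the sample lines, the host, account, password and /tr values in them, and the rule patterns are all constructed for illustration.

```python
import re

# Detection rules for the command-line shapes quoted in the technique mapping above.
# The patterns are the editor's own, not Huntress's threat-hunting rules.
RULES = {
    "schtasks_minute_interval_braced_name": re.compile(
        r'schtasks\s+/create\b.*?/sc\s+minute\b.*?/tn\s+"?[^"\s]*\{[\d-]+\}', re.I),
    "wmic_remote_exec_from_appdata": re.compile(
        r'wmic\b.*?\bprocess\s+call\s+create\b.*?AppData\\Roaming\\.*?\.exe', re.I),
    "chrome_cookie_db_copy": re.compile(
        r'\bcopy\b.*?Google\\Chrome\\User Data\\.*?\\Cookies', re.I),
    "domain_admins_enum": re.compile(r'net\s+group\s+"Domain Admins"\s+/domain', re.I),
    "dc_enumeration": re.compile(r'nltest\s+/dclist:', re.I),
    "forced_reboot": re.compile(r'shutdown\b.*?/r\b.*?/f\b|shutdown\b.*?/f\b.*?/r\b', re.I),
}

# Constructed sample process-creation command lines (not telemetry from the report).
# Host, account, password, username and /tr values are placeholders; the first three
# mirror the commands quoted above, the rest mix discovery with benign admin activity.
SAMPLE_CMDLINES = [
    r'''schtasks /create /sc minute /mo 300 /tn "Handler{60396-307392-03497-03790-3702046}" /tr "C:\Users\Public\Downloads\1.bat"''',
    r'''wmic /node:WS01 /user:CORP\svc /password:PLACEHOLDER process call create "cmd.exe /c start c:\Users\jdoe\AppData\Roaming\Microsoft\SPMigration\Bin\calibre.exe"''',
    r'''cmd /c for /f "tokens=*" %G in ('dir /b "%localappdata%\Google\Chrome\User Data\Profile *"') do copy "%localappdata%\Google\Chrome\User Data\%G\Network\Cookies.bak" "%localappdata%\Google\Chrome\User Data\%G\Cookies" /y''',
    r'''schtasks /create /sc daily /tn "Adobe Acrobat Update Task" /tr "C:\Program Files\Adobe\AdobeUpdater.exe"''',
    r'''net group "Domain Admins" /domain''',
    r'''nltest /dclist:corp.local''',
    r'''cmd /c shutdown /r /t 0 /f''',
    r'''copy "C:\Users\jdoe\Documents\report.docx" "D:\backup\" /y''',
]

def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on a single command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(cmdlines) -> dict[str, list[str]]:
    """Map each flagged command line to its rule hits; unflagged lines are dropped."""
    hits = {}
    for line in cmdlines:
        matched = match_rules(line)
        if matched:
            hits[line] = matched
    return hits

if __name__ == "__main__":
    for line, matched in scan(SAMPLE_CMDLINES).items():
        print(", ".join(matched), "<-", line[:80])
```

The rules are deliberately narrow (task names with a brace-delimited numeric suffix, WMI launches out of AppData\Roaming, copies of the Chrome Cookies database), so they trade recall for a low false-positive rate on ordinary admin activity.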

Indicators of Compromise


Read more: https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders