APT32, also known as OceanLotus Group, is a Vietnam-based threat group that has been active since at least 2014. This group is known for its sophisticated attacks on several private companies, journalists, foreign governments, and activists, primarily focusing on Southeast Asian countries including Vietnam, Philippines, Laos, and Cambodia. APT32 conducts targeted operations that align with Vietnamese state goals, using a unique suite of fully-featured malware in combination with commercially accessible tools.

Tactics, Techniques, and Procedures (TTPs)

APT32 has been observed using a variety of TTPs, including:

  • Spear Phishing for Credential Theft (T1566.001): APT32 has been known to send spear-phishing emails to its targets to steal their credentials. They often use lures relevant to Vietnamese interests, and the emails contain malicious attachments or links to malicious websites. MITRE ATT&CK Reference
  • Exploitation for Client Execution (T1203): The group has been known to exploit software vulnerabilities to execute their code on a victim’s system. They have been observed exploiting a Microsoft Office vulnerability (CVE-2017-11882) to execute arbitrary code. MITRE ATT&CK Reference
  • Use of Web Shells (T1505): APT32 has been observed using web shells to maintain access to a victim’s network. MITRE ATT&CK Reference
  • Data Encrypted for Impact (T1486): APT32 has been known to encrypt data on a victim’s system, likely as a form of impact. MITRE ATT&CK Reference

Known Vulnerabilities Exploited

APT32 has been known to exploit the following vulnerabilities:

  • CVE-2017-11882: This is a vulnerability in Microsoft Office that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. Vendor Information | NVD Information

Indicators of Compromise (IOCs)

The following IOCs have been associated with APT32:

  • Filename: PROPSYS[.]dll
  • Filename: D99036C9-71BC-4D23-A1BF-43EF44C1F28A[.]cab
  • Filename: WinSCard[.]dll
  • MD5: 63623bcf68ef6a52846869bbc1206beffb9af8b0764458bf266c25a0d691272c1ffdacea353f9350036f928a8e03d0fb70f6e312bce2be0c9554f45bada84f92
  • SHA-256: 2e8c395df7a08be30ef0569c1d809b8dc8e62bd6f0700019d1289f6b2ef5e6b8f297959b0a6f02e441387bd00e47a3cc0f4f80d0e44bbade463abc5ff804bdddf0ab3520db1f16e5d46c0a0a5462c30779cf9949b4c95c4252987b52c4540fc7440cc0e14dd3ba3924a69bbb4c3a1724e5685f57b852abe00634cd7c93594b3c
  • SHA-1: 21e912c8d4d7fd60176590b9f727f63bd2eb224c0960abd13bbb204406d8ce48a68baa99621f401fb8b2ee0eaecaf37a40ff09a57d07e9e7dc467f6d3c9c17a68143e9890b120bdb6f4bfa8684195f9


APT32 is a sophisticated threat actor that poses a significant threat to organizations and individuals, particularly those in Southeast Asia. The group’s use of a wide range of TTPs, including spear-phishing, exploitation of software vulnerabilities, and use of web shells, makes it a formidable adversary. Organizations should take steps to protect themselves from APT32, including educating employees about the dangers of spear-phishing, keeping software up-to-date to protect against known vulnerabilities, and monitoring their networks for signs of compromise.

Further Reading

For more information on APT32, you can refer to the following resources: