apt32-oceanlotus

APT32 attacks against human rights with spyware

Introduction

The Vietnam-backed hacker group APT32 ran a spyware campaign against Vietnamese human rights defenders (HRDs) from February 2018 to November 2020.

The spyware used by APT32 hackers allows them to read and write documents on the infected system, launch malicious tools and programs, and monitor the activities of victims.

Likhita Banerji, a researcher at Amnesty International, said: “The recent attacks by OceanLotus have highlighted the activists in Vietnam defending human rights at home and abroad. This illegal surveillance violates and stifles freedom of speech.

“The Vietnamese government must conduct an independent investigation. Any refusal to do so will only increase people’s suspicion that the government is complicit in the ‘OceanLotus’ attack.”

[Figure: APT32 timeline of attacks]

Deliver spyware via phishing email

[Figure: APT32 email]

APT32’s “cooperative spyware campaign” targeted the pro-democracy activist Bui Thanh Hieu, the Vietnamese NPO VOICE, and an undisclosed Vietnamese blogger.

The spyware then downloaded and deployed Cobalt Strike to gain persistent remote access to the infected system.

For victims using Macs, APT32 operators used a macOS malware family first documented by Trend Micro, designed to let the attackers download, upload and execute arbitrary files and commands.

[Figure: APT32 spyware]

IOCs

2014

af170750a8228c9e5f21bfc35fc67721
616d32151c907fdd4e718bde2163cc40
1a60715c51da0caa8a5ebff6fdc9d472
6e667d6c9e527ada1a3284aa333d954d
4e2d1e15666c32311c9b4014ce5ac6d86dcf5255
58356d004b020e223e404028cceb60d5d8a103e7
7993f3b3ae93273049f0791d6dad0c57ec0e346f
1089a4db6a15e8ed605cd5be0ffde44fcd81f35c
2fa7ad4736e2bb1d50cbaec625c776cdb6fce0b8eb66035df32764d5a2a18013
351813270729b78fb2fe33be9c57fcd6f3828576171c7f404ed53af77cd91206
3B147110AC79543CC31527651D66787152102A66C33710233BD64912707D4E60
82f0db740c1a08c9d63c3bb13ddaf72c5183e9a141d3fbd1ffb9446ce5467113
9c07d491e4ddcba98c79556c4cf31d9205a5f55445c1c2da563e80940d949356
D1DF15E4D714BFDB764ECF92AE709D14BCA3E0E6C759CF7C675BE26D0296A63C
dd100552f256426ce116c0b1155bcf45902d260d12ae080782cdc7b8f824f6e1

2015

146.0.43.107
179.43.146.203
193.169.244.73
191.101.22.4
176.31.22.77

download.mail-attach.net
mokkha.goongnam.com
fpdownload.shockwave.flashads.org
cn.flashads.org
active.soariz.com
google-service.com
sin04s01.listpaz.com
cv.flashads.org
24.datatimes.org
userapp.org
push.relasign.org
ese.hackermind.info
seri.volveri.net
hn.hackermind.info
cp.flashads.org
cdn.libjs.co
autoupdate.adobe.com
dc.jaomao69.info
googl-mail.com
cdn.jaomao69.info
ebenezermelbourne.com
economy.bloghop.org
billy.hackermind.info
emp.gapte.name
kiifd.pozon7.net
high.expbas.net
shop.ownpro.net
img.fanspeed.net
pad.werzo.net
kroger7.net
zone.mizove.com
hysalt.net
high.vphelp.net
cnf.flashads.org
ming.chujong.com

0529b1d393f405bc2b2b33709dd57153
05a08c3d6cf0855d16372c197424d824
06306e6a66c41c42e8a480d6c014a5b9
071528cc2401b8abdc878d609a8e60d5
0bf5190137399d943f3f92e24e9d970f
0c3355c2c7f75dc4793525a3d7aa1bbb
1039415a93bf1fbe81a72b50dd47179c
15e2bbafd4ecface1d78b06ab9b1331d
19b5c6f2ed567ea6a89511f0aea1f3aa
1d1d977311678770df3dad53a78072f5
2508b86efb31fa63ba48ec3cc1508e18
274da4692bb28a302f2a7dfbdecc92bb
29c751356a631eac4a553acb7e2c414e
2a27610be3cf2631d438af505f366fa3
2b4d52c859cf6668dd75a5cfea99e7a9
2cccf3bdaccc6295062a62812af1adeb
2e63e1f0f5d33408ee9c2fd1dd1c3fb7
3290625d0f238950f353272a787cb0e9
32b430240e6cc8ad4632c19c92bffe37
3743d1c0b71d231463a5666ca28e9f4b
38d4c60b8a4deccd1b507a5f0b7b40eb
39c3cb43aa0b30c1858f95f2895e4e8b
3b6ba05d5d0f236cf0867f1d7fe1a25e
40a9c6df09e5ae3bcc2f0ad8c86a1990
416cfb90303f7015f613d22edd14b9d2
41bced8c65c5822d43cadad7d1dc49fd
445ed2d8c51a78fcee75c77641dbb021
4734074d0bf21c62db0751251a3abeed
486bb089b22998ec2560afa59008eafa
4bc2263063cf119e6532db08b257dee8
4df81f3e8db3ea27caedfbc52961a3a2
4fc19b5d80cbbbeb5374ea14eac27d45
5011856ebf6759962b6f580e9f1ad322
5396cace6655f7dd4033a4a559e693c0
53e5718adf6f5feb2e3bb3396a229ba8
62820f4f4a6e91529ac9b76322decff5
676c81ab9ce7970a42fc8dd692c465c5
6b367b82e9bd27770a2a01320d778b26
6c149dd9e472f8e7f68d1f8771ab74d7
6de3c7a74dbf857290fd92a4339f7836
6f026548b4f5d695ebaba1f9baa39743
70ca42bb9c3b6e49663fc532833874c3
7e68371ba3a988ff88e0fb54e2507f0d
8173a28d6f4ac5aeb150321a6ebc9c0f
8d72bbc978243516d94ab3a250cfbe2a
8f5ab998f6830f452f4ecc916d4d0f88
9d68eb143708f7c05222afead62d2c7a
9fea62c042a8eda1d3f5ae54bad1e959
b778d0de33b66ffdaaf76ba01e7c5b7b
d39edc7922054a0f14a5b000a28e3329
d5e9efe375e94a2b8ae02281993c74c7
dfca5127134f7198d7cf4fccdafdc7e9
ed501e21e62359ffd6f4d8ca42e66e59
ee24c12698de35c9d3594264bc2c2829
f099636a101e65a1447ce88028acefd7
a888ecb8521aeed4807c85b1f652ce68a32651e8
dbc37930db9e8f001acf8f638c6940f0ddb857bc
86fdf7dd002f34230776a6423fe5ae6b6cc106a7
d0c2a65df5485b2d81675f1ffb2202a3df3905d1
0f6acd95295293904ee9b37fb70f6062088fa98c6f9042e3e594c113210afa2f
e6594d11244357537fa3ef5292cb52ccbd7c8f26a277f7003ade80964351878f
cd3c51648412de5ec6cfda758b983f5e8eeb8d22269b1f86c330066d02eb4cb7
d3cf53d74868625d4ee00e367162798f829acf532bad69cf1b7ce959de0e072a

2017

103.53.197.202
104.237.218.70
104.237.218.72
185.157.79.3
193.169.245.78
193.169.245.137
23.227.196.210
80.255.3.87

24.datatimes.org
blog.docksugs.org
blog.panggin.org
contay.deaftone.com
check.paidprefund.org
datatimes.org
docksugs.org
economy.bloghop.org
emp.gapte.name
facebook-cdn.net
gap-facebook.com
gl-appspot.org
help.checkonl.org
high.expbas.net
high.vphelp.net
icon.torrentart.com
images.chinabytes.info
imaps.qki6.com
img.fanspeed.net
job.supperpow.com
lighpress.info
menmin.strezf.com
mobile.pagmobiles.info
news.lighpress.info
notificeva.com
nsquery.net
pagmobiles.info
paidprefund.org
push.relasign.org
relasign.org
share.codehao.net
seri.volveri.net
ssl.zin0.com
static.jg7.org
syn.timeizu.net
teriava.com
timeizu.net
tonholding.com
tulationeva.com
untitled.po9z.com
update-flashs.com
vieweva.com
volveri.net
vphelp.net
yii.yiihao126.net
zone.apize.net

471a2e7341f2614b715dc89e803ffcac
4f761095ca51bfbbf4496a4964e41d4f
5180a8d9325a417f2d8066f9226a5154
5458a2e4d784abb1a1127263bd5006b5
6baafffa7bf960dec821b627f9653e44
aa1f85de3e4d33f31b4f78968b29f175
ce50e544430e7265a45fab5a1f31e529
e9abe54162ba4572c770ab043f576784
f1af6bb36cdf3cff768faee7919f0733
f6ee4b72d6d42d0c7be9172be2b817c1
fba089444c769700e47c6b44c362f96b
6cb8e8202286a6931288e72fcde4408ed0f677b4
afc7f28a592652cab31594502315f6c70352f1be
f0d061efa1120f15f04560761cd0d665e0c20036
5d7e933bb1c709c0d833489be710d6c9dcf6d0d3
c944d737dc028d9327dbb95d684ca97232c38620
a5bddb5b10d673cbfe9b16a062ac78c9aa75b61c
af9c949a6fbc2673721fa764801e9054a9d61eb5
6113faa240468b705796d33926825f54abb02263
a7ac90902a385e0ea7725828facc6e65383a664a
312350cd15d9adba591db063bd87bc5d7fbe24ad
5f56aafb658669a98a9f6800f84ce9845f2e036c