# APT32

https://attack.mitre.org/groups/G0050/

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]

**ID:** G0050

**Associated Groups:** SeaLotus, OceanLotus, APT-C-00

**Contributors:** Romain Dumont, ESET

**Version:** 2.5

**Created:** 14 December 2017

**Last Modified:** 14 October 2021

[Version Permalink](https://attack.mitre.org/versions/v11/groups/G0050/) | [Live Version](https://attack.mitre.org/versions/v11/groups/G0050/)

## Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | [T1087](https://attack.mitre.org/techniques/T1087).[001](https://attack.mitre.org/techniques/T1087/001) | Account Discovery: Local Account | APT32 enumerated administrative users using the command `net localgroup administrators`.[7] |
| Enterprise | [T1583](https://attack.mitre.org/techniques/T1583).[001](https://attack.mitre.org/techniques/T1583/001) | Acquire Infrastructure: Domains | APT32 has set up and operated websites to gather information and deliver malware.[8] |
| Enterprise | [T1583](https://attack.mitre.org/techniques/T1583).[006](https://attack.mitre.org/techniques/T1583/006) | Acquire Infrastructure: Web Services | APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.[8] |
| Enterprise | [T1071](https://attack.mitre.org/techniques/T1071).[001](https://attack.mitre.org/techniques/T1071/001) | Application Layer Protocol: Web Protocols | APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker-controlled domains to download additional frameworks. The group has also downloaded encrypted payloads over HTTP.[2][7] |
| Enterprise | [T1071](https://attack.mitre.org/techniques/T1071).[003](https://attack.mitre.org/techniques/T1071/003) | Application Layer Protocol: Mail Protocols | APT32 has used email for C2 via an Office macro.[4][7] |
| Enterprise | [T1560](https://attack.mitre.org/techniques/T1560) | Archive Collected Data | APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[5] |
| Enterprise | [T1547](https://attack.mitre.org/techniques/T1547).[001](https://attack.mitre.org/techniques/T1547/001) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts and to execute their backdoor directly.[4][7][5] |
| Enterprise | [T1059](https://attack.mitre.org/techniques/T1059) | Command and Scripting Interpreter | APT32 has used COM scriptlets to download Cobalt Strike beacons.[7] |
| Enterprise | [T1059](https://attack.mitre.org/techniques/T1059).[001](https://attack.mitre.org/techniques/T1059/001) | Command and Scripting Interpreter: PowerShell | APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[1][4][7] |
| Enterprise | [T1059](https://attack.mitre.org/techniques/T1059).[003](https://attack.mitre.org/techniques/T1059/003) | Command and Scripting Interpreter: Windows Command Shell | APT32 has used `cmd.exe` for execution.[7] |
| Enterprise | [T1059](https://attack.mitre.org/techniques/T1059).[005](https://attack.mitre.org/techniques/T1059/005) | Command and Scripting Interpreter: Visual Basic | APT32 has used macros, COM scriptlets, and VBS scripts.[4][7] |
| Enterprise | [T1059](https://attack.mitre.org/techniques/T1059).[007](https://attack.mitre.org/techniques/T1059/007) | Command and Scripting Interpreter: JavaScript | APT32 has used JavaScript for drive-by downloads and C2 communications.[7][8] |
| Enterprise | [T1543](https://attack.mitre.org/techniques/T1543).[003](https://attack.mitre.org/techniques/T1543/003) | Create or Modify System Process: Windows Service | APT32 modified Windows services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.[3][7][5] |
| Enterprise | [T1189](https://attack.mitre.org/techniques/T1189) | Drive-by Compromise | APT32 has infected victims by tricking them into visiting compromised watering hole websites.[3][8] |
| Enterprise | [T1585](https://attack.mitre.org/techniques/T1585).[001](https://attack.mitre.org/techniques/T1585/001) | Establish Accounts: Social Media Accounts | APT32 has set up Facebook pages in tandem with fake websites.[8] |
| Enterprise | [T1048](https://attack.mitre.org/techniques/T1048).[003](https://attack.mitre.org/techniques/T1048/003) | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.[5] |
| Enterprise | [T1041](https://attack.mitre.org/techniques/T1041) | Exfiltration Over C2 Channel | APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[5] |
| Enterprise | [T1203](https://attack.mitre.org/techniques/T1203) | Exploitation for Client Execution | APT32 has used an RTF document that includes an exploit (CVE-2017-11882) to execute malicious code.[5] |
| Enterprise | [T1068](https://attack.mitre.org/techniques/T1068) | Exploitation for Privilege Escalation | APT32 has used CVE-2016-7255 to escalate privileges.[1] |
| Enterprise | [T1083](https://attack.mitre.org/techniques/T1083) | File and Directory Discovery | APT32's backdoor possesses the capability to list files and directories on a machine.[5] |
| Enterprise | [T1222](https://attack.mitre.org/techniques/T1222).[002](https://attack.mitre.org/techniques/T1222/002) | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | APT32's macOS backdoor changes the permission of the file it wants to execute to 755.[9] |
| Enterprise | [T1589](https://attack.mitre.org/techniques/T1589) | Gather Victim Identity Information | APT32 has conducted targeted surveillance against activists and bloggers.[6] |
| Enterprise | [T1589](https://attack.mitre.org/techniques/T1589).[002](https://attack.mitre.org/techniques/T1589/002) | Gather Victim Identity Information: Email Addresses | APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.[6] |
| Enterprise | [T1564](https://attack.mitre.org/techniques/T1564).[001](https://attack.mitre.org/techniques/T1564/001) | Hide Artifacts: Hidden Files and Directories | APT32's macOS backdoor hides the clientID file via a `chflags` function.[9] |
| Enterprise | [T1564](https://attack.mitre.org/techniques/T1564).[003](https://attack.mitre.org/techniques/T1564/003) | Hide Artifacts: Hidden Window | APT32 has used the `WindowStyle` parameter to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/001) windows.[1][7] |
| Enterprise | [T1564](https://attack.mitre.org/techniques/T1564).[004](https://attack.mitre.org/techniques/T1564/004) | Hide Artifacts: NTFS File Attributes | APT32 used NTFS alternate data streams to hide their payloads.[7] |
| Enterprise | [T1574](https://attack.mitre.org/techniques/T1574).[002](https://attack.mitre.org/techniques/T1574/002) | Hijack Execution Flow: DLL Side-Loading | APT32 ran legitimately signed executables from Symantec and McAfee which load a malicious DLL. The group also sideloads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[4][7][5] |
| Enterprise | [T1070](https://attack.mitre.org/techniques/T1070).[001](https://attack.mitre.org/techniques/T1070/001) | Indicator Removal on Host: Clear Windows Event Logs | APT32 has cleared select event log entries.[1] |
| Enterprise | [T1070](https://attack.mitre.org/techniques/T1070).[004](https://attack.mitre.org/techniques/T1070/004) | Indicator Removal on Host: File Deletion | APT32's macOS backdoor can receive a "delete" command.[9] |
| Enterprise | [T1070](https://attack.mitre.org/techniques/T1070).[006](https://attack.mitre.org/techniques/T1070/006) | Indicator Removal on Host: Timestomp | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of `kernel32.dll`. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[1][5][9] |
| Enterprise | [T1105](https://attack.mitre.org/techniques/T1105) | Ingress Tool Transfer | APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2] |
| Enterprise | [T1056](https://attack.mitre.org/techniques/T1056).[001](https://attack.mitre.org/techniques/T1056/001) | Input Capture: Keylogging | APT32 has abused PasswordChangeNotify to monitor for and capture account password changes.[7] |
| Enterprise | [T1570](https://attack.mitre.org/techniques/T1570) | Lateral Tool Transfer | APT32 has deployed tools after moving laterally using administrative accounts.[7] |
| Enterprise | [T1036](https://attack.mitre.org/techniques/T1036) | Masquerading | APT32 has disguised a Cobalt Strike beacon as a Flash installer.[7] |
| Enterprise | [T1036](https://attack.mitre.org/techniques/T1036).[003](https://attack.mitre.org/techniques/T1036/003) | Masquerading: Rename System Utilities | APT32 has moved and renamed `pubprn.vbs` to a `.txt` file to avoid detection.[10] |
| Enterprise | [T1036](https://attack.mitre.org/techniques/T1036).[004](https://attack.mitre.org/techniques/T1036/004) | Masquerading: Masquerade Task or Service | APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name `install_flashplayer.exe`.[1] |
| Enterprise | [T1036](https://attack.mitre.org/techniques/T1036).[005](https://attack.mitre.org/techniques/T1036/005) | Masquerading: Match Legitimate Name or Location | APT32 has renamed a NetCat binary to `kb10233.exe` to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to `install_flashplayers.exe`.[7][8] |
| Enterprise | [T1112](https://attack.mitre.org/techniques/T1112) | Modify Registry | APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.[5] |
| Enterprise | [T1046](https://attack.mitre.org/techniques/T1046) | Network Service Discovery | APT32 performed network scanning on the network to search for open ports, services, OS fingerprinting, and other vulnerabilities.[7] |
| Enterprise | [T1135](https://attack.mitre.org/techniques/T1135) | Network Share Discovery | APT32 used the `net view` command to show all shares available, including the administrative shares such as `C$` and |
| Enterprise | [T1571](https://attack.mitre.org/techniques/T1571) | Non-Standard Port | An APT32 backdoor can use HTTP over a non-standard TCP port (e.g., 14146) which is specified in the backdoor configuration.[5] |
| Enterprise | [T1027](https://attack.mitre.org/techniques/T1027) | Obfuscated Files or Information | APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES256 in CBC mode in their macOS backdoor.[1][11][3][4][7][5][9] |
| Enterprise | [T1027](https://attack.mitre.org/techniques/T1027).[001](https://attack.mitre.org/techniques/T1027/001) | Obfuscated Files or Information: Binary Padding | APT32 includes garbage code to mislead antimalware software and researchers.[3][5] |
| Enterprise | [T1588](https://attack.mitre.org/techniques/T1588).[002](https://attack.mitre.org/techniques/T1588/002) | Obtain Capabilities: Tool | APT32 has obtained and used tools such as [Mimikatz](https://attack.mitre.org/software/S0002) and Cobalt Strike, and a variety of other open-source tools from GitHub.[1][4] |
| Enterprise | [T1137](https://attack.mitre.org/techniques/T1137) | Office Application Startup | APT32 has replaced Microsoft Outlook's `VbaProject.OTM` file to install a backdoor macro for persistence.[4][7] |
| Enterprise | [T1003](https://attack.mitre.org/techniques/T1003) | OS Credential Dumping | APT32 used GetPassword_x64 to harvest credentials.[4][7] |
| Enterprise | [T1003](https://attack.mitre.org/techniques/T1003).[001](https://attack.mitre.org/techniques/T1003/001) | OS Credential Dumping: LSASS Memory | APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[4][7] |
| Enterprise | [T1566](https://attack.mitre.org/techniques/T1566).[001](https://attack.mitre.org/techniques/T1566/001) | Phishing: Spearphishing Attachment | APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[3][4][7][5][12][6] |
| Enterprise | [T1566](https://attack.mitre.org/techniques/T1566).[002](https://attack.mitre.org/techniques/T1566/002) | Phishing: Spearphishing Link | APT32 has sent spearphishing emails containing malicious links.[3][4][12][8][6] |
| Enterprise | [T1598](https://attack.mitre.org/techniques/T1598).[003](https://attack.mitre.org/techniques/T1598/003) | Phishing for Information: Spearphishing Link | APT32 has used malicious links to direct users to web pages designed to harvest credentials.[8] |
| Enterprise | [T1055](https://attack.mitre.org/techniques/T1055) | Process Injection | APT32 malware has injected a Cobalt Strike beacon into `Rundll32.exe`.[7] |
| Enterprise | [T1012](https://attack.mitre.org/techniques/T1012) | Query Registry | APT32's backdoor can query the Windows Registry to gather system information.[5] |
| Enterprise | [T1021](https://attack.mitre.org/techniques/T1021).[002](https://attack.mitre.org/techniques/T1021/002) | Remote Services: SMB/Windows Admin Shares | APT32 used [Net](https://attack.mitre.org/software/S0039) to use Windows' hidden network shares to copy their tools to remote machines for execution.[7] |
| Enterprise | [T1018](https://attack.mitre.org/techniques/T1018) | Remote System Discovery | APT32 has enumerated DC servers using the command `net group "Domain Controllers" /domain`. The group has also used the `ping` command.[7] |
| Enterprise | [T1053](https://attack.mitre.org/techniques/T1053).[005](https://attack.mitre.org/techniques/T1053/005) | Scheduled Task/Job: Scheduled Task | APT32 has used scheduled tasks to persist on victim systems.[1][4][7][5] |
| Enterprise | [T1505](https://attack.mitre.org/techniques/T1505).[003](https://attack.mitre.org/techniques/T1505/003) | Server Software Component: Web Shell | APT32 has used web shells to maintain access to victim websites.[2] |
| Enterprise | [T1072](https://attack.mitre.org/techniques/T1072) | Software Deployment Tools | APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1] |
| Enterprise | [T1608](https://attack.mitre.org/techniques/T1608).[001](https://attack.mitre.org/techniques/T1608/001) | Stage Capabilities: Upload Malware | APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.[8] |
| Enterprise | [T1608](https://attack.mitre.org/techniques/T1608).[004](https://attack.mitre.org/techniques/T1608/004) | Stage Capabilities: Drive-by Target | APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.[8] |
| Enterprise | [T1218](https://attack.mitre.org/techniques/T1218).[005](https://attack.mitre.org/techniques/T1218/005) | System Binary Proxy Execution: Mshta | APT32 has used `mshta.exe` for code execution.[4][7] |
| Enterprise | [T1218](https://attack.mitre.org/techniques/T1218).[010](https://attack.mitre.org/techniques/T1218/010) | System Binary Proxy Execution: Regsvr32 | APT32 created a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) that used `regsvr32.exe` to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.[5][1][7] |
| Enterprise | [T1218](https://attack.mitre.org/techniques/T1218).[011](https://attack.mitre.org/techniques/T1218/011) | System Binary Proxy Execution: Rundll32 | APT32 malware has used `rundll32.exe` to execute an initial infection process.[7] |
| Enterprise | [T1082](https://attack.mitre.org/techniques/T1082) | System Information Discovery | APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[3][5][9][12] |
| Enterprise | [T1016](https://attack.mitre.org/techniques/T1016) | System Network Configuration Discovery | APT32 used the `ipconfig /all` command to gather the IP address from the system.[7] |
| Enterprise | [T1049](https://attack.mitre.org/techniques/T1049) | System Network Connections Discovery | APT32 used the `netstat -anpo tcp` command to display TCP connections on the victim's machine.[7] |
| Enterprise | [T1033](https://attack.mitre.org/techniques/T1033) | System Owner/User Discovery | APT32 collected the victim's username and executed the `whoami` command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine.[7][12][3] |
| Enterprise | [T1216](https://attack.mitre.org/techniques/T1216).[001](https://attack.mitre.org/techniques/T1216/001) | System Script Proxy Execution: PubPrn | APT32 has used `PubPrn.vbs` within execution scripts to execute malware, possibly bypassing defenses.[13] |
| Enterprise | [T1569](https://attack.mitre.org/techniques/T1569).[002](https://attack.mitre.org/techniques/T1569/002) | System Services: Service Execution | APT32's backdoor has used Windows services as a way to execute its malicious payload.[5] |
| Enterprise | [T1552](https://attack.mitre.org/techniques/T1552).[002](https://attack.mitre.org/techniques/T1552/002) | Unsecured Credentials: Credentials in Registry | APT32 used Outlook Credential Dumper to harvest credentials stored in the Windows Registry.[4][7] |
| Enterprise | [T1550](https://attack.mitre.org/techniques/T1550).[002](https://attack.mitre.org/techniques/T1550/002) | Use Alternate Authentication Material: Pass the Hash | APT32 has used pass the hash for lateral movement.[7] |
| Enterprise | [T1550](https://attack.mitre.org/techniques/T1550).[003](https://attack.mitre.org/techniques/T1550/003) | Use Alternate Authentication Material: Pass the Ticket | APT32 successfully gained remote access by using pass the ticket.[7] |
| Enterprise | [T1204](https://attack.mitre.org/techniques/T1204).[001](https://attack.mitre.org/techniques/T1204/001) | User Execution: Malicious Link | APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[7][8][6] |
| Enterprise | [T1204](https://attack.mitre.org/techniques/T1204).[002](https://attack.mitre.org/techniques/T1204/002) | User Execution: Malicious File | APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[3][4][5][12][6] |
| Enterprise | [T1078](https://attack.mitre.org/techniques/T1078).[003](https://attack.mitre.org/techniques/T1078/003) | Valid Accounts: Local Accounts | APT32 has used legitimate local admin account credentials.[1] |
| Enterprise | [T1102](https://attack.mitre.org/techniques/T1102) | Web Service | APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[8] |
| Enterprise | [T1047](https://attack.mitre.org/techniques/T1047) | Windows Management Instrumentation | APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.[7] |

## References

1. https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
2. https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
3. https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
4. https://www.cybereason.com/blog/operation-cobalt-kitty-apt
5. https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
6. https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf
7. https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
8. https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
9. https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
10. https://twitter.com/ItsReallyNick/status/945681177108762624
12. https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
13. https://twitter.com/ItsReallyNick/status/944321013084573697