# APT32 Continues ASEAN Targeting

Blog post created by [Kevin Stear](https://community.rsa.com/people/en2fBGHnC4m6d7LYssUW1tPEr9auDjtSWfYHyvRdBRA%3D) on Jan 30, 2018

During the last weeks of January 2018, nation-state actors from APT32 (Lotus Blossom) conducted a targeted malspam campaign against Association of Southeast Asian Nations (ASEAN) countries. This is not terribly surprising given the group's [watering hole activity against ASEAN websites](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fsecurelist.com%2Fapt-trends-report-q3-2017%2F83162%2F) observed in the fall of 2017. In another apparent prong of attack, the new campaign delivers a malicious RTF document posing as an ASEAN Defence Ministers' Meeting (ADMM) directory (the decoy) that also carries an executable (the payload) embedded as an OLE object: the Elise backdoor.

The Elise backdoor is not new malware and has been analyzed in the past by industry researchers (e.g. [Palo Alto Unit 42's 2015 report](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fapps%2Fpan%2Fpublic%2FdownloadResource%3FpagePath%3D%2Fcontent%2Fpan%2Fen_US%2Fresources%2Fresearch%2Funit42-operation-lotus-blossom)) and more recently by [Volexity](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.volexity.com%2Fblog%2F2017%2F11%2F06%2Foceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society%2F) and [Accenture](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.accenture.com%2Ft20180127T003755Z__w__%2Fus-en%2F_acnmedia%2FPDF-46%2FAccenture-Security-Dragonfish-Threat-Analysis.pdf%23zoom%3D50). Each of these is a valuable resource for understanding the Elise malcode, its infection process, and the known capabilities of the backdoor. In addition, a current [ANY.RUN playback of our observed Elise infection](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fapp.any.run%2Ftasks%2F05b68865-529e-44e4-882f-0c184b162f12) is also available.

When the Word document is opened, the embedded object exploits [CVE-2017-11882](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.cvedetails.com%2Fcve%2Fcve-2017-11882) to drop a malicious fake Norton Security Shell Extension module, '[NavShExt.dll](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.virustotal.com%2F%23%2Ffile%2F6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79%2Fdetection)', which is then injected into iexplore.exe to install the backdoor, begin collection, and activate command and control.

Moving through the infection process, NetWitness Endpoint detects the initial exploit ([CVE-2017-11882](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.cvedetails.com%2Fcve%2Fcve-2017-11882)) in action as the Microsoft Equation Editor, 'EQNEDT32.exe', scores high for potentially malicious activity. This same process was also flagged in our ANY.RUN playback.

While this is happening, the malware establishes persistence by creating an autorun entry in the registry, and also creates 'thumbcache_1CD60.db' under 'Users\admin\AppData\Local\Microsoft\Windows\Explorer\' to store harvested data.

As the infection process completes, we observe Elise network activity (e.g., exfiltration of victim data and C2) through a conveniently hidden instance of Internet Explorer.

This traffic was also observed in NetWitness Packets, as the malware verifies the host IP address prior to kicking off C2 out to [103.236.150[.]14](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fcommunity.riskiq.com%2Fsearch%2F103.236.150.14), which is likely compromised infrastructure.

[…] protect this data via both B64 encoding and AES encryption. The actual C2 for Elise takes place over "cookie" code and (rarely) body content.

Other infections (from the identical payload) each generated their own decoy domains to populate the Host header, but in every case actually used the same hard-coded IP address, [103.236.150[.]14](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fcommunity.riskiq.com%2Fsearch%2F103.236.150.14).

The threat actors went to significant effort to generate these seemingly random domains, likely in an attempt to obfuscate C2 traffic and avoid domain-based detection and mitigation.

Based on both previous activity and this current Lotus Blossom campaign, it is clear that we are witnessing the continued rise of cyber tradecraft and activity from nation-states in the Southeast Asian theater.

Thanks to [Kent Backman](https://community.rsa.com/people/Gl8LOTl4A2rCbPZkifuse3cHH75XbzVWfnhIYrQRH4A=), [Justin Lamarre](https://community.rsa.com/people/ebeaINpJCPQvueBuILnImsMW49IGrBKoVOB6f66tRCQ=), and [Ahmed Sonbol](https://community.rsa.com/people/B2QKZMrDo53ui48qarO9kYZN09ujo2snbEzRAeJQqZU=) for their assistance with this research.

The following samples were used for this analysis:

- [Malicious RTF Dropper](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.virustotal.com%2F%23%2Ffile%2Fd3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411%2Fdetection) (SHA256): d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411
- [NavShExt.dll](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.virustotal.com%2F%23%2Ffile%2F6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79%2Fdetection) (SHA256): 6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79

League of Legends banner art credit: [Riot Games](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.riotgames.com%2Fen)
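As an added defender-side example (not code from the post or from RSA), the following Python checks a constructed proxy log for the two network traits described above: every request lands on the single hard-coded C2 address regardless of the decoy Host header, and cookie values are opaque base64 blobs consistent with B64-encoded, AES-encrypted C2 data. The log format, the host-diversity threshold and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Hard-coded Elise C2 address reported in the post, written defanged and refanged here.
ELISE_C2_IP = "103.236.150[.]14".replace("[.]", ".")
# Assumed threshold: distinct Host headers seen for one destination IP before we alert.
HOST_DIVERSITY_THRESHOLD = 3
# Base64 alphabet with optional padding; the post reports C2 data as B64-encoded AES ciphertext.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample proxy records (not captured data): timestamp, dst IP, Host header, Cookie.
SAMPLE_LOG = """\
2018-01-29T10:01:02Z 103.236.150.14 qkz9vbmaap.com id=3bA7gQf9K2zXcP1vYLm8Rn4tQwE+u9sD
2018-01-29T10:03:11Z 103.236.150.14 wz0lhrmxtv.net id=9LkT2mQx7vC4pZbN1sYdR6fH0gA/eW3j
2018-01-29T10:05:40Z 93.184.216.34 example.com session=abc123
2018-01-29T10:07:15Z 103.236.150.14 x7pfgtrzqm.org id=Qw8eRt5yUi2oPa0sDf7gHj3kLz9xCv1b
"""

def parse_record(line):
    """Split one whitespace-separated proxy record into its four fields."""
    ts, dst, host, cookie = line.split(maxsplit=3)
    return {"ts": ts, "dst": dst, "host": host, "cookie": cookie}

def looks_like_b64_blob(cookie, min_len=24):
    """True when the cookie value (after 'name=') is an opaque base64 blob of plausible length."""
    payload = cookie.split("=", 1)[1] if "=" in cookie else cookie
    return len(payload) >= min_len and len(payload) % 4 == 0 and bool(B64_RE.fullmatch(payload))

def find_elise_indicators(log_text):
    """Return (per-record alerts, {dst_ip: sorted decoy hosts}) for the given proxy log text."""
    hosts_by_ip = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hosts_by_ip[rec["dst"]].add(rec["host"])
        reasons = []
        if rec["dst"] == ELISE_C2_IP:
            reasons.append("destination is known Elise C2 IP")
        if looks_like_b64_blob(rec["cookie"]):
            reasons.append("opaque base64 cookie value")
        if reasons:
            alerts.append((rec["ts"], rec["dst"], rec["host"], reasons))
    # Decoy Host headers: several unrelated hostnames all sent to one hard-coded IP.
    divergent = {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= HOST_DIVERSITY_THRESHOLD}
    return alerts, divergent
```

Calling `find_elise_indicators(SAMPLE_LOG)` flags the three records to the C2 address and reports that IP as having three distinct decoy Host values; the host-diversity check is useful on its own when the hard-coded address changes between campaigns.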