Home Governance Vietnam’s APT32 Group Uses COVID-19 to Target Chinese Health Authorities

Vietnam’s APT32 Group Uses COVID-19 to Target Chinese Health Authorities

776
0
SHARE
Phishing Attack
SHARE

According to a report from Fireeye, the Vietnamese threat group APT32 is suspected to have carried out a series of attacks aimed at the Wuhan province government and China’s Ministry of Emergency Management to collect intelligence on the COVID-19 crisis. The researchers noted that the attackers targeted multiple users through a spear-phishing campaign run from at least January to April 2020.

The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict.

– Fireeye

Brief History of APT32

APT32 aka OceanLotus or APT-C-00, is suspected to be backed by the Vietnamese government. APT32 is popularly known to carry out cyber espionage campaigns against companies and countries doing business, manufacturing, or preparing to invest in Vietnam. The threat actors leverage a phishing mail to initiate an attack that contains ActiveMime files. They make use of social engineering as a bait to lure the victim into enabling the macros. Once executed, the initialized file downloads multiple malicious payloads like Soundbite, Windshield, Phoreal, Beacon, and Komprogo from a remote server.

Phishing Emails with Tracking Links

The first phishing attack was traced to January 6, 2020, when APT32 sent an email to China’s Ministry of Emergency Management using the sender address as [email protected][.]com and the subject 第一期办公设备招标结果报告 (translation: Report on the first-quarter results of office equipment bids). The email’s content had an embedded link that sent the victim’s email address and codes back to the threat actors indicating them that the email was opened.

phishing, APT32
Figure: Phishing email to China’s Ministry of Emergency Management (Image Source: Fireeye)

Researchers also found that the libjs.inquirerjs[.]com domain was being used since December as a C2 domain for a METALJACK phishing campaign to target Southeast Asian countries. APT32 likely used COVID-19-themed malicious attachments in Chinese-Language as a decoy to drop a METALJACK payload.

Threat Summary
Threat Group APT32
Threat type Spear-phishing, phishing
Payload Name METALJACK
Target Audience South-east Asia, Chinese speaking
Campaign Active Since From at least January 2020
Domain Indicators ·    m.topiccore[.]com

·    jcdn.jsoid[.]com

·    libjs.inquirerjs[.]com

·    vitlescaux[.]com

Email Address Used [email protected][.]com
Malicious File Names MD5: d739f10933c11bd6bd9677f91893986c – METALJACK loader

MD5: a4808a329b071a1a37b8d03b1305b0cb – METALJACK Payload

MD5: c5b98b77810c5619d20b71791b820529 – Decoy Document (Not Malicious)

Damages caused Intellectual and confidential COVID-19 related state and government data can be compromised. Additional trojans and malware infections can be installed to exfiltrate data in future.

 

Researchers added that, “The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted. Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally.”

SHARE

Subscribe Now to receive Free Newsletter

* indicates required


By submitting this form, you are consenting to receive marketing emails from: EC-Council, 101 C Sun Ave. NE, Albuquerque, NM, 87109, http://www.eccouncil.org. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact