APT32

APT / StateG0050
OriginVietnã
Techniques (MITRE ATT&CK)78
SourceMITRE ATT&CK
Also known as:SeaLotusOceanLotusAPT-C-00Canvas CycloneBISMUTH

Vexday analysis

APT32, também conhecido como OceanLotus, SeaLotus, BISMUTH e Canvas Cyclone (identificador MITRE ATT&CK G0050), é um grupo de ameaça persistente avançada de origem vietnamita ativo pelo menos desde 2014. O grupo tem como alvos múltiplos setores da iniciativa privada, governos estrangeiros, dissidentes e jornalistas, com forte concentração em países do Sudeste Asiático como Vietnã, Filipinas, Laos e Camboja. Entre seus métodos, destaca-se o uso extensivo de comprometimentos estratégicos de sites para atingir vítimas, com 78 técnicas documentadas no MITRE ATT&CK e 2 CVEs atribuídas ao grupo.

Techniques (MITRE ATT&CK) 78

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance
Gather Victim Identity InformationEmail AddressesSpearphishing Link
Resource development
DomainsWeb ServicesSocial Media AccountsToolUpload MalwareDrive-by Target
Initial access
Drive-by CompromiseSpearphishing AttachmentSpearphishing Link
Execution
Windows Management InstrumentationScheduled TaskCommand and Scripting InterpreterPowerShellWindows Command ShellVisual BasicJavaScriptSoftware Deployment ToolsExploitation for Client ExecutionMalicious LinkMalicious FileService Execution
Persistence
Office Application StartupWeb ShellWindows ServiceRegistry Run Keys / Startup Folder
Privilege escalation
Exploitation for Privilege Escalation
Credential access
OS Credential DumpingLSASS MemoryCredentials in Registry
Discovery
Query RegistrySystem Network Configuration DiscoveryRemote System DiscoverySystem Owner/User DiscoveryNetwork Service DiscoverySystem Network Connections DiscoverySystem Information DiscoveryFile and Directory DiscoveryLocal AccountNetwork Share Discovery
Lateral movement
SMB/Windows Admin SharesPass the HashPass the TicketLateral Tool Transfer
Collection
KeyloggingArchive Collected Data
Command and control
Web ProtocolsMail ProtocolsWeb ServiceIngress Tool TransferNon-Standard Port
Exfiltration
Exfiltration Over C2 ChannelExfiltration Over Unencrypted Non-C2 Protocol
defense-impairment
Modify RegistryLinux and Mac PermissionsClear Windows Event Logs
stealth
Command ObfuscationFileless StorageEncrypted/Encoded FileJunk Code InsertionMasqueradingRename Legitimate UtilitiesMasquerade Task or ServiceMatch Legitimate Resource Name or LocationProcess InjectionFile DeletionTimestompLocal AccountsPubPrnMshtaRegsvr32Rundll32Hidden Files and DirectoriesHidden WindowNTFS File AttributesDLL

Exploited vulnerabilities 2

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2017-11882HIGHEPSS 100%KEVCVE-2016-7255HIGHEPSS 81%KEV

APT32 uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →