A non-profit organization that supports human rights in Vietnam was the target of a multi-year campaign designed to spread various malware on compromised hosts.
Cybersecurity firm Huntress attributed the activity to a threat cluster known as APT32, a Vietnam-based hacking group also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty and OceanLotus. The intrusion is believed to have lasted at least four years.
“This intrusion has a number of overlaps with known methods used by the APT32/OceanLotus threat actor and a known target demographic that matches the goals of APT32/OceanLotus,” security researchers Jai Minton and Craig Sweeney said.
OceanLotus, active since at least 2012, has a history of targeting companies and government networks in East Asian countries, particularly Vietnam, the Philippines, Laos and Cambodia, with the ultimate goal of cyber espionage and intellectual property theft.
Attack chains typically use phishing lures as the initial access vector to deliver backdoors capable of running arbitrary shellcode and collecting sensitive information. The group has also been observed orchestrating watering hole campaigns as far back as 2018 to infect site visitors with reconnaissance payloads or harvest their credentials.
The latest set of attacks uncovered by Huntress involved four hosts, each of which was compromised to add different scheduled tasks and Windows registry keys responsible for launching Cobalt Strike Beacons, a backdoor that steals Google Chrome cookies for all user profiles on the system, and loaders responsible for running embedded DLL payloads.
The development comes as South Korean users have become the target of an ongoing campaign that likely uses phishing and vulnerable Microsoft Exchange servers to deliver reverse shells, backdoors and VNC malware in order to gain control of infected machines and steal credentials stored in web browsers.