Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders

Sept. 3, 2024, 8:12 a.m.

Description

A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved multiple persistence mechanisms, including scheduled tasks, COM object hijacking, and DLL side-loading. Various malware families were employed, such as backdoors using steganography and Java-based loaders. The attackers utilized Cobalt Strike for command and control, masquerading domains, and infrastructure designed to evade detection. This case highlights the persistent threats faced by human rights organizations from sophisticated state-sponsored actors.

External References

https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
https://otx.alienvault.com/pulse/66d6c298ada96e8b7e91f817
Tags
backdoor
apt
cobalt strike
persistence
steganography
vietnam
2024-09-03
dll side-loading
com hijacking
human rights

Date

  • Created: Sept. 3, 2024, 8:02 a.m.
  • Published: Sept. 3, 2024, 8:02 a.m.
  • Modified: Sept. 3, 2024, 8:12 a.m.

Indicators

  • f8773628cdeb821bd7a1c7235bb855e9b41aa808fed1510418a7461f7b82fd6c
  • efc373b0cda3f426d25085938cd02b7344098e773037a70404c6028c76cc16fc
  • ea8a00813853038820ba50360c5c1d57a47d72237e3f76c581d316f0f1c6e85f
  • c7e2dbc3df04554daa19ef125bc07a6fa52b5ea0ba010f187a082dc9fc2e97ed
  • c03cc808b64645455aba526be1ea018242fcd39278acbbf5ec3df544f9cf9595
  • b31bfa8782cb691178081d6685d8429a2a2787b1130c6620d3486b4c3e02d441
  • aa69c6c22f1931d90032a2d825dbee266954fac33f16c6f9ce7714e012404ec1
  • aa5ff1126a869b8b5a0aa72f609215d8e3b73e833c60e4576f2d3583cc5af4f4
  • a79ced63bdf0ea69d84153b926450cf3119bdea4426476b37dfde2a48a6ede0a
  • a6072e7b0fafb5f09fd02c37328091abfede86c7c8cb802852985a37147bfa19
  • a217fe01b34479c71d3a7a524cb3857809e575cd223d2dd6666cdd47bd286cd6
  • a166751b82eac59a44fd54cf74295e71e7e95474fc038fc8cca069da05158586
  • 8e2e9e7b93f4ed67377f7b9df9523c695f1d7e768c3301db6c653948766ff4c3
  • 82e94417a4c4a6a0be843ddc60f5e595733ed99bbfed6ac508a5ac6d4dd31813
  • 735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435fd1
  • 6cf19d0582c6c31b9e198cd0a3d714b397484a3b16518981d935af9fd6cdb2eb
  • 6c08a004a915ade561aee4a4bec7dc588c185bd945621ec8468575a399ab81f4
  • 6719175208cb6d630cf0307f31e41e0e0308988c57772f25494c9d2a2b84e2a1
  • 47af8a33aac2e70ab6491a4c0a94fd7840ff8014ad43b441d01bfaf9bf6c4ab7
  • 47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc
  • 300ef93872cc574024f2402b5b899c834908a0c7da70477a3aeeaee2e458a891
  • 29863f612d2da283148cb327a1d57d0a658d75c8e65f9ef4e5b19835855e981e
  • 1bd17369848c297fb30e424e613c10ccae44aa0556b9c88f6bf51d84d2cbf327
  • 09f53e68e55a38c3e989841f59a9c4738c34c308e569d23315fd0e2341195856
  • 51.81.29.44
  • 5.230.35.192
  • 46.183.223.79
  • 193.107.109.148
  • 185.43.220.188
  • 185.198.57.184
  • 176.103.63.48
  • 91.231.182.18
  • you.can-get-no.info
  • var.alieras.com
  • ww1.erabend.com
  • priv.manuelleake.com
  • kpi.msccloudapp.com
  • kpi.adcconnect.me
  • hx-in-f211.popfan.org
  • get.dupbleanalytics.net
  • fbcn.enantor.com
  • cds55.lax8.setalz.com
  • cdn.arlialter.com
  • blank.eatherurg.com
  • base.msteamsapi.com
  • adobe.riceaub.com
Download all indicators here!

Attack Patterns

  • Cobalt Strike - S0154
  • APT32/OceanLotus

Additional Informations

  • NGO