Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
Sept. 3, 2024, 8:12 a.m.
Description
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The activity shows significant overlap with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion relied on multiple persistence mechanisms, including scheduled tasks, COM object hijacking, and DLL side-loading. Several malware families were employed, among them backdoors that use steganography and Java-based loaders. For command and control, the attackers used Cobalt Strike together with lookalike (masquerading) domains and infrastructure designed to evade detection. This case highlights the persistent threats that human rights organizations face from sophisticated state-sponsored actors.
Date
Published: Sept. 3, 2024, 8:02 a.m.
Created: Sept. 3, 2024, 8:02 a.m.
Modified: Sept. 3, 2024, 8:12 a.m.
Indicators
File hashes (SHA-256)
f8773628cdeb821bd7a1c7235bb855e9b41aa808fed1510418a7461f7b82fd6c
efc373b0cda3f426d25085938cd02b7344098e773037a70404c6028c76cc16fc
ea8a00813853038820ba50360c5c1d57a47d72237e3f76c581d316f0f1c6e85f
c7e2dbc3df04554daa19ef125bc07a6fa52b5ea0ba010f187a082dc9fc2e97ed
c03cc808b64645455aba526be1ea018242fcd39278acbbf5ec3df544f9cf9595
b31bfa8782cb691178081d6685d8429a2a2787b1130c6620d3486b4c3e02d441
aa69c6c22f1931d90032a2d825dbee266954fac33f16c6f9ce7714e012404ec1
aa5ff1126a869b8b5a0aa72f609215d8e3b73e833c60e4576f2d3583cc5af4f4
a79ced63bdf0ea69d84153b926450cf3119bdea4426476b37dfde2a48a6ede0a
a6072e7b0fafb5f09fd02c37328091abfede86c7c8cb802852985a37147bfa19
a217fe01b34479c71d3a7a524cb3857809e575cd223d2dd6666cdd47bd286cd6
a166751b82eac59a44fd54cf74295e71e7e95474fc038fc8cca069da05158586
8e2e9e7b93f4ed67377f7b9df9523c695f1d7e768c3301db6c653948766ff4c3
82e94417a4c4a6a0be843ddc60f5e595733ed99bbfed6ac508a5ac6d4dd31813
735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435fd1
6cf19d0582c6c31b9e198cd0a3d714b397484a3b16518981d935af9fd6cdb2eb
6c08a004a915ade561aee4a4bec7dc588c185bd945621ec8468575a399ab81f4
6719175208cb6d630cf0307f31e41e0e0308988c57772f25494c9d2a2b84e2a1
47af8a33aac2e70ab6491a4c0a94fd7840ff8014ad43b441d01bfaf9bf6c4ab7
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc
300ef93872cc574024f2402b5b899c834908a0c7da70477a3aeeaee2e458a891
29863f612d2da283148cb327a1d57d0a658d75c8e65f9ef4e5b19835855e981e
1bd17369848c297fb30e424e613c10ccae44aa0556b9c88f6bf51d84d2cbf327
09f53e68e55a38c3e989841f59a9c4738c34c308e569d23315fd0e2341195856
IP addresses
51.81.29.44
5.230.35.192
46.183.223.79
193.107.109.148
185.43.220.188
185.198.57.184
176.103.63.48
91.231.182.18
Domains
you.can-get-no.info
var.alieras.com
ww1.erabend.com
priv.manuelleake.com
kpi.msccloudapp.com
kpi.adcconnect.me
hx-in-f211.popfan.org
get.dupbleanalytics.net
fbcn.enantor.com
cds55.lax8.setalz.com
cdn.arlialter.com
blank.eatherurg.com
base.msteamsapi.com
adobe.riceaub.com
Attack Patterns
Cobalt Strike - S0154
APT32/OceanLotus
Additional Information
NGO