TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

APT Targeting Vietnamese Human Rights Defenders | Huntress

2024-08-28

ATT&CK techniques detected

45 predictions
T1053.005 Scheduled Task · 100%
": -jar c:\users\<redacted>\appdata\roaming\adobe\acrobat\adobe.jar mi54giwp This scheduled task referenced a malicious Java archive (JAR) file which was specifically created for the user and system in question. The malware contained a hard-coded reference t…"

T1053.005 Scheduled Task · 100%
"A month following the Node addon being launched we observed a scheduled task creation spawning from the node.exe process. c:\programdata\adobe\node.exe -e require('c:\\programdata\\adobe\\1lpiozkc.node') Process: c:\windows\system32\cmd.exe /c …"

T1053.005 Scheduled Task · 100%
"\microsoft\windows\cloudstore\mssharepoint.vbs This scheduled task contained a different user SID than the one found in the AdobeUpdateTaskUser scheduled task. The mssharepoint.vbs script was designed to use a private key already placed on disk, authenticate to a remote …"

T1053.005 Scheduled Task · 100%
"one seen previously (msteamsapi[.]com) and the subdomain also had overlap with a subdomain seen on Host 4. Host 3 persistence mechanism: shortly after performing named pipe impersonation on Host 2, a command was run using the same Cobalt Strike Beacon in an attempt to create …"

T1053.005 Scheduled Task · 100%
"} /tr "c:\users\<redacted>\appdata\roaming\microsoft\windows\cloudstore\cloud.bat" /f Scheduled Task 4: handler{60396-307392-03497-03790-3702046} Executable: c:\users\<redacted>\appdata\roaming\microsoft\windows\cloudstore\clo…"

T1547.001 Registry Run Keys / Startup Folder · 100%
"…version\run Registry entry value: wdiservicehost Registry entry data: c:\users\<redacted>\appdata\roaming\wdiservicehost_339453944\wdiservicehost.exe A second Run key was found on Host 1 referencing an Apple software binary (softwareupdate.exe) with a r…"

T1053.005 Scheduled Task · 100%
"%g\cookies" /y Host 2 persistence mechanism: a separate host, Host 2, had remote commands run via Windows Management Instrumentation to execute a batch script approximately 1.5 months after the first observed action on Host 1. This batch script was used to query processes ru…"

T1053.005 Scheduled Task · 100%
"Task creation and modification timestamps indicate it was first set up in June of 2020. The StartBoundary within the XML file used for this scheduled task also had a timestamp value of 2020-01-01T00:00:00 indicating that the task was expected to be run from the start of 2…"

T1053.005 Scheduled Task · 99%
"…acted>\appdata\roaming\microsoft\installer\{02594fe8-1152-e41e-a75e-923494c7b453}\dropboxupdate.exe Command: c:\users\<redacted>\appdata\roaming\microsoft\installer\{02594fe8-1152-e41e-a75e-923494c7b453}\dropboxupdate.exe /…"

T1053.005 Scheduled Task · 99%
"minute /mo 300 /tn handler{60396-307392-03497-03790-3702046} /tr "%appdata%\microsoft\windows\cloudstore\cloud.bat" /f It was found that this process was being launched from another scheduled task that was previously set up prior to Huntress deployment.…"

T1055.001 Dynamic-link Library Injection · 99%
"is significant because these operations, the entry point, and the address of the function to be run are all identical to the previously mentioned malware submitted to VirusTotal which is tied to APT32/OceanLotus. A closer inspection showed that this file was actually identical …"

T1053.005 Scheduled Task · 99%
"…lotus_issutil_sep18. Although this match was a false positive, a malicious sample was found on VirusTotal matching this rule, which was submitted with the names iisutil.dll and iisutil2.dll. This sample has been flagged by some AV engines as being tied to APT32/OceanLot…"

T1053.005 Scheduled Task · 98%
"…ecutable: c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\calibre.exe Shortly after this, a command was run to invoke the calibre executable. wmic /node:<redacted> /user:<redacted> /password:<redacted> process call create "cmd.…"

T1053.005 Scheduled Task · 98%
"1 Executable: c:\windows\system32\wscript.exe Arguments: /nologo /e:vbscript c:\programdata\appdata\roaming\adobe\updater\scheduler\scheduler.ps1:log.txt The referenced scheduler.ps1:log.txt is an alternate data stream named log.txt within a…"

T1053.005 Scheduled Task · 98%
"Acrobat Update Task Executable: c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe Scheduled Task 2: microsoftone\uptodate Executable: c:\programdata\microsoft\appv\ins-findstr.exe Scheduled Task 3: Adobe Acrobat Update Task_v2 Executa…"

T1053.005 Scheduled Task · 96%
"Management Services Client\AD RMS Rights Policy Template Management (Automated)_{2a918d97-ccfe-4be6-ab0e-d56a2e3f503d} Description: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the tem…"

T1055.001 Dynamic-link Library Injection · 94%
"…ble Cobalt Strike profiles and is commonly seen when running the ‘getsystem’ command from Cobalt Strike. c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\calibre.exe Parent: c:\windows\sysnative\gpupdate.exe Process: c:\windows\…"

T1574.001 DLL · 94%
"cachuri.dll set to run as a COM object would explicitly import and run code from iisutil2.dll. Although iisutil2.dll had almost identical information as a signed, valid copy of iisutil.dll, this had been patched to run different code, and was modified to increase the file siz…"

T1539 Steal Web Session Cookie · 93%
"found on Host 1 referencing a batch script called connection.bat. This had identical functionality to mssharepoint.vbs except it launched PowerShell to run sftp rather than a VBS script. Run Key 3 Registry key: hku\<sid>\software\microsoft\windows\currentversion\…"

T1053.005 Scheduled Task · 92%
"tr "c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\calibre.exe" /f Scheduled Task 1: microsoft\windows\windowscolorsystem\calibration_update Executable: c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\…"

T1055.001 Dynamic-link Library Injection · 92%
"a DropboxUpdate task pointing to a legitimate executable. Although DropboxUpdate doesn’t directly import and use goopdate.dll, this is indirectly called and loaded by DropboxUpdate which is then used to load a malicious dropboxupdate.bin file in the same directory as shown be…"

T1505.004 IIS Components · 91%
"back to at least 2013. This has been reported by companies such as Google, the Electronic Frontier Foundation, Amnesty International, and a large number of other security vendors. During our investigation a number of overlaps were found between known techniques used by APT32/Oc…"

T1053.005 Scheduled Task · 90%
"notable given APT32/OceanLotus has previously used this technique throughout their intrusions. The host was also found to have another four scheduled tasks which were masquerading as various services with identical descriptions. These tasks had a similar naming convention to pr…"

T1574.001 DLL · 89%
"…ed-4b12-936a-c8715d2d2c0e Executable: c:\users\<redacted>\appdata\roaming\adobe\bin\javaw.exe Arguments: -jar c:\users\<redacted>\appdata\roaming\adobe\msadobe.jar zfhqq01v) Further analysis on msadobe.jar is mentioned in the followi…"

T1574.001 DLL · 84%
"…l are named after a subset of exports found in a legitimate tpmvsc.dll usually found on Windows. After execution, this would get a handle to kernel32.dll to get the address of modules to be used and check to see if Kaspersky AV was running on the system (avp.exe) and AVG (…"

T1036.004 Masquerade Task or Service · 84%
"notable given APT32/OceanLotus has previously used this technique throughout their intrusions. The host was also found to have another four scheduled tasks which were masquerading as various services with identical descriptions. These tasks had a similar naming convention to pr…"

T1055.001 Dynamic-link Library Injection · 79%
"then evaluated prior to injection. No specific overlaps were seen with previously reported malicious goopdate.dll files used by APT32/OceanLotus. Despite this, Facebook, Cybereason, and Volexity have all previously reported the use of APT32/OceanLotus using a malicious goopda…"

T1547.001 Registry Run Keys / Startup Folder · 78%
"action, but speculate it may have been to ensure execution of malware on a remote system or to ensure any system configuration changes are applied. Over the next few months, various discovery commands were performed to ensure access to remote workstations from Host 1. Actions wer…"

T1053.005 Scheduled Task · 77%
"multiple signal clusters, and statistical anomalies. The Huntress Managed EDR consistently identifies persistent footholds on a system. This allows threat hunters to locate anomalies where a persistent foothold may be found on a small subset of the systems protected by Huntress. …"

T1071.001 Web Protocols · 77%
"methods OPTIONS, GET, HEAD, POST whenever an OPTIONS request was sent. This is significant because the same behavior is expected when you’re interacting with a Cobalt Strike team server as previously reported by Palo Alto Networks. The combination of specific response headers a…"

T1027.003 Steganography · 75%
"make a call to the Windows CryptDecrypt API to decrypt and load the final DLL into memory. The use of a custom steganography routine to hide malicious code in a seemingly benign PNG file, in addition to use of a XOR key and compression, has overlap with the previously mentioned s…"

T1583.001 Domains · 75%
"running the COM object backdoor. Passive DNS information for the IP address 185.198.57[.]184 showed that domains mentioned in the security researcher’s blog from 2019 resolved to this IP address. This helps to validate that the malware described in their blog is the same m…"

T1053.005 Scheduled Task · 73%
". - Port 8888 and 8531 were used within the malware C2 configuration. The COM object backdoor aligns with public reporting by a security researcher from 2019 where the final payload contained eight possible C2 server addresses with identical port numbers. - The use of hardcoded C…"

T1055.001 Dynamic-link Library Injection · 51%
"mdb and tpminit.mdf on disk if they’re not present before terminating, at which point these files will no longer be modified. Although it’s unknown whether this executable was related to the same intrusion, modification timestamps indicate this malware may have been present …"

T1071 Application Layer Protocol · 47%
". - Port 8888 and 8531 were used within the malware C2 configuration. The COM object backdoor aligns with public reporting by a security researcher from 2019 where the final payload contained eight possible C2 server addresses with identical port numbers. - The use of hardcoded C…"

T1574.001 DLL · 46%
"…eason, and Volexity have all reported the use of APT32/OceanLotus using a malicious goopdate.dll loading into a benign executable. - APT32/OceanLotus has been known to use unique CLSIDs, binary padding, compression, and scheduled tasks in their intrusions as reported by es…"

T1195.002 Compromise Software Supply Chain · 45%
"used Cobalt Strike servers behind Cloudflare as reported by Cybereason and Volexity - APT32/OceanLotus has previously used the Apple Software Update binary to sideload malicious DLL’s as reported by Recorded Future. - APT32/OceanLotus has previously heavily used Let’s Enc…"

T1036.004 Masquerade Task or Service · 44%
"…ecutable: c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\calibre.exe Shortly after this, a command was run to invoke the calibre executable. wmic /node:<redacted> /user:<redacted> /password:<redacted> process call create "cmd.…"

T1053.005 Scheduled Task · 42%
"…mi/priv Weeks following this command we observed a new service created to run a legitimate Node executable. This executable was set to launch a malicious Node addon binary to evade detection on the system. Service 1: adobe_reader Executable: c:\programdata\adobe\node…"

T1559.001 Component Object Model · 42%
". - Port 8888 and 8531 were used within the malware C2 configuration. The COM object backdoor aligns with public reporting by a security researcher from 2019 where the final payload contained eight possible C2 server addresses with identical port numbers. - The use of hardcoded C…"

T1553.002 Code Signing · 37%
"…l are named after a subset of exports found in a legitimate tpmvsc.dll usually found on Windows. After execution, this would get a handle to kernel32.dll to get the address of modules to be used and check to see if Kaspersky AV was running on the system (avp.exe) and AVG (…"

T1071 Application Layer Protocol · 36%
"back to at least 2013. This has been reported by companies such as Google, the Electronic Frontier Foundation, Amnesty International, and a large number of other security vendors. During our investigation a number of overlaps were found between known techniques used by APT32/Oc…"

T1218.011 Rundll32 · 35%
"mdb and tpminit.mdf on disk if they’re not present before terminating, at which point these files will no longer be modified. Although it’s unknown whether this executable was related to the same intrusion, modification timestamps indicate this malware may have been present …"

T1036.004 Masquerade Task or Service · 33%
"Acrobat Update Task Executable: c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe Scheduled Task 2: microsoftone\uptodate Executable: c:\programdata\microsoft\appv\ins-findstr.exe Scheduled Task 3: Adobe Acrobat Update Task_v2 Executa…"

T1055.001 Dynamic-link Library Injection · 31%
"tr "c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\calibre.exe" /f Scheduled Task 1: microsoft\windows\windowscolorsystem\calibration_update Executable: c:\users\<redacted>\appdata\roaming\microsoft\spmigration\bin\…"

Summary

Huntress identified an intrusion against a non-profit supporting Vietnamese human rights that’s likely spanned years. Jump in as we provide a thorough analysis of this malicious threat actor.