APT32

APT32, also recognized as the OceanLotus Group, is not new on threat scenario. Its attacks started been reported by security researchers since 2014. The main targets of the APT32 attacks are various countries' governmental entities, journalists, private-owned industries and people against official policy. There are APT32 attacks reported in Cambodia, Philippines, Vietnam, and Laos, which points to the APT32 Group to based in Vietnam. To avoid detection, the APT32 attack includes useless code so that security programs will be fooled. To exchange information with its Command and Control server, APT32 uses port 80. The APT32 attack can collect login data by usingGetPassword_x64 and Mimikatz. It also executes genuine executables from McAfee and Symantec to load a corrupted DLL and can collect a list of the files and directories on the infected computer. The tasks and tricks used by the APT32 attacks are so many that it is not easy to enumerate them.

To gain access to a computer, the APT32 attack uses social engineering and spear-phishing emails to trick its victims into enabling macros from ActiveMime files. If the victims agree, the downloaded file will transfer several corrupted files from remote servers into the infected machine. The APT32 attack also can monitor the messages and emails to be aware of who have fallen for its tricks. The APT32 attacks are extremely hard to detect because it uses misleading methods to mix their activities with the victims' activities. The poor defensive techniques used by numerous governmental and private corporations to protect their computers and data are a full plate for criminals like the ones behind the APT32 Group since they can invade these machines easily, collect essential data and do whatever they want with it.