BadCake
APT32 (Advanced Persistent Threat 32), also tracked as OceanLotus, is a cyber-espionage group believed to operate out of Vietnam. It has been active since at least 2013, regularly updates its hacking arsenal, and keeps standing up new infrastructure and projects. The group goes after high-profile targets: dissidents and journalists, as well as political and business organizations. Most of its attacks are concentrated in South East Asia (the Philippines, Cambodia, Laos and others). APT32's broad toolset supports long-term surveillance campaigns and data-exfiltration operations, and among the most notable tools in that arsenal is BadCake, a custom-built backdoor Trojan.
According to reports, BadCake is delivered through spear-phishing emails aimed at specific individuals, and also through watering-hole attacks. Once it has infiltrated the target computer, the backdoor collects data about the host's hardware and software. It can execute arbitrary commands, which lets APT32 change host settings, including disabling or bypassing the system's security controls. Because BadCake is a backdoor, it also lets the attackers stage additional malware on the host as secondary payloads.
BadCake appears to be used for long-term reconnaissance, so it is built to persist on the infected host. It gains persistence by either creating a Scheduled Task or registering a fake Windows Service, and either mechanism relaunches the backdoor every time the victim reboots the PC. For command and control, the malware uses a DGA (Domain Generation Algorithm) to produce subdomains under C&C (Command & Control) domains that are hardcoded in the binary: the parent domains stay fixed, while the hostnames actually queried keep changing.
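Both behaviours in the paragraph above, persistence through a Scheduled Task or a service and DGA-generated subdomains under fixed C&C domains, leave traces a defender can hunt for. The following is an added example written for this page, not code from the original article or from APT32's tooling. It runs simple detection logic over constructed Windows event records (shaped after Security event 4698, scheduled task created, and System event 7045, service installed) and constructed DNS query log lines. The field names, the trusted-directory list, the log-line format and the thresholds are all assumptions, and every sample record is made up.

```python
"""Hunting heuristics for the two BadCake behaviours described above.

Added example for this page, not code from the original article or from
APT32 tooling. Event field names, log format and thresholds are assumptions;
all sample records below are constructed for the demo.
"""
import math
import re
from collections import defaultdict

# Directories from which a task or service binary is expected to run.
# Heuristic only: some legitimate software installs under ProgramData or
# AppData, and a fake service dropped into System32 would slip past this
# check, so also compare task and service names against a known-good baseline.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",          # also covers "c:\program files (x86)"
)
ENV = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}


def executable_path(command):
    """Return the binary from a task action or service ImagePath, handling
    both quoted ("C:\\a b\\x.exe" /s) and bare (C:\\x.exe /s) forms."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def normalize(path):
    """Lower-case the path and expand the few environment variables we expect."""
    p = path.lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p


def flag_persistence(events):
    """Return (event_id, name, exe) for every scheduled task (4698) or newly
    installed service (7045) whose binary lies outside TRUSTED_PREFIXES."""
    hits = []
    for ev in events:
        if ev["event_id"] == 4698:
            name, command = ev["task_name"], ev["command"]
        elif ev["event_id"] == 7045:
            name, command = ev["service_name"], ev["image_path"]
        else:
            continue
        exe = executable_path(command)
        if not normalize(exe).startswith(TRUSTED_PREFIXES):
            hits.append((ev["event_id"], name, exe))
    return hits


DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def parent_domain(qname):
    """Registrable parent as the last two labels. Demo assumption; real code
    should consult the Public Suffix List so that example.co.uk is handled."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; random DGA labels score higher than real words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def flag_dga_subdomains(lines, min_unique=5, min_entropy=3.0):
    """Group queries by parent domain and flag parents that receive many
    distinct, high-entropy subdomain labels: the footprint of a DGA that
    generates hostnames under a hardcoded C&C domain.
    Returns {parent: sorted unique labels} for each flagged parent."""
    labels_by_parent = defaultdict(set)
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue                       # skip headers and malformed lines
        qname = m.group("qname").rstrip(".").lower()
        parent = parent_domain(qname)
        if qname != parent:                # ignore queries for the apex itself
            labels_by_parent[parent].add(qname[: -len(parent) - 1])
    flagged = {}
    for parent, labels in labels_by_parent.items():
        if len(labels) >= min_unique:
            mean = sum(shannon_entropy(l) for l in labels) / len(labels)
            if mean >= min_entropy:
                flagged[parent] = sorted(labels)
    return flagged


# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h"},
    {"event_id": 4698, "task_name": r"\Updater\SystemUpdate",
     "command": r'"C:\Users\alice\AppData\Roaming\Microsoft\update.exe" /silent'},
    {"event_id": 7045, "service_name": "VSS",
     "image_path": r"C:\Windows\system32\vssvc.exe"},
    {"event_id": 7045, "service_name": "Windows Update Helper",
     "image_path": r"C:\ProgramData\WUHelper\wuhelper.exe -k netsvcs"},
]
SAMPLE_DNS = [
    "# ts client qname",
    "2024-03-01T09:00:01Z 10.0.0.15 www.example.com.",
    "2024-03-01T09:00:02Z 10.0.0.15 mail.example.com",
    "2024-03-01T09:00:03Z 10.0.0.15 k3q7zpx9mw1a.cdn-update.net",
    "2024-03-01T09:00:13Z 10.0.0.15 f8tb2vhyn4lc.cdn-update.net",
    "2024-03-01T09:00:23Z 10.0.0.15 r6jd0gsue5wq.cdn-update.net",
    "2024-03-01T09:00:33Z 10.0.0.15 p1mz9kxa3ctv.cdn-update.net",
    "2024-03-01T09:00:43Z 10.0.0.15 h4ynb7qe2lfs.cdn-update.net",
    "2024-03-01T09:00:53Z 10.0.0.15 w0gr5uxj8dzm.cdn-update.net",
]

if __name__ == "__main__":
    for hit in flag_persistence(SAMPLE_EVENTS):
        print("persistence outside trusted paths:", hit)
    for parent, labels in flag_dga_subdomains(SAMPLE_DNS).items():
        print(f"DGA-like subdomains under {parent}: {len(labels)} unique labels")
```

Run against the constructed data, the path check flags the AppData task and the ProgramData service while passing the two system binaries, and the DNS check flags cdn-update.net (six unique random-looking labels) while ignoring example.com (two ordinary hostnames). Both checks are deliberately coarse: tune `min_unique`, `min_entropy` and the trusted prefixes to your own environment, and treat a hit as a lead to pivot on (task XML, service binary hash, the full query history for that parent domain) rather than as a verdict.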
APT32 uses BadCake alongside two publicly available tools: Mimikatz, used to harvest login credentials from compromised hosts, and Cobalt Strike, which serves as the post-exploitation framework.
APT32 is a well-known group that has been active for years and is likely to keep endangering targets in the South East Asian region. Beyond running a genuine, reputable anti-malware suite, defenders should watch for the behaviours described above: Scheduled Tasks and services that launch binaries from unusual paths, and DNS traffic that sends a stream of unique subdomains to a single parent domain.