Vietnamese State-Backed Hackers Using Cryptocurrency Mining Malware, Microsoft Reports
APT32 Deploys Monero Coin Miners in Cyber-espionage Campaigns
Microsoft has uncovered evidence that Vietnamese state-backed hackers, known as APT32 or Ocean Lotus, have been using cryptocurrency mining malware to monetize the networks of organizations they are targeting for cyber-espionage activities. APT32, also known as BISMUTH, has a history of conducting sophisticated cyber-espionage campaigns targeting a wide range of industries and government entities.
According to Microsoft, from July to August 2020, APT32 deployed Monero coin miners in attacks against private and public sector organizations in France and Vietnam. This tactic may be an attempt by the group to generate additional revenue alongside their espionage activities, or to conceal their more nefarious actions behind seemingly less alarming threats.
Microsoft stated in a blog post, “The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware.” This strategy of blending in with common malware infections highlights the need for organizations to treat all cybersecurity incidents with urgency and thorough investigation.
Blending In with Spear-phishing and DLL Side-loading
APT32 has employed various tactics to blend in with legitimate activity and evade detection. One such tactic is targeting only a single individual within an organization with spear-phishing emails, sometimes exchanging messages with the victim first to build trust and encourage them to open a malicious attachment. The group has also used DLL side-loading, planting a malicious DLL alongside outdated copies of legitimate, signed applications, including Microsoft Defender Antivirus, so that the trusted binary loads the attacker's code and the activity is less likely to be flagged.
Microsoft noted, “Blending in was important for BISMUTH because the group spent long periods of time performing discovery on compromised networks until they could access and move laterally to high-value targets like servers, where they installed various tools to further propagate or perform more actions.” The group also relied on evasive PowerShell scripts to conceal their activities.
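The DLL side-loading technique described above leaves a recognizable footprint in image-load telemetry: a signed executable loads a DLL from its own directory whose signer does not match, and often that executable is running from a user-writable location rather than a normal install path. The following Python heuristic is an added example for illustration and is not Microsoft's detection logic or code from the report; it assumes records shaped like Sysmon "Image loaded" events (process path, DLL path, signature status and signer for each), and the sample events, file names and signer strings are constructed placeholders.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example; assumes telemetry resembling Sysmon Event ID 7 (Image loaded)
with the process image, the loaded DLL, and signature details for both.
All sample records and file names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Locations where a vendor-signed binary is expected to live. A signed
# executable running from elsewhere (user profile, temp, public folders)
# is not itself malicious, but it raises the severity of a side-load hit.
TRUSTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\ProgramData\Microsoft",
)


@dataclass(frozen=True)
class ImageLoad:
    process: str        # full path of the executable that loaded the DLL
    image: str          # full path of the DLL that was loaded
    proc_signed: bool
    proc_signer: str
    dll_signed: bool
    dll_signer: str


def _parent_dir(path: str) -> str:
    # Case-insensitive directory component of a Windows path.
    return path.lower().rsplit("\\", 1)[0]


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def assess(load: ImageLoad) -> Optional[dict]:
    """Return a finding when the load looks like DLL side-loading, else None."""
    same_dir = _parent_dir(load.process) == _parent_dir(load.image)
    # Classic side-load: trusted signed host, unsigned or differently signed DLL.
    signer_mismatch = load.proc_signed and (
        not load.dll_signed
        or load.dll_signer.lower() != load.proc_signer.lower()
    )
    if not (same_dir and signer_mismatch):
        return None
    reasons = ["signed host loads a DLL from its own directory with a different or missing signer"]
    severity = "medium"
    if not _under_trusted_root(load.process):
        reasons.append("host executable runs outside standard install locations")
        severity = "high"
    return {
        "process": load.process,
        "dll": load.image,
        "severity": severity,
        "reasons": reasons,
    }


def detect(loads: List[ImageLoad]) -> List[dict]:
    """Run the heuristic over a batch of image-load records."""
    return [f for f in (assess(l) for l in loads) if f is not None]


# Constructed sample telemetry: two benign loads and two side-load patterns.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll",
              True, "Vendor Inc", True, "Vendor Inc"),
    # An outdated copy of a signed security product dropped in a public folder
    # (placeholder name) that loads an unsigned DLL placed next to it.
    ImageLoad(r"C:\Users\Public\Update\outdated_av.exe", r"C:\Users\Public\Update\helper.dll",
              True, "Microsoft Corporation", False, ""),
    # A signed tool in a normal install path loading a DLL signed by someone else.
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\plugin.dll",
              True, "Microsoft Corporation", True, "Unknown Publisher"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOADS):
        print(finding["severity"], finding["process"], "->", finding["dll"])
```

Real telemetry is noisier than this: legitimate software frequently ships unsigned helper DLLs beside a signed launcher, so the medium-severity branch is a triage queue rather than an alert on its own, while the combination of a known security-product binary in a user-writable path and an unsigned neighbour is the pattern worth paging on.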
Protecting Against APT32 Threats
Organizations targeted by APT32 should focus on reducing their attack surface through user education, disabling Office macros, strengthening email filtering, and implementing other cybersecurity best practices. Improving credential hygiene with multi-factor authentication (MFA) and employing intrusion detection systems, firewalls, and other security tools can help prevent APT32 from gaining a foothold in networks.
By remaining vigilant and proactive in their cybersecurity efforts, organizations can better defend against the sophisticated tactics of state-backed hacking groups like APT32.