New APT32 Malware Campaign Targets Cambodian Government
Recorded Future’s Insikt Group has discovered a new malware campaign targeting the Cambodian government using an Association of Southeast Asian Nations (ASEAN)-themed spearphish. Using Recorded Future RAT controller detections and Network Traffic Analysis, Insikt Group identified new operational infrastructure that we attribute to the Vietnamese state-sponsored threat activity group APT32, also known as OceanLotus. This assessment is also supported by the identification of several Cambodian victim organizations communicating with this infrastructure, and aligns with previous campaigns targeting these organizations.
Vietnam and Cambodia have a long history of conflict, dating back to the Sino-Vietnamese War of the 1970’s, when Vietnam began retaliatory attacks on China’s “little brother,” Cambodia. In 2017, Vietnam started strengthening its cyber warfare capabilities with the formation of APT32, which targeted ASEAN’s website during the 2017 annual summit, as well as targeting websites of ministries or government agencies in Cambodia, Lao PDR, and the Philippines.
In recent years, the relationship between Vietnam and Cambodia has deteriorated in part because of China’s Belt and Road Initiatives (BRI) in the region. As Cambodian Prime Minister Hun Sen has grown closer to Chinese President Xi Jinping, the two have strengthened the partnerships between the two countries, pushing Vietnam out of critical regional cooperatives. Chinese investments in Cambodia include critical infrastructure, joint military exercises in the South China Sea, and a new property development just North of Ream Naval Base, strategically located on the Gulf of Thailand between Vietnam and Cambodia.
New APT32 Infrastructure
In June 2020, Insikt Group reported on new APT32 operational infrastructure identified through a proprietary method of tracking malware activity associated with APT32, such as METALJACK and DenisRAT. Using this same methodology, Insikt Group has continued to identify new, active APT32 IP addresses and associated domains.
Insikt researchers discovered several samples that are a part of this campaign:
Sample 1: The first sample is delivered via a malicious document titled, “បញ្ជីរាយនាមអនុព័ន្ធយោធាបរទេសនិងការិយាល័យសហប្រតិបត្តិការយោធាប្រចាំកម្ពុជា.docx~[.]exe”, which translates to “List of Foreign Military Attachments and Office of Military Cooperation in Cambodia.docx~[.]exe”. This sample, likely delivered via spearphishing, is a self-extracting archive (SFX) containing four files:
- A legitimate executable signed by Apple (SoftwareUpdate.exe).
- A related benign dynamic link library (DLL) file (SoftwareUpdateFiles.dll).
- A malicious DLL (SoftwareUpdateFilesLocalized.dll).
- A file named “SoftwareUpdateFiles.locale” containing encrypted shellcode.
Upon execution of the SFX, the Apple executable loads the benign DLL before loading the malicious DLL, which is stored in the SoftwareUpdateFiles.Resources/en.lproj file path. The malicious DLL then extracts the encrypted shellcode from the SoftwareUpdateFile.locale file and decrypts and executes it, while displaying a decoy document to the user (an Microsoft Word document displaying an “activation error”), eventually loading the final payload.
This loading process matches APT32 activity previously reported by Insikt Group and Ahnlab in relation to an APT32 sample referencing the 2020 ASEAN Summit. Further analysis of these artifacts for identification of the malware family is ongoing within Insikt Group and updates will be posted as more samples are analyzed.
Sample 2: A second sample, uploaded to a malware repository on October 22, 2020, uses this same loading process and communicates with one of the identified C2 domains, cloud.bussinesappinstant[.]com.
In this sample, the SFX file is called “9_Programme_SOMCA-Japan_FINAL.docx~.exe”, likely in reference to the ASEAN Senior Officials Meeting for Culture and Arts (SOMCA), indicating APT32’s continued interest in the targeting of ASEAN and other member states.
This archive file drops the same “SoftwareUpdateFilesLocalized.dll” file seen in the previous sample. In addition to the TTP (tactics, techniques, procedures) and infrastructure overlaps, the malicious DLLs linked to this latest sample share an identical rich header and import hash seen in historical APT32 samples.
Insikt Group identified further evidence of targeting of Cambodia through several IP addresses assigned to a Cambodian government organization regularly communicating with the APT32 C2 IP address 43.254.132[.]212.