New APT32 Malware Campaign Targets Cambodian Government
Recorded Future’s Insikt Group has discovered a new malware campaign targeting the Cambodian government using an Association of Southeast Asian Nations (ASEAN)-themed spearphish. Using Recorded Future RAT controller detections and Network Traffic Analysis, Insikt Group identified new operational infrastructure that we attribute to the Vietnamese state-sponsored threat activity group APT32, also known as OceanLotus. This assessment is also supported by the identification of several Cambodian victim organizations communicating with this infrastructure, and aligns with previous campaigns targeting these organizations.
History
Vietnam and Cambodia have a long history of conflict, going back to the Sino-Vietnamese war of the 1970s, when Vietnam launched retaliatory attacks against Cambodia, then regarded as China's "little brother". In 2017, Vietnam began strengthening its cyber warfare capabilities, and APT32 targeted the ASEAN website during the 2017 annual summit, as well as the websites of government ministries and agencies in Cambodia, the Lao People's Democratic Republic, and the Philippines. In recent years, relations between Vietnam and Cambodia have deteriorated, in part because of China's Belt and Road Initiative (BRI) in the region. As Cambodian Prime Minister Hun Sen has grown closer to Chinese President Xi Jinping, the two have strengthened partnerships between their countries, sidelining Vietnam from key regional cooperation. Chinese investment in Cambodia includes critical infrastructure, joint military exercises in the South China Sea, and a new real-estate project just north of the Ream naval base, strategically located in the Gulf of Thailand between Vietnam and Cambodia.
New APT32 Infrastructure
In June 2020, Insikt Group reported on new APT32 operational infrastructure identified through a proprietary method of tracking malware activity associated with APT32, such as METALJACK and DenisRAT. Using this same methodology, Insikt Group has continued to identify new, active APT32 IP addresses and associated domains. Insikt researchers discovered several samples that are part of this campaign.

Sample 1: The first sample is delivered via a malicious document titled “បញ្ជីរាយនាមអនុព័ន្ធយោធាបរទេសនិងការិយាល័យសហប្រតិបត្តិការយោធាប្រចាំកម្ពុជា.docx [.]exe”, which translates to “List of Foreign Military Attachés and Office of Military Cooperation in Cambodia.docx[.]exe”. Note the double extension: the file presents itself as a Word document but is an executable. This sample, likely delivered via spearphishing, is a self-extracting archive (SFX) containing four files:
- A legitimate executable signed by Apple (SoftwareUpdate.exe).
- A related benign dynamic link library (DLL) file (SoftwareUpdateFiles.dll).
- A malicious DLL (SoftwareUpdateFilesLocalized.dll).
- A file named “SoftwareUpdateFiles.locale” containing encrypted shellcode.
Upon execution of the SFX, the Apple-signed executable loads the benign DLL and then the malicious DLL, which is stored under the SoftwareUpdateFiles.Resources/en.lproj path. This is DLL side-loading: the trusted, signed binary performs the load, so the malicious code runs under its name. The malicious DLL then extracts the encrypted shellcode from the SoftwareUpdateFiles.locale file, decrypts and executes it, and displays a decoy document to the user (a Microsoft Word document showing an “activation error”), eventually loading the final payload.
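The dropped-file set above (signed host executable, sibling DLLs sharing its name stem, a non-PE blob of encrypted shellcode, and a lure name with a document-looking double extension) is a pattern a triage analyst can score mechanically. The following is an added example, not Recorded Future's tooling: it applies three heuristics to an unpacked SFX drop. The file contents, the entropy threshold, and the helper names are constructed for illustration; only the filenames mirror the ones named on this page.

```python
"""Triage heuristics for an SFX drop that follows the loader pattern above.

Added example (not the report's own tooling). Flags:
  1. a lure filename with a document extension followed by an executable one,
  2. an .exe with sibling DLLs sharing its name stem (DLL side-loading candidate),
  3. a non-PE file of near-random bytes (encrypted payload candidate).
"""
import hashlib
import math
import os
import re
from collections import Counter
from typing import Dict, List

# Document extension, optional "~", then an executable extension: "agenda.docx~.exe".
DOUBLE_EXT_RE = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|rtf)\s*~?\.(exe|scr|com|pif)$", re.IGNORECASE)
HIGH_ENTROPY = 7.5  # bits/byte (assumed threshold): text ~4-5, encrypted/compressed ~7.9


def refang(name: str) -> str:
    """Turn defanged notation ("docx[.]exe") back into the literal filename."""
    return name.replace("[.]", ".")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for byte data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Cheap PE check on the DOS header magic only."""
    return data[:2] == b"MZ"


def triage_drop(lure_name: str, files: Dict[str, bytes]) -> List[str]:
    """Return human-readable indicator strings for one dropped-file set."""
    findings = []
    if DOUBLE_EXT_RE.search(refang(lure_name)):
        findings.append(f"double-extension lure: {lure_name}")
    for exe in (n for n, d in files.items() if n.lower().endswith(".exe") and is_pe(d)):
        stem = os.path.splitext(exe)[0].lower()
        siblings = sorted(n for n in files
                          if n.lower().endswith(".dll") and n.lower().startswith(stem))
        if siblings:
            findings.append(f"side-load candidate: {exe} with {siblings}")
    for name, data in files.items():
        if not is_pe(data) and len(data) >= 256:
            ent = shannon_entropy(data)
            if ent >= HIGH_ENTROPY:
                findings.append(f"high-entropy non-PE blob: {name} ({ent:.2f} bits/byte)")
    return findings


def _pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic near-random bytes standing in for encrypted shellcode (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


_FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"

# Constructed stand-ins for the four dropped files; only the names come from the page.
SAMPLE_DROP = {
    "SoftwareUpdate.exe": _FAKE_PE + b"A" * 512,
    "SoftwareUpdateFiles.dll": _FAKE_PE + b"B" * 512,
    "SoftwareUpdateFilesLocalized.dll": _FAKE_PE + b"C" * 512,
    "SoftwareUpdateFiles.locale": _pseudo_random(4096),
}
LURE_NAME = "9_Programme_SOMCA-Japan_FINAL.docx~.exe"

if __name__ == "__main__":
    for finding in triage_drop(LURE_NAME, SAMPLE_DROP):
        print(finding)
```

The side-load heuristic deliberately does not try to verify Authenticode signatures (that needs the Windows API or a PKCS#7 parser); its point is that the executable being legitimately signed is exactly what makes the sibling DLLs worth a second look. The entropy check is a filter, not proof: compressed resources also score high, so a hit only tells you which blob to pull into a debugger next.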
This loading process matches APT32 activity previously reported by Insikt Group and AhnLab in connection with an APT32 sample referencing the 2020 ASEAN summit. Further analysis of these artifacts to identify the malware family is ongoing within Insikt Group; updates will be published as additional samples are analyzed.
Sample 2: A second sample, uploaded to a malware repository on October 22, 2020, uses this same loading process and communicates with one of the identified C2 domains, cloud.bussinesappinstant[.]com.
In this sample, the SFX file is called “9_Programme_SOMCA-Japan_FINAL.docx~.exe”, likely in reference to the ASEAN Senior Officials Meeting for Culture and Arts (SOMCA), indicating APT32’s continued interest in the targeting of ASEAN and other member states.
Decoy document utilized in this campaign shows a blank agenda for the “Seventh Meeting of the ASEAN Plus Japan Senior Officials on Culture and Arts.” (Source: Recorded Future)
This archive drops the same “SoftwareUpdateFilesLocalized.dll” seen in the previous sample. In addition to the TTP (tactics, techniques, and procedures) and infrastructure overlaps, the malicious DLLs linked to this latest sample share an identical Rich header and import hash (imphash) with historical APT32 samples.
Insikt Group identified further evidence of targeting of Cambodia through several IP addresses assigned to a Cambodian government organization regularly communicating with the APT32 C2 IP address 43.254.132[.]212.
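The two network indicators named on this page, the C2 IP address 43.254.132[.]212 and the domain cloud.bussinesappinstant[.]com, are what a defender would sweep proxy and flow records for, and the "regular communication" observation translates to looking at the spacing between hits per internal host. The block below is an added example, not Recorded Future's detection code: the log format is an assumed generic one and the log lines are constructed. It refangs the published indicators, matches them against each record, and reports the beacon interval per internal source.

```python
"""IOC sweep for the two network indicators on this page.

Added example (not the report's own tooling). The record format
"<ts> <src> -> <dst>:<port> host=<sni-or-dash>" is assumed, and the
log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

RAW_IOCS = ["43.254.132[.]212", "cloud.bussinesappinstant[.]com"]  # from the page, defanged

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+host=(?P<host>\S+)$")

# Constructed log excerpt: 10.10.4.21 beacons to the C2 IP with no SNI,
# 10.10.7.3 resolves the C2 domain, the rest is benign noise and one malformed line.
SAMPLE_LOG = """\
2020-10-23T08:14:02Z 10.10.4.21 -> 43.254.132.212:443 host=-
2020-10-23T08:14:05Z 10.10.4.21 -> 192.0.2.7:443 host=cloud.example.org
2020-10-23T08:19:31Z 10.10.4.21 -> 43.254.132.212:443 host=-
2020-10-23T09:02:11Z 10.10.7.3 -> 198.51.100.9:443 host=cloud.bussinesappinstant.com
2020-10-23T09:40:00Z 10.10.9.9 -> 203.0.113.5:80 host=www.asean.org
this line is not a flow record
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared literally."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(raw: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split indicators into IP addresses and domains; anything non-IP is a domain."""
    ips, domains = set(), set()
    for ioc in raw:
        value = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


def domain_matches(host: str, domains: Set[str]) -> bool:
    """Exact match or a subdomain of a listed domain; the parent zone does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(text: str, raw_iocs: List[str] = RAW_IOCS) -> Dict[str, List[Tuple[str, str]]]:
    """Map each internal source to its (timestamp, matched indicator) hits."""
    ips, domains = load_iocs(raw_iocs)
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated record
        if m["dst"] in ips:
            hits[m["src"]].append((m["ts"], m["dst"]))
        elif m["host"] != "-" and domain_matches(m["host"], domains):
            hits[m["src"]].append((m["ts"], m["host"]))
    return dict(hits)


def beacon_intervals(hits: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[int]]:
    """Seconds between consecutive hits per source; a tight spread suggests beaconing."""
    out = {}
    for src, events in hits.items():
        times = sorted(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") for ts, _ in events)
        out[src] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return out


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for src, events in found.items():
        print(src, events, "intervals:", beacon_intervals(found)[src])
```

Two records per host is of course not enough to call something periodic; on real data you would want dozens of hits and look at the variance of the intervals, not one value. Matching the destination IP regardless of SNI matters here because a TLS C2 channel may carry no hostname at all, as the first and third constructed lines show.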