[vc_row][vc_column][vc_column_text]APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. According to MITRE ATT&CK, the group has made extensive use of strategic web compromises to compromise victims. The group is believed to be Vietnam-based.
According to FireEye, cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully featured malware, in conjunction with commercially available tools, to conduct targeted operations that are aligned with Vietnamese state interests.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column css=".vc_custom_1585141101660{background-color: #000000 !important;}"][vc_column_text css=".vc_custom_1585140619464{background-color: #000000 !important;}"]<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="0911e54f-3eab-469d-9c22-3decf48232bc" last-modified="2020-03-17T17:49:39" xmlns="http://schemas.mandiant.com/2010/ioc">
<short_description>APT32 IOC</short_description>
<authored_by>Ali Amiri</authored_by>
<authored_date>2020-03-17T17:31:39</authored_date>
<links />
<definition>
<Indicator operator="OR" id="d6f61483-851c-4a18-904e-96b23472ba78">
<IndicatorItem id="17f7f047-07bb-4f9d-815c-607e9b529ee8" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">http://enum.arkoorr.com</Content>
</IndicatorItem>
<IndicatorItem id="8f4ea10e-8333-4f75-921d-7b63fb1b7a2b" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">http://worker.baraeme.com</Content>
</IndicatorItem>
<IndicatorItem id="bf9ce7f4-5f15-4e11-8f05-74dbc5aad6e5" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">http://plan.evillese.com</Content>
</IndicatorItem>
<IndicatorItem id="b8d58640-c7bb-4491-bc05-07aa0ca2b77e" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">http://background.ristians.com</Content>
</IndicatorItem>
<IndicatorItem id="2b95d208-aea6-4422-91f6-81f191dfc05c" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">http://thesurroundsound.com/async.php</Content>
</IndicatorItem>
<IndicatorItem id="c28676bc-7d85-4bb3-aa55-3308f291127a" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">demo.ipadinfo.org</Content>
</IndicatorItem>
<IndicatorItem id="7abd557c-8546-4a77-85d1-072cb74017e2" condition="is">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">82990e2c0432e579a00ab1f75da0dd65</Content>
</IndicatorItem>
<IndicatorItem id="a1809ef3-3db7-44d9-be2c-f67a6794a632" condition="contains">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">opengroup.homeunix.org</Content>
</IndicatorItem>
<IndicatorItem id="c26cf310-3a28-4027-a066-af74a8eb9d08" condition="is">
<Context document="FileItem" search="FileItem/Sha1sum" type="mir" />
<Content type="string">22199d61c0c76ddb15f1c71505bfebb8b3279872</Content>
</IndicatorItem>
<IndicatorItem id="99d6f94d-9898-4154-a6d7-963932285488" condition="is">
<Context document="FileItem" search="FileItem/Sha1sum" type="mir" />
<Content type="string">b10cf55ac9279d4d89602435a30b95c148a25d9f</Content>
</IndicatorItem>
<IndicatorItem id="315bba68-3bbf-45ff-9439-c5665e9f4975" condition="is">
<Context document="FileItem" search="FileItem/Sha1sum" type="mir" />
<Content type="string">1f195339d91880c804c6041ec119cab05cd7c666</Content>
</IndicatorItem>
<IndicatorItem id="78c8062c-34ef-401c-8938-b6a6f71e9f0b" condition="contains">
<Context document="Network" search="Network/DNS" type="mir" />
<Content type="string">thesurroundsound.com</Content>
</IndicatorItem>
<IndicatorItem id="b2f0a686-bde8-4a94-b1e1-a15068ddf813" condition="contains">
<Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
<Content type="IP">176.31.22.77</Content>
</IndicatorItem>
<IndicatorItem id="58d93c19-460a-4dc1-b971-6642ea3e4c60" condition="contains">
<Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
<Content type="IP">193.169.244.73</Content>
</IndicatorItem>
<IndicatorItem id="3634ddb6-1b90-473b-b1ca-af050d9ee73f" condition="contains">
<Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
<Content type="IP">146.0.43.107</Content>
</IndicatorItem>
<IndicatorItem id="1474bf4d-2205-4836-b826-ab570d923796" condition="contains">
<Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
<Content type="IP">179.43.146.203</Content>
</IndicatorItem>
<IndicatorItem id="d9fe80d2-be3e-4f78-a995-b2093bb2cab4" condition="contains">
<Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
<Content type="IP">191.101.22.4</Content>
</IndicatorItem>
<IndicatorItem id="4e2405d9-9840-4c17-9e05-0eabcb24204e" condition="contains">
<Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
<Content type="IP">164.132.45.67</Content>
</IndicatorItem>
<Indicator operator="OR" id="2a187509-7752-4ad2-a72c-c8857a7a43e7" />
</Indicator>
</definition>
</ioc>[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]
The block above is not a YARA rule: it is an OpenIOC 1.0 indicator document (schema http://schemas.mandiant.com/2010/ioc), so YARA will not load it. To use it, save the XML as a .ioc file and load it into a tool that consumes OpenIOC, such as Mandiant Redline, or feed the URIs, hostnames, hashes and IP addresses into your proxy, DNS, EDR and firewall searches. Two caveats apply. The IPv4 items are written as ArpEntryItem/IPv4Address terms, which only match entries in a host's ARP cache; the addresses are remote command-and-control servers, so they are far more likely to show up in outbound connection and firewall logs than in ARP tables. And indicators of this age should be re-validated before they are blocked, since domains and IP addresses are re-registered and reassigned over time. Copying the values also needs care: a stray leading space inside a Content element turns a `contains` term into one that never matches.
You can also check out our previous APT32 detection rule written in Sigma.
Secure Your Organization’s Mind with Securemind.se[/vc_column_text][/vc_column][/vc_row]