ATK17

Presumed Origin: Vietnam

Alias: APT-32, APT-C-00, APT 32, APT32, Cobalt Kitty, Ocean Buffalo, Ocean Lotus, OceanLotus, OceanLotus Group, POND LOACH, Sea Lotus, SeaLotus, SectorF01, TIN WOODLAWN

ATK17 (aka: APT32, SeaLotus, OceanLotus, APT-C-00) is a Vietnamese group that runs a nearly continuous espionage campaign against diverse but well-defined targets while maintaining a developed arsenal of tools. The group is known for the diversity of the lures it uses to reach its victims. ATK17 targets foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors, and there are indications that ATK17 actors also target peripheral network security and technology infrastructure corporations. In addition to this focused targeting of the private sector with ties to Vietnam, ATK17 has targeted foreign governments, as well as Vietnamese dissidents and journalists, since at least 2013. For instance, in 2017, the social engineering content of lures used by the actor indicated that they were likely aimed at members of the Vietnamese diaspora in Australia as well as government employees in the Philippines.

It is an active group with diverse tools for multiple platforms (Windows and MacOS). The group is dangerous because of its unusual adaptability even after being discovered, and it has used multiple CVEs to reach its goals.

Target sector

  • Communication
  • Defense
  • Education
  • Financial Services
  • Government and administration agencies
  • High-Tech
  • International Organizations
  • Legal Services
  • Manufacturing
  • Media
  • Military
  • Naval
  • Research
  • Transportation

Target countries

  • Australia
  • China
  • Germany
  • Philippines
  • United States Of America
  • Viet Nam

Attack pattern

  • T1001 - Data Obfuscation
  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1007 - System Service Discovery
  • T1008 - Fallback Channels
  • T1009 - Binary Padding
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1017 - Application Deployment Software
  • T1018 - Remote System Discovery
  • T1021 - Remote Services
  • T1022 - Data Encrypted
  • T1026 - Multiband Communication
  • T1027 - Obfuscated Files or Information
  • T1031 - Modify Existing Service
  • T1032 - Standard Cryptographic Protocol
  • T1033 - System Owner/User Discovery
  • T1035 - Service Execution
  • T1036 - Masquerading
  • T1038 - DLL Search Order Hijacking
  • T1040 - Network Sniffing
  • T1041 - Exfiltration Over Command and Control Channel
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1049 - System Network Connections Discovery
  • T1050 - New Service
  • T1053 - Scheduled Task
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1065 - Uncommonly Used Port
  • T1066 - Indicator Removal from Tools
  • T1068 - Exploitation for Privilege Escalation
  • T1069 - Permission Groups Discovery
  • T1070 - Indicator Removal on Host
  • T1071 - Standard Application Layer Protocol
  • T1073 - DLL Side-Loading
  • T1075 - Pass the Hash
  • T1076 - Remote Desktop Protocol
  • T1077 - Windows Admin Shares
  • T1078 - Valid Accounts
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1085 - Rundll32
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1088 - Bypass User Account Control
  • T1094 - Custom Command and Control Protocol
  • T1096 - NTFS File Attributes
  • T1097 - Pass the Ticket
  • T1099 - Timestomp
  • T1100 - Web Shell
  • T1102 - Web Service
  • T1104 - Multi-Stage Channels
  • T1105 - Remote File Copy
  • T1106 - Execution through API
  • T1107 - File Deletion
  • T1108 - Redundant Access
  • T1110 - Brute Force
  • T1112 - Modify Registry
  • T1113 - Screen Capture
  • T1117 - Regsvr32
  • T1119 - Automated Collection
  • T1122 - Component Object Model Hijacking
  • T1127 - Trusted Developer Utilities
  • T1129 - Execution through Module Load
  • T1132 - Data Encoding
  • T1133 - External Remote Services
  • T1137 - Office Application Startup
  • T1140 - Deobfuscate/Decode Files or Information
  • T1158 - Hidden Files and Directories
  • T1159 - Launch Agent
  • T1170 - Mshta
  • T1175 - Distributed Component Object Model
  • T1185 - Man in the Browser
  • T1189 - Drive-by Compromise
  • T1190 - Exploit Public-Facing Application
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1196 - Control Panel Items
  • T1201 - Password Policy Discovery
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1210 - Exploitation of Remote Services
  • T1216 - Signed Script Proxy Execution
  • T1221 - Template Injection
  • T1222 - File Permissions Modification
  • T1223 - Compiled HTML File
  • T1483 - Domain Generation Algorithms
  • T1493 - Transmitted Data Manipulation
  • T1497 - Virtualization/Sandbox Evasion
  • Thales 002 - OAuth abuse

Motivation

  • Espionage

Malwares

  • Custom ATK17 netcat
  • Denis
  • Goopy
  • Horsum
  • JEShell
  • KOMPROGO
  • METALJACK
  • MacOS Trojan
  • PHOREAL
  • ROLAND
  • Rizzo
  • SOUNDBITE
  • Unnamed Outlook Backdoor
  • WINDSHIELD
  • rastls

Vulnerabilities

  • CVE-2016-7255
  • CVE-2017-0144
  • CVE-2017-11882
  • CVE-2018-20250
  • CVE-2020-0688