Vietnamese state-backed hackers have been observed deploying cryptocurrency mining malware to monetize the networks of victim organizations they’re also spying on, according to Microsoft.
APT32 (aka OceanLotus, BISMUTH) has in the past been associated with sophisticated cyber-espionage campaigns aimed at targets as diverse as carmakers and local Chinese government departments.
However, from July to August 2020, the group deployed Monero coin miners in attacks targeting private and public sector organizations in France and Vietnam. Doing so may be part of a plan to generate extra revenue alongside such attacks, or an attempt to stay hidden, Microsoft claimed.
“The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” it said in a blog post.
“If we learned anything from ‘commodity’ banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively.”
Other tactics designed to “blend in” include the targeting of only one individual in an organization with spear-phishing; in some cases, the attackers even corresponded with their victims to encourage them to open the malicious attachment.
Another is the use of DLL side-loading via outdated applications including Microsoft Defender Antivirus.
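As an added illustration (not code from Microsoft's report or from the page), the side-loading pattern described above can be hunted for in image-load telemetry: a signed host executable that has been copied outside its install location and loads an unsigned DLL from its own directory. The records below are constructed, Sysmon-style image-load fields, and the choice of MsMpEng.exe (the Defender engine binary) as the abused host is an assumption for the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Directories where a Microsoft-signed host loading its own DLLs is expected (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style image-load records (Event ID 7 fields), not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe|ImageLoaded=C:\\Program Files\\Windows Defender\\MpSvc.dll|Signed=true|Signature=Microsoft Windows",
    "Image=C:\\Users\\Public\\Tools\\MsMpEng.exe|ImageLoaded=C:\\Users\\Public\\Tools\\MpSvc.dll|Signed=false|Signature=",
    "Image=C:\\Users\\Public\\Tools\\MsMpEng.exe|ImageLoaded=C:\\Windows\\System32\\ntdll.dll|Signed=true|Signature=Microsoft Windows",
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\rpcss.dll|Signed=true|Signature=Microsoft Windows",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a pipe-delimited key=value record into a field dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_sideload_candidate(ev: Dict[str, str]) -> bool:
    """Flag a load when the host runs outside trusted roots and pulls an
    unsigned DLL from its own directory (the classic side-loading shape)."""
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    untrusted_dir = not image.startswith(TRUSTED_ROOTS)
    unsigned = ev.get("Signed", "").lower() != "true"
    return same_dir and untrusted_dir and unsigned


def find_sideloads(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host executable, loaded DLL) pairs that match the pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload_candidate(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {host} loaded {dll}")
```

A relocated copy of a signed vendor binary is itself worth alerting on even before any DLL load, since legitimate installs do not run from user-writable paths.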
“Blending in was important for BISMUTH because the group spent long periods of time performing discovery on compromised networks until they could access and move laterally to high-value targets like servers, where they installed various tools to further propagate or perform more actions,” noted Microsoft.
“At this point in the attack, the group relied heavily on evasive PowerShell scripts, making their activities even more covert.”
Organizations faced with this threat group should focus on reducing the attack surface through user education, disabling macros, tuning email filters and other measures; improving credential hygiene through MFA; and containing attack sprawl with intrusion detection, firewalls and other tools.