TT Malware Log

A personal log of investigation, research and references on malware / cyber attacks / analysis techniques

APT32 (Summary)

Overview

【Key points】

◆A Vietnamese targeted-attack (APT) group

【Aliases】

Group name      Naming organization
APT32           FireEye
Ocean Lotus     CyberReason
Cobalt Kitty
APT-C-00
SeaLotus
Ocean Buffalo


【Malware used】

Malware name    Notes
SoundBite
KerrDown


【Reference entries】

◆Group: APT32, OceanLotus Group (ATT&CK)
https://attack.mitre.org/wiki/Group/G0050

◆APT32 (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/apt32

◆APT32 (FireEye)
https://www.fireeye.jp/current-threats/apt-groups.html#apt32

◆APT OceanLotus (APT-C-00) (SkyEye)
https://github.com/kbandla/APTnotes/blob/master/2015/OceanLotusReport.pdf

【News】

◆International hacker group "OcianLotus" targeting Chinese government maritime agencies comes to light (Internet Watch, 2015/06/19 06:00)
http://internet.watch.impress.co.jp/docs/column/m_china/20150619_707728.html
http://malware-log.hatenablog.com/entry/2015/06/19/000000_1

◆Vietnam's APT32 Marks a New Chapter in Cyber-espionage (infosecurity, 2017/05/15)
https://www.infosecurity-magazine.com/news/vietnams-apt32-marks-a-new-chapter/
http://malware-log.hatenablog.com/entry/2017/05/15/000000_17

◆The unexpected impact ransomware has had on companies (ZDNet, 2017/05/18 07:00)
https://japan.zdnet.com/article/35101310/
http://malware-log.hatenablog.com/entry/2017/05/18/000000_13
◆Ocean Lotus Group/APT 32 identified as Vietnamese APT group (SCMedia, 2017/05/23)
https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/
http://malware-log.hatenablog.com/entry/2017/05/23/000000_9

◆AN UP-CLOSE VIEW OF THE NOTORIOUS APT32 HACKING GROUP IN ACTION (WIRED, 2017/05/24)
https://www.wired.com/2017/05/close-look-notorious-apt32-hacking-group-action/
http://malware-log.hatenablog.com/entry/2017/05/24/000000_6

◆Trojan malware "OceanLotus" targeting not only Windows but also Mac is spreading; mainly Chinese government agencies infected? (AAPL Ch., 2017/06/25)
https://applech2.com/archives/44993666.html
http://malware-log.hatenablog.com/entry/2017/06/25/000000

◆Is the Vietnamese government behind it!? The covert activities of hacker group "APT32" (THE ZERO/ONE, 2018/01/15 08:10)
https://the01.jp/p0006390/
http://malware-log.hatenablog.com/entry/2018/01/15/000000_1

◆OceanLotus ATP group uses new Kerrdown downloader to deliver payloads (SCmagazine, 2019/02/01)
https://www.scmagazine.com/home/security-news/oceanlotus-atp-group-uses-new-kerrdown-downloader-to-deliver-payloads/
https://malware-log.hatenablog.com/entry/2019/02/01/000000_9

◆Word-based Malware Attack (CyStack, 2019/02/02)
https://blog.cystack.net/word-based-malware-attack/
https://malware-log.hatenablog.com/entry/2019/02/02/000000

◆Unauthorized access at a Toyota sales subsidiary; up to 3.1 million customer records may have leaked (ITmedia, 2019/03/29 18:40)
https://www.itmedia.co.jp/news/articles/1903/29/news133.html
https://malware-log.hatenablog.com/entry/2019/03/29/000000_3

◆Toyota: 3.1 million customer records possibly leaked; unauthorized access at a Tokyo sales company (Sankei Shimbun, 2019/03/29 20:52)
https://www.sankei.com/affairs/news/190329/afr1903290017-n1.html
https://malware-log.hatenablog.com/entry/2019/03/29/000000_3

◆Toyota announces second security breach in the last five weeks (ZDNet, 2019/03/29 12:37)

Toyota Japan says hackers might have stolen details of 3.1 million Toyota and Lexus car owners.

https://www.zdnet.com/article/toyota-announces-second-security-breach-in-the-last-five-weeks/
https://malware-log.hatenablog.com/entry/2019/03/29/000000_19

◆Toyota data breach affects up to 3.1 million customers (CyberScoop, 2019/03/30)
https://www.cyberscoop.com/toyota-data-breach-japan-vietnam/
https://malware-log.hatenablog.com/entry/2019/03/29/000000_20

◆OceanLotus APT Uses Steganography to Load Backdoors (BleepingComputer, 2019/04/02 13:55)
https://www.bleepingcomputer.com/news/security/oceanlotus-apt-uses-steganography-to-load-backdoors/
https://malware-log.hatenablog.com/entry/2019/04/02/000000_9

◆Macnica Networks publishes the attack techniques of OceanLotus (APT32), a targeted attack aimed at the automotive industry (Enterprise Zine, 2019/04/25 15:00)
https://enterprisezine.jp/article/detail/11988
http://malware-log.hatenablog.com/entry/2019/04/25/000000_2

◆Résumés sent to a company's general contact address: APT group "OceanLotus" may have attacked the Southeast Asian sites of Japanese automakers (Macnica Networks) (NetSecurity, 2019/04/26 08:00)

Macnica Networks has published the white paper "OceanLotus: Attacks on the Southeast Asian Automotive Industry"

https://scan.netsecurity.ne.jp/article/2019/04/26/42274.html
https://malware-log.hatenablog.com/entry/2019/04/26/000000_11


【Blogs】

◆SkyEye Lab: OceanLotus (Hailianhua) APT report summary (Qihoo 360, 2015/05/29)
http://blogs.360.cn/blog/oceanlotus-apt/
http://malware-log.hatenablog.com/entry/2015/06/19/000000_1

◆Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations (FireEye, 2017/05/14)
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
http://malware-log.hatenablog.com/entry/2017/05/14/000000_8

◆OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP (CyberReason, 2017/05/24)
https://www.cybereason.com/blog/operation-cobalt-kitty-apt
http://malware-log.hatenablog.com/entry/2017/05/24/000000_8

◆Tracking OceanLotus’ new Downloader, KerrDown (Unit42, 2019/02/01 06:00)
https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
https://malware-log.hatenablog.com/entry/2019/02/01/000000_8

◆Tracking OceanLotus' new downloader KerrDown (Paloalto, 2019/02/06 01:00)
https://www.paloaltonetworks.jp/company/in-the-news/2019/tracking-oceanlotus-new-downloader-kerrdown
http://malware-log.hatenablog.com/entry/2019/02/06/000000_7


【Published information】

◆OPERATION LOTUSBLOSSOM (UNIT42)
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/operation-lotus-blossom/unit42-operation-lotus-blossom.pdf
http://malware-log.hatenablog.com/entry/2017/10/08/000000

◆New attacks by APT attacker group menuPass (APT10) confirmed (LAC, 2018/05/21)
https://www.lac.co.jp/lacwatch/people/20180521_001638.html
http://malware-log.hatenablog.com/entry/2018/05/21/000000_4

◆Operation OceanLotus KerrDown (McAfee, 2019/02/20)
https://www.mcafee.com/enterprise/ja-jp/threat-center/threat-landscape-dashboard/campaigns-details.operation-oceanlotus-kerrdown.html
https://malware-log.hatenablog.com/entry/2019/02/20/000000_10

◆Notice regarding the possible leak of customer information at our Tokyo-area dealerships (TOYOTA, 2019/03/29)
https://global.toyota/jp/newsroom/corporate/27465617.html
https://malware-log.hatenablog.com/entry/2019/03/29/000000_3


【Documents】

◆OceanLotus: Attacks on the Southeast Asian Automotive Industry (Macnica, 2019/04/25)
https://www.macnica.net/file/mpression_automobile.pdf
http://malware-log.hatenablog.com/entry/2019/04/25/180402


【Figures】

[Figure: image not included in this text]
Source: https://www.bleepingcomputer.com/news/security/oceanlotus-apt-uses-steganography-to-load-backdoors/



【Related summary articles】

Overall summaries
 ◆Attack groups / Actor (Summary)

◆Targeted-attack groups / APT (Summary)
https://malware-log.hatenablog.com/entry/APT

◆KerrDown (Summary)
http://malware-log.hatenablog.com/entry/KerrDown


【Indicator information】

■Hashes (MD5)

7e68371ba3a988ff88e0fb54e2507f0d
0529b1d393f405bc2b2b33709dd57153
9fea62c042a8eda1d3f5ae54bad1e959
486bb089b22998ec2560afa59008eafa
b778d0de33b66ffdaaf76ba01e7c5b7b
53e5718adf6f5feb2e3bb3396a229ba8
d39edc7922054a0f14a5b000a28e3329
41bced8c65c5822d43cadad7d1dc49fd


■Hashes (SHA256) - KerrDown -

89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3


■Hashes (SHA256)

824a5d74bf78481fe935670bf1ea3797ebc210181e6ffe0ee5854d61cf59b2a1
847d0fa2e12a1d0f1a68abad269b5e0aebc2bd904bb695067af08703982ae929
8526f10b50ec4deb70e7da7a4e693ed04e6a8e332f891c8a84e3783aaad13ad9
53efaac9244c24fab58216a907783748d48cb32dbdc2f1f6fb672bd49f12be4c
358df9aba78cf53e38c2a03c213c31ba8735e3936f9ac2c4a05cfb92ec1b2396


■URL

background.ristians[.]com:8888
enum.arkoorr[.]com:8531
worker.baraeme[.]com:8888
enum.arkoorr[.]com:8888
worker.baraeme[.]com:8531
plan.evillese[.]com:8531
background.ristians[.]com:8531
plan.evillese[.]com:8888
hxxps://outlook.updateoffices[.]net/vean32.png


■FQDN

pad.werzo.net
shop.ownpro.net
ssl.sfashi.com
kiifd.pozon7.net
cdn.libjs.co
sin04s01.listpaz.com
high.expbas.net
img.fanspeed.net
active.soariz.com
zone.mizove.com
dc.jaomao69.info
cdn.jaomao69.info
download.mail-attach.net
cnf.flashads.org
cn.flashads.org
cv.flashads.org
cp.flashads.org
fpdownload.shockwave.flashads.org
authen.mail.hairunaw.com.l.main.userapp.org
jsquery.net
gs.kroger7.net
autoupdate.adobe.com

■FQDN

microsoftclick[.]com
namshionline[.]com


■IP addresses

62.113.238.135
64.62.174.176
91.229.77.179
128.127.106.243
146.0.43.107
167.114.184.117
173.208.157.117
176.31.22.77
185.29.8.39
192.187.120.45
193.169.244.73


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019