SOC Prime Bias: Critical

22 Jun 2026 19:48 UTC

OceanLotus (APT32) Explained: Tactics, Malware and TTPs

SOC Prime Team
Summary

OceanLotus, also known as APT32, is a highly capable cyber-espionage group aligned with Vietnamese state interests and active since at least 2014. The group targets government, media and private-sector organizations across Southeast Asia using custom malware toolsets and advanced operational tradecraft. Its intrusion methods include spearphishing, supply chain compromise and DLL side-loading to maintain long-term access to victim environments.

Research

The report describes operations ranging from industrial espionage against automotive companies to the more recent supply chain activity involving the FireAnt MetaKit platform. It also examines malware families such as SPECTRALVIPER and ZiChatBot, including how they are delivered and used on both Windows and macOS systems.

Mitigation

Organizations should enforce integrity checks on software updates to reduce exposure to supply chain attacks, and deploy strong endpoint detection to uncover DLL side-loading activity. Monitoring for unauthorized scheduled tasks, cron jobs and suspicious registry changes is also essential. Strict email filtering and user awareness training can further reduce the risk of initial compromise via spearphishing.

Response

If OceanLotus activity is detected, immediately isolate the affected systems to limit lateral movement and data theft. Perform in-depth forensic analysis of suspicious processes such as OneDrive.Sync.Service.exe and of unexpected launch agents on macOS. Compromised credentials must be revoked, and cloud storage platforms such as Dropbox and Google Drive should be reviewed for signs of unauthorized staging or exfiltration.

Attack Flow

```mermaid
graph TB
    %% Class Definitions Section
    classDef recon fill:#e1f5fe
    classDef resource fill:#fff9c4
    classDef access fill:#ffccbc
    classDef execution fill:#d1c4e9
    classDef persistence fill:#c8e6c9
    classDef escalation fill:#f8bbd0
    classDef stealth fill:#cfd8dc
    classDef discovery fill:#b2dfdb
    classDef command_control fill:#ffecb3
    classDef exfiltration fill:#d7ccc8

    %% Reconnaissance Section
    recon_track["<b>Action</b> – <b>T1598: Phishing for Information</b><br/>Gathering victim identity and email addresses via tracking links."]
    class recon_track recon
    recon_profile["<b>Action</b> – <b>T1592: Gather Victim Host Information</b><br/>Browser and OS profiling using web-profiling frameworks on fake news sites."]
    class recon_profile recon

    %% Resource Development Section
    res_dev_infra["<b>Action</b> – <b>T1583: Acquire Infrastructure</b><br/>Registering look-alike domains and abusing web services like Dropbox, Amazon S3, and Google Drive."]
    class res_dev_infra resource
    res_dev_malware["<b>Malware Suite</b><br/>Custom malware suite including WINDSHIELD, KOMPROGO, SOUNDBITE, PHOREAL, and SPECTRALVIPER."]
    class res_dev_malware resource

    %% Initial Access Section
    acc_supply["<b>Action</b> – <b>T1195: Supply Chain Compromise</b><br/>Malicious PyPI wheel packages and compromising FireAnt MetaKit update servers."]
    class acc_supply access
    acc_spear["<b>Action</b> – <b>T1566.001: Spearphishing Attachment</b><br/>Weaponized Office documents sent via email."]
    class acc_spear access
    acc_driveby["<b>Action</b> – <b>T1189: Drive-by Compromise</b><br/>Use of fake news sites to deliver payloads."]
    class acc_driveby access

    %% Execution Section
    exec_macro["<b>Action</b> – <b>T1059.005: Command and Scripting Interpreter: Visual Basic</b><br/>VBA macros in Office documents."]
    class exec_macro execution
    exec_python["<b>Action</b> – <b>T1059.006: Command and Scripting Interpreter: Python</b><br/>Execution via malicious PyPI wheel packages."]
    class exec_python execution
    exec_perl["<b>Action</b> – <b>T1059: Command and Scripting Interpreter</b><br/>Perl scripts utilized on macOS."]
    class exec_perl execution

    %% Persistence Section
    pers_task["<b>Action</b> – <b>T1053: Scheduled Task/Job</b><br/>Cron jobs on Linux and Windows Scheduled Tasks."]
    class pers_task persistence
    pers_macos["<b>Action</b> – <b>T1543: Create or Modify System Process</b><br/>Modifying macOS LaunchAgents and LaunchDaemons."]
    class pers_macos persistence
    pers_registry["<b>Action</b> – <b>T1547.001: Registry Run Keys / Startup Folder</b><br/>Utilizing registry run keys for persistence."]
    class pers_registry persistence
    pers_sideloader["<b>Action</b> – <b>T1574.002: Hijack Execution Flow: DLL Side-Loading</b><br/>Hijacking execution flow to maintain presence."]
    class pers_sideloader persistence

    %% Privilege Escalation Section
    esc_token["<b>Action</b> – <b>T1134: Access Token Manipulation</b><br/>Token impersonation and theft to elevate privileges."]
    class esc_token escalation

    %% Stealth Section
    stealth_obf["<b>Action</b> – <b>T1027: Obfuscated Files or Information</b><br/>Heavy obfuscation of files and information."]
    class stealth_obf stealth
    stealth_masq["<b>Action</b> – <b>T1036: Masquerading</b><br/>Matching filenames and locations to appear as legitimate resources."]
    class stealth_masq stealth
    stealth_inject["<b>Action</b> – <b>T1055: Process Injection</b><br/>Hiding within trusted processes like OneDrive."]
    class stealth_inject stealth
    stealth_remov["<b>Action</b> – <b>T1070: Indicator Removal On Host</b><br/>File deletion and timestomping."]
    class stealth_remov stealth

    %% Discovery Section
    disc_sysinfo["<b>Action</b> – <b>T1082: System Information Discovery</b><br/>Collecting hardware details including serial numbers and UUIDs and OS versions."]
    class disc_sysinfo discovery

    %% Command and Control Section
    c2_web["<b>Action</b> – <b>T1071.001: Application Layer Protocol: Web Protocols</b><br/>Resilient C2 channels using HTTPS."]
    class c2_web command_control
    c2_nonapp["<b>Action</b> – <b>T1095: Non-Application Layer Protocol</b><br/>Communication via TCP and ICMP."]
    class c2_nonapp command_control
    c2_web_svc["<b>Action</b> – <b>T1102: Web Service</b><br/>Bidirectional communication via Zulip and other web services."]
    class c2_web_svc command_control

    %% Exfiltration Section
    exfil_data["<b>Action</b> – <b>T1041: Exfiltration Over C2 Channel</b><br/>Collected data is exfiltrated over established C2 channels."]
    class exfil_data exfiltration

    %% Connections Section
    %% Recon leads to Resource Development
    recon_track -->|leads_to| res_dev_infra
    recon_profile -->|leads_to| res_dev_infra
    %% Resource Development leads to Initial Access
    res_dev_infra -->|supports| acc_supply
    res_dev_infra -->|supports| acc_spear
    res_dev_infra -->|supports| acc_driveby
    res_dev_malware -->|used_in| acc_supply
    res_dev_malware -->|used_in| acc_spear
    %% Initial Access leads to Execution
    acc_supply -->|triggers| exec_python
    acc_spear -->|triggers| exec_macro
    acc_driveby -->|triggers| exec_perl
    %% Execution leads to Persistence
    exec_macro -->|enables| pers_task
    exec_python -->|enables| pers_registry
    exec_perl -->|enables| pers_macos
    exec_macro -->|enables| pers_sideloader
    %% Persistence leads to Privilege Escalation
    pers_task -->|allows| esc_token
    pers_registry -->|allows| esc_token
    %% Privilege Escalation leads to Stealth and Discovery
    esc_token -->|facilitates| stealth_inject
    esc_token -->|facilitates| stealth_obf
    %% Stealth and Discovery lead to C2
    stealth_inject -->|hides| c2_web
    stealth_obf -->|hides| c2_nonapp
    disc_sysinfo -->|identifies_targets_for| c2_web_svc
    %% C2 leads to Exfiltration
    c2_web -->|transports| exfil_data
    c2_nonapp -->|transports| exfil_data
    c2_web_svc -->|transports| exfil_data
```

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has gained initial access to the workstation. To avoid detection by the existing EDR, they attempt to use the Invoke-Obfuscation framework to mask their subsequent discovery commands. They download the framework (simulated here by direct command invocation) and attempt to run a command that triggers the specific detection rule by including the string Invoke-Obfuscation in the process command line.

  • Regression Test Script:

```powershell
# This script simulates the invocation of the Invoke-Obfuscation tool
# to trigger the 'CommandLine|contains: Invoke-Obfuscation' detection rule.

Write-Host "[+] Starting Simulation: Triggering OceanLotus Detection Rule"

# Simulating the execution of a command that contains the target string.
# In a real scenario, this would be the actual module being called.
# Invoke-Obfuscation is not installed on the test host, so the child
# PowerShell process exits with a "not recognized" error; the process
# creation event carrying the matching command line is still generated.
Start-Process powershell.exe -ArgumentList "-Command `"Invoke-Obfuscation -Command {Get-Process}`""

Write-Host "[+] Simulation command sent. Check SIEM for 'Detection of OceanLotus PowerShell Script Obfuscation'."
```
  • Cleanup Commands:

```powershell
# No persistent changes were made by the simulation script.
# To clean up any temporary files if they were created
# (the path needs the separator before the wildcard to match TEMP's contents):
Remove-Item -Path "$env:TEMP\*" -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup complete."
```
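As an added example (not code from the SOC Prime page), the rule condition the regression script targets, `CommandLine|contains: Invoke-Obfuscation`, evaluated over constructed process-creation events; the event shape, the sample command lines and the tighter PowerShell-host variant are assumptions, not part of the page's rule.

```python
"""Evaluate the page's rule condition `CommandLine|contains: Invoke-Obfuscation`
over constructed process-creation events (assumed Sysmon EventID 1 shape)."""
from dataclasses import dataclass

RULE_TITLE = "Detection of OceanLotus PowerShell Script Obfuscation"  # from the page
NEEDLE = "Invoke-Obfuscation"  # the `contains` value from the page's rule

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line as logged

# Constructed sample telemetry, not real logs. Event 0 is what the page's
# Start-Process line produces; event 3 is a non-PowerShell false positive.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Invoke-Obfuscation -Command {Get-Process}"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"pwsh.exe -c invoke-obfuscation -ScriptPath .\report.ps1"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcessEvent(r"C:\Program Files\Notepad++\notepad++.exe",
                 r"notepad++.exe C:\Users\alice\Invoke-Obfuscation-notes.txt"),
]

def matches_rule(ev: ProcessEvent) -> bool:
    """The page's rule as written. Sigma's `contains` is case-insensitive,
    so normalise both sides; a plain `in` would miss event 1."""
    return NEEDLE.lower() in ev.command_line.lower()

# Assumed tightening, not the page's rule: require a PowerShell host image so
# an editor opening a file with that name does not fire the alert.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

def matches_rule_scoped(ev: ProcessEvent) -> bool:
    return matches_rule(ev) and ev.image.lower().endswith(POWERSHELL_IMAGES)

def run_rule(events, scoped=False):
    """Return (rule title, command line) for each event that fires."""
    check = matches_rule_scoped if scoped else matches_rule
    return [(RULE_TITLE, ev.command_line) for ev in events if check(ev)]

if __name__ == "__main__":
    for title, cmd in run_rule(SAMPLE_EVENTS, scoped=True):
        print(f"[ALERT] {title}: {cmd}")
```

Running the bare rule over the sample set fires three times, including on the text editor event; the scoped variant fires only on the two PowerShell hosts.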