Pulse Report: New APT32 Malware Campaign Targets Cambodian Government
Common Information
Type | Value |
---|---|
UUID | 3da38eca-c2c6-468f-ac4e-12ecc0d063ec |
Fingerprint | ea658b67fcea37ec5763e4868757c43bcacbe38ee7aded3293bf755074b45f4f |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Nov. 9, 2020, 12:24 p.m. |
Added to db | March 10, 2024, 1 a.m. |
Last updated | Aug. 30, 2024, 10:28 p.m. |
Headline | Pulse Report: New APT32 Malware Campaign Targets Cambodian Government |
Title | Pulse Report: New APT32 Malware Campaign Targets Cambodian Government |
Detected Hints/Tags/Attributes | 50/2/17 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 546 | | www.recordedfuture.com |
Details | Domain | 2 | | cloud.bussinesappinstant.com |
Details | Domain | 1 | | bussinesappinstant.com |
Details | Domain | 1 | | insappstaticanalyze.com |
Details | File | 2 | | cambodia.docx |
Details | File | 8 | | softwareupdate.exe |
Details | File | 2 | | softwareupdatefiles.dll |
Details | File | 3 | | softwareupdatefileslocalized.dll |
Details | File | 2 | | 9_programme_somca-japan_final.docx |
Details | File | 1 | | rich_signature.key |
Details | md5 | 1 | | 3937374c70baa93e1fd75d8e894faf94 |
Details | sha256 | 1 | | d873bdb08c45378650761bad71df7418c7b542adb13ccd4a87df2001801f4808 |
Details | sha256 | 1 | | 75c61d9d8da4a87882ccdd37b664953c10a186b5545c5152fd1b6bf788a1a846 |
Details | IPv4 | 2 | | 43.254.132.212 |
Details | IPv4 | 1 | | 43.254.132.117 |
Details | Threat Actor Identifier - APT | 132 | | APT32 |
Details | Yara rule | 1 | | APT_VN_APT32_DLLSideloading_Oct2020 (full rule text below) |

```yara
import "pe"

rule APT_VN_APT32_DLLSideloading_Oct2020
{
    meta:
        description = "Track DLL Sideloading Technique Used by APT32/OceanLotus in October 2020"
        author = "Insikt Group, Recorded Future"
        hash1 = "d873bdb08c45378650761bad71df7418c7b542adb13ccd4a87df2001801f4808"
        hash2 = "75c61d9d8da4a87882ccdd37b664953c10a186b5545c5152fd1b6bf788a1a846"
        date = "2020-10-22"

    strings:
        $s1 = "SoftwareUpdateFilesLocalized.dll"
        $s2 = "SoftwareUpdateFiles.locale" wide
        $s3 = "This indicates a bug in your application."

    condition:
        uint16(0) == 0x5a4d and filesize < 60KB and
        (
            (all of them and pe.timestamp == 4294967295000) or
            pe.imphash() == "3937374c70baa93e1fd75d8e894faf94" or
            pe.rich_signature.key == 0x6597ead6
        )
}
```