Mandiant cybersecurity experts: The APT (aka UNC2452) also shows two distinct clusters of activity, UNC3004 and UNC2652.
FireEye: Vietnam’s APT32, aka Ocean Lotus, tried to collect intelligence on the Chinese COVID-19 response with a spear-phishing campaign
Vietnam’s APT32 (aka Ocean Lotus) group is targeting the Wuhan government and the Chinese Ministry of Emergency Management to steal information about the coronavirus crisis. The activity was discovered by FireEye cyber security experts. From at least January to April 2020, the state-sponsored hackers carried out intrusion campaigns to collect intelligence on the COVID-19 emergency and response. The threat actor sent spear-phishing emails carrying METALJACK malware to gain access to the victim’s computer. The lures relate to pandemic updates, and decoy documents hide the malicious code. Moreover, shellcode performs a system survey to collect the victim’s computer name and username. It then appends those values to a URL string and attempts to call out to that URL. If the operation is successful, it loads the payload into memory.
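The call-out described above puts the victim's computer name and username into a URL, which is something a web proxy can hunt for. The following is an added detection sketch, not code from FireEye or from this article: the log format, host names, user names and domains are constructed, and it assumes the values appear in the URL in plain or percent-encoded form, which the article does not specify.

```python
import re
from urllib.parse import unquote

# Constructed proxy log lines: "<client_host> <user> <method> <url>"
SAMPLE_LOG = """\
WS-FIN-017 alice GET http://updates.example.com/check?v=3
WS-FIN-017 alice GET http://cdn.example.net/a.png?h=WS-FIN-017&u=alice
WS-HR-002 bob GET http://portal.example.org/home/bob
WS-HR-002 bob GET http://files.example.net/get?id=ws-hr-002%5Cbob
"""

def _contains_token(haystack, token):
    # Match the token only when it is not part of a longer alphanumeric run,
    # so user "bob" does not match inside "bobsled".
    pattern = r"(?<![a-z0-9])" + re.escape(token) + r"(?![a-z0-9])"
    return re.search(pattern, haystack) is not None

def find_survey_beacons(log_text, min_len=3):
    """Return (host, user, url) for requests whose path or query carries
    BOTH the requesting machine's name and the logged-on username."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        host, user, _method, url = parts
        if len(host) < min_len or len(user) < min_len:
            continue  # very short names match too much to be useful
        # Drop scheme and authority: an internal site's own domain may
        # legitimately contain a host name.
        target = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", url, flags=re.I)
        decoded = unquote(target).lower()
        if _contains_token(decoded, host.lower()) and \
           _contains_token(decoded, user.lower()):
            hits.append((host, user, url))
    return hits

if __name__ == "__main__":
    for host, user, url in find_survey_beacons(SAMPLE_LOG):
        print(f"review: {host} ({user}) -> {url}")
```

Requiring both values cuts the noise from pages that only embed a username, such as the `/home/bob` request in the sample; hits are leads for review, since some legitimate agents also report host and user.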