A Vietnam-linked threat actor has been observed deploying cryptocurrency-mining malware alongside its cyber-espionage tools to blend in and monetize compromised networks, Microsoft revealed.
The hacker group, tracked by Microsoft as Bismuth and more commonly known as OceanLotus or APT32, has been active since at least 2012, targeting large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations with complex cyberattacks. Over the summer, however, Bismuth changed its tactics and began deploying cryptominers in compromised networks.
“The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re “commodity” malware. If we learned anything from “commodity” banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively,” Microsoft said.
In recent attacks the threat actor gained initial access to the victim’s network using tailored spear phishing emails sent from a Gmail account that appears to have been made specifically for this campaign. It appears the hackers conducted reconnaissance using publicly available sources and chose individual targets based on their job function.
The spear phishing email contained a malicious MS Word document, which, when opened, dropped MpSvc.dll (a malicious DLL masquerading as a legitimate Microsoft Defender Antivirus DLL) and a copy of MsMpEng.exe (the legitimate Microsoft Defender Antivirus executable) in the hidden ProgramData folder.
“The malicious document then added a scheduled task that launched the MsMpEng.exe copy and sideloaded the malicious MpSvc.dll. Because the latest versions of Microsoft Defender Antivirus are no longer susceptible to DLL sideloading, BISMUTH used an older copy to load the malicious DLL and establish a persistent command-and-control (C2) channel to the compromised device and consequently the network,” Microsoft explained.
Upon establishing the C2 channel, several files were dropped for the next stages of the attack, including a .7z archive, a copy of Word 2007, and another DLL, wwlib.dll.
To deploy cryptomining malware, the group first dropped a .dat file and loaded it using rundll32.exe, which in turn downloaded a copy of the 7-Zip tool named 7za.exe and a ZIP file. 7-Zip was then used to extract a Monero coin miner from the ZIP file. The hackers then registered the miner as a service named after a common virtual machine process. Each coin miner they deployed had a unique wallet address; combined, the wallets earned over a thousand U.S. dollars during the attacks.
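The intrusion chain above (a Defender copy and MpSvc.dll in ProgramData, rundll32.exe loading a .dat file, 7za.exe spawned from it, and a miner service with a VM-like name) maps to a handful of hunt rules. The following is an added example, not code from Microsoft's report: it runs those rules over constructed sample telemetry; the event schema, the legitimate Defender directories and the list of VM process names are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "process", "imageload" or "service"
    image: str           # process image, loaded DLL, or service binary path
    parent: str = ""     # parent process image (process events)
    cmdline: str = ""    # command line (process events)
    name: str = ""       # service name (service events)

# Assumed locations where Defender binaries legitimately live; a copy elsewhere is suspect.
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")
# Assumed VM process names an attacker might imitate (the report does not name the one used).
VM_NAMES = ("vmtools", "vmware", "vbox", "vgauth")

def hunt(events):
    """Return (rule, event) pairs for events matching the BISMUTH patterns described above."""
    hits = []
    for e in events:
        img, parent, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
        in_defender_dir = img.startswith(DEFENDER_DIRS)
        if e.kind == "process" and img.endswith("\\msmpeng.exe") and not in_defender_dir:
            hits.append(("defender_copy_outside_install_dir", e))
        elif e.kind == "imageload" and img.endswith("\\mpsvc.dll") and not in_defender_dir:
            hits.append(("mpsvc_dll_sideloaded", e))
        elif e.kind == "process" and img.endswith("\\rundll32.exe") and re.search(r"\.dat\b", cmd):
            hits.append(("rundll32_loads_dat", e))
        elif e.kind == "process" and img.endswith("\\7za.exe") and parent.endswith("\\rundll32.exe"):
            hits.append(("7zip_spawned_by_rundll32", e))
        elif (e.kind == "service" and any(v in e.name.lower() for v in VM_NAMES)
              and "\\vmware\\" not in img and "\\oracle\\" not in img):
            hits.append(("vm_named_service_unexpected_path", e))
    return hits

# Constructed sample telemetry mirroring the intrusion chain (not real data).
SAMPLE = [
    Event("process", r"C:\Program Files\Windows Defender\MsMpEng.exe"),          # legitimate
    Event("process", r"C:\ProgramData\MsMpEng.exe", parent=r"C:\Windows\System32\svchost.exe"),
    Event("imageload", r"C:\ProgramData\MpSvc.dll"),
    Event("process", r"C:\Windows\System32\rundll32.exe", cmdline=r"rundll32.exe C:\ProgramData\update.dat,Start"),
    Event("process", r"C:\ProgramData\7za.exe", parent=r"C:\Windows\System32\rundll32.exe", cmdline="7za.exe x miner.zip"),
    Event("service", r"C:\ProgramData\svc\vmtoolsd.exe", name="VMTools"),
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE):
        print(f"{rule}: {ev.image}")
```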
“Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency,” Microsoft said. “Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks.”