CTI-course-2023-2024-Chapter-7-solution

The document outlines the activities of the Vietnam-linked Bismuth APT group, detailing their use of coin miner techniques for cyber espionage since 2013. It maps their attack techniques to the cyber kill chain, highlighting methods such as DLL side-loading, spear-phishing, and credential theft. Key takeaways emphasize the complexity of attack narratives and the importance of understanding the relationships between different stages of the kill chain.


Use Case: Vietnam-linked BISMUTH APT leveraging coin miners

Objectives:
Map an attack technique with the cyber kill chain steps based on report (Threat bulletin)

The analyzed report: "Threat actor leverages coin miner techniques to stay under the radar" by the Microsoft 365 Defender Threat Intelligence Team

Link to the report: https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/

The report explains recent activity by the threat actor "Bismuth" spotted by the Microsoft Threat Intelligence team.

Threat Actor profile:

Aliases: Bismuth group

Bismuth is often associated with APT32, a.k.a. OceanLotus, APT-C-00, SeaLotus, Cobalt Kitty, Ocean Buffalo, POND LOACH or TIN WOODLAWN

Origins: Vietnam

Targets:

• In addition to focused targeting of the private sector with ties to Vietnam, the group has also targeted foreign governments, as well as Vietnamese dissidents and journalists, since at least 2013. (Source: FireEye)

Motivations: Cyber Espionage

First seen: 2013

Interesting reports and articles:

• https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
• https://www.cybereason.com/blog/operation-cobalt-kitty-apt
• https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
• https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
• https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
• https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
• https://www.recordedfuture.com/apt32-malware-campaign/

Based on the Microsoft report, we can extract the following cyber kill chains:

Cyber Kill Chain dedicated to the initial foothold:

Reconnaissance
- Identify specific recipients per target organization
- In some instances, the group even corresponded with the targets, building trust bonds

Weaponization
- Heavy use of DLL side-loading (replacing legitimate DLLs with malicious ones, so that the malicious DLLs are loaded when the associated application is run) to weaponize legitimate applications like Microsoft Defender Antivirus, the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft Word 2007.

Delivery
- Spear-phishing from a Gmail account with tailored subject lines and lure themes that appear to have been made specifically for this campaign.

Exploitation
- Targets are convinced to open the malicious document attachment and inadvertently launch the payload.

Installation
- The malicious .doc file drops several files in the hidden ProgramData folder: (1) MpSvc.dll, a malicious DLL with the same name as a legitimate Microsoft Defender Antivirus DLL, and (2) a copy of MsMpEng.exe, the legitimate Microsoft Defender Antivirus executable.
- Persistence: the malicious document adds a scheduled task that launches the MsMpEng.exe copy, which sideloads the malicious MpSvc.dll.

Command and Control
- The malicious DLL establishes a persistent command-and-control (C2) channel to the compromised device and consequently to the network.

Actions on objectives
- Using the newly established channel, the group dropped several files for the next stages of the attack.

Cyber Kill Chain associated with the threat actor's activities once they set a foothold in the network:

Reconnaissance
- The group scans an IP address range within the organization using NbtScan.exe
- Following the network scan, the Word 2007 process launches a malicious script using rundll32.exe, resulting in a scan on common ports, including 21, 22, 389, 139, and 1433.
- The group gathers information about domain and local administrators, checks whether users have local administrative privileges, and collects device information

Weaponization

Delivery
- The threat actors drop their tools onto different devices using SMB remote file copy

Exploitation

Installation
- The group moves laterally to a server and copies over a malicious DLL that masquerades as the system file mpr.dll, and a copy of the Sysinternals DebugView tool.

Command and Control
- The group uses MsMpEng.exe with the malicious sideloaded DLL to connect to another device that appears to have been designated by BISMUTH at some point during the attack as an internal C2 foothold and exfiltration staging device.
- The actors register and launch malicious services multiple times, launching the DebugView tool to connect to multiple Yahoo websites and confirm Internet connectivity, followed by a connection to their C2 infrastructure.
- The threat actors delete PowerShell event logs to erase records generated by Script Block Logging.

Actions on objectives
- The threat actors dump credentials from the Security Account Manager (SAM) database using the Empire PowerDump command

Cyber Kill Chain associated with the threat actor's activity one month after the initial access:

Reconnaissance
- Continual discovery using a PowerShell script that gathers user and group information
- The group uses the system tool Nltest.exe to gather domain trust info and pings multiple servers they have identified by name during reconnaissance (previous cyber kill chain): they pursue only servers that could contain high-value information for espionage

Weaponization

Delivery
- The threat actors start connecting to dozens of devices using WMI

Exploitation

Installation
- They install a Cobalt Strike beacon
- The group drops a .rar file and extracts its contents (McOds.exe, which is a copy of the McAfee on-demand scanner, and a malicious DLL) into the SysWOW64 folder.
- The group creates a scheduled task that launches the copy of the McAfee on-demand scanner with SYSTEM privileges and sideloads the malicious DLL.

Command and Control
- They establish a connection to the Cobalt Strike server infrastructure (through the persistence mentioned in the installation phase)
- They delete the dropped McAfee binary

Actions on objectives
- BISMUTH deploys coin miners (Monero miners)


Cyber Kill Chain associated with the credential theft activity:

Reconnaissance

Weaponization

Delivery

Exploitation

Installation
- The threat actors register multiple malicious services that use %comspec% to run the renamed DebugView tool while loading a malicious DLL.
- The group uses DebugView and the malicious DLL in a fairly unexpected fashion to launch Base64-encoded Mimikatz commands using one of several Windows processes: makecab.exe, systray.exe, w32tm.exe, bootcfg.exe, diskperf.exe, esentutl.exe, and typeperf.exe.

Command and Control
- The co-opted DebugView tool connects to multiple attacker-controlled domains

Actions on objectives
- Exfiltrate stolen credentials
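The kill chains above describe three behaviours a defender can turn into detection logic: a copy of MsMpEng.exe running outside the Defender install directory and sideloading a DLL named MpSvc.dll (kill chain 1), services registered with an ImagePath that goes through %comspec% (kill chain 4), and the clearing of the PowerShell event log (kill chain 2). The following is an added example, not code from the course or from the Microsoft report; the telemetry records and their field names are constructed for this illustration.

```python
# Added example: rule-based triage of constructed endpoint telemetry for the
# BISMUTH behaviours described in the report. Field names are an assumption.
EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\MsMpEng.exe",
     "loaded": [r"C:\ProgramData\MpSvc.dll"]},                       # sideload
    {"type": "process", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "loaded": [r"C:\Program Files\Windows Defender\MpSvc.dll"]},    # benign
    {"type": "service_install", "name": "svc01",
     "image_path": r"%comspec% /c C:\Windows\Temp\Dbgview64.exe"},   # %comspec%
    {"type": "service_install", "name": "svc02",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},   # benign
    {"type": "eventlog_cleared",
     "channel": "Microsoft-Windows-PowerShell/Operational"},          # log wipe
]

DEFENDER_DIR = r"c:\program files\windows defender"  # expected install location


def rules_for(ev):
    """Return the names of the report-derived rules that one event matches."""
    hits = []
    if ev["type"] == "process":
        image = ev["image"].lower()
        exe = image.rsplit("\\", 1)[-1]
        dlls = {d.lower().rsplit("\\", 1)[-1] for d in ev.get("loaded", [])}
        # Kill chain 1: MsMpEng.exe outside its install dir loading a DLL
        # that borrows the name of the legitimate MpSvc.dll.
        if exe == "msmpeng.exe" and not image.startswith(DEFENDER_DIR) \
                and "mpsvc.dll" in dlls:
            hits.append("defender_sideload")
    elif ev["type"] == "service_install":
        # Kill chain 4: service ImagePath routed through %comspec%.
        if "%comspec%" in ev["image_path"].lower():
            hits.append("comspec_service")
    elif ev["type"] == "eventlog_cleared":
        # Kill chain 2: PowerShell log cleared (Script Block Logging evidence).
        if "powershell" in ev["channel"].lower():
            hits.append("ps_log_cleared")
    return hits


def triage(events):
    """Map each rule name to the indexes of the events that triggered it."""
    out = {}
    for i, ev in enumerate(events):
        for rule in rules_for(ev):
            out.setdefault(rule, []).append(i)
    return out


if __name__ == "__main__":
    for rule, idx in triage(EVENTS).items():
        print(rule, idx)
```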

Key takeaways:

• The cyber kill chain follows the typical narrative of an attack.
• Simply because the adversary moved to Actions on Target doesn't always mean that their mission is accomplished. Adversaries can use a first objective as a decoy to prepare for their final goal.
• Not in all investigation cases can we obtain all the steps of the kill chain (example: Cyber Kill Chain number 4).
• When the intrusion is composed of multiple stages, we can divide it into several kill chains. In real investigation cases, the relationship between the 4 cyber kill chains is established by analyzing each scenario separately; the common key indicators of compromise are then useful to deduce the links between them.

Possible courses of action applied on the first cyber kill chain (action categories: Discover, Detect, Deny, Disrupt, Degrade, Deceive, Destroy):

Recon
- False email addresses

Weap

Delivery
- User training
- Email filters to block phishing emails
- Mail quarantine
- Stripping attachments
- Re-route emails

Exploit
- HIDS
- EDR

Install
- HIDS
- EDR
- Anti-malware
- Privilege restriction
- Sandbox (an isolated environment where you can execute untrusted software)

C2
- HIDS
- Firewall
- NIPS
- ACL

AoO
- Honeypot

P.S.: The suggested list of possible actions is not exhaustive.
