APT32, also known as Ocean Lotus, is a Vietnamese-linked Advanced Persistent Threat (APT) group whose campaigns target users and companies in South East Asia frequently. The primary groups that the hackers go after are political organizations, journalists, dissidents and private companies in various industries. Some of their more notable attacks were carried out against high-profile targets in Cambodia, Laos and the Philippines. The group relies on a broad range of hacking tools that are used for data exfiltration, surveillance, and espionage – one of the most functional pieces of software in their arsenal appears to be BadCake, a custom backdoor Trojan that is being delivered to its intended targets via spear-phishing or watering hole attacks.
Once installed, BadCake will provide its operators with the ability to collect general hardware and software information about the infected system. In addition to this, the backdoor is capable of allowing the execution of arbitrary commands – these could be used to alter the system's configuration and weaken security measures. Last but not least, the BadCake backdoor can manipulate the file system, and download more files onto the compromised system, therefore making it possible to plant secondary payloads.
Since the BadCake Trojan is meant to stay on the infected system for long, it will take the required steps to gain persistence – either by creating a bogus Windows Service or setting up a new Scheduled Task. The threat uses DGA (Domain Generation Algorithm) to create new subdomains that are used with hardcoded Command and Control servers.
BadCake's activities seem often to be accompanied by public tools such as Mimikatz (used for credential collection) or Cobalt Strike, a post-exploitation framework meant to be used by penetration testers. APT32 have been active in the cybercrime field since 2013, and they have upgraded their infrastructure and toolkit continuously by introducing new projects or adding more features to previous malware samples. While their privately-developed tools may use a wide range of obfuscation techniques to evade anti-virus tools, users of reputable anti-malware products can rest assured that their systems are protected from threats like the BadCake backdoor Trojan.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to BadCake may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.