ESET: Vietnamese hacking group hijacks Southeast Asian sites in watering hole campaign

The cybersecurity company says many of the websites are still serving malicious scripts after having been notified.

A prominent Vietnam-linked hacking group is exploiting a number of Southeast Asian organizations’ websites to deliver malware that extracts detailed information about victims’ systems, researchers say.

According to a report released Tuesday by Slovakian cybersecurity company ESET, the threat group APT32, also known as OceanLotus Group, has been conducting watering hole attacks using at least 21 vulnerable websites belonging to government, media and other organizations as far back as September.

APT32 is believed to be based in Vietnam and possibly linked to its government. Past research has shown APT32 to be a highly capable threat group that targets a wide variety of public and private organizations with customized tools for each target. Similarly, this campaign shows APT32 using a unique domain and server for each website it’s using as a watering hole, and the group only sends additional payloads to specific victims, according to ESET.

ESET said it notified 21 website owners of the threat “although some seem very resistant to being informed or helped.” Compromised websites include those of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, several Cambodian and Vietnamese news outlets, a Cambodian golf club and others.


“We notified all of them in October but most are still serving malicious script injections at the time of writing, two months after the first compromise,” ESET said.

ESET researchers wrote that the techniques APT32 uses in this now uncovered campaign “show a level of sophistication never before seen for OceanLotus.” The group employs a number of sophisticated methods to obfuscate its activity and evade detection as it installs malware capable of delivering additional payloads onto victims’ systems.

On targeted websites, APT32 hackers inject their own JavaScript code onto the index page, or a JavaScript file accessible to them on the website’s server, ESET explains. This gives the group the ability to redirect website visitors to its own domains then serve them malicious code .

The second payload analyzed by ESET is a reconnaissance script, which researchers said sends back detailed information about the target’s system, including the browser, browser plugins, language preferences, IP addresses and time zone. The researchers say this script resembles one observed in a past APT32 campaign.

“The different sections are similar and they include identical typos. Thanks to these similarities and the location of the targets, we are highly confident that OceanLotus runs this campaign,” ESET says.


Because the campaign uses advanced encryption methods for much of the data transferred between victims and APT32’s command and control servers, ESET said it can’t detect in-the-wild instances of the second payload being sent.


Latest Podcasts