Pond Loach delivers BadCake malware
January 17, 2019
During 2018, iDefense observed several events likely attributed to the POND LOACH (aka APT32 and OceanLotus) threat group, an adversary that has likely been active since 2013. This group is allegedly behind an intrusion event into at least one organization operating in the hospitality sector in 2018, according to recent reporting by security researchers at CrowdStrike.[1]
iDefense has moderate confidence that POND LOACH has been operating in or near Vietnam and is possibly supported by the Vietnamese government. This assessment is based upon open- and closed-source information pertaining to prior targeting of foreign governments, journalists, dissidents and private-sector organizations operating across numerous industries with significant business interests in Vietnam, including entities in other Southeast Asian countries such as the Philippines, Laos and Cambodia (e.g. the Association of Southeast Asian Nations [ASEAN]).
POND LOACH appears to be well funded, as evidenced by the variety of custom backdoors it has developed to target Windows and Mac operating systems, as previously noted by security researchers at Palo Alto Networks[2] and ESET.[3] One of these custom backdoors that iDefense has continued to track is known as BadCake. This backdoor is commonly dropped by either an SFX archive or an exploit document (e.g. a Microsoft Corp. Word or PDF file).
Some of this backdoor’s observed capabilities include:
Once dropped, it is usually divided into multiple components in order to be side-loaded, in a fashion similar to other remote access tools including PlugX[4] and NetTraveler.[5] Several examples of BadCake abusing legitimate, signed executables to carry out DLL side-loading techniques include the following:
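As an added defender-side illustration (not code from the report or from iDefense), the following Python heuristic captures the side-loading shape described above: a legitimate, signed executable mapping a DLL from its own directory whose signer does not match the executable's. The `ImageLoad` record format and all sample paths and signer names are constructed for the example.

```python
"""Heuristic for the DLL side-loading pattern used by side-loaded backdoors.

A signed host executable that loads an unsigned (or differently signed) DLL
from the directory it lives in is the shape to hunt for.  The record format
below is hypothetical; real telemetry (e.g. image-load events) would be
mapped onto it.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ImageLoad:
    process_path: str    # executable that performed the load
    process_signer: str  # publisher on its Authenticode signature, "" if unsigned
    dll_path: str        # DLL mapped into the process
    dll_signer: str      # publisher on the DLL's signature, "" if unsigned


def is_side_load_candidate(rec: ImageLoad) -> bool:
    """True when a signed executable loads a sibling DLL not signed by the same publisher."""
    if not rec.process_signer:  # unsigned host: not the pattern of interest here
        return False
    proc_dir = ntpath.dirname(rec.process_path).lower()
    dll_dir = ntpath.dirname(rec.dll_path).lower()
    if dll_dir != proc_dir:  # DLL resolved elsewhere (e.g. System32): normal search order
        return False
    # Vendor bundles legitimately ship sibling DLLs signed by the same publisher;
    # a mismatch (or no signature at all) is what distinguishes a planted payload.
    return rec.dll_signer.lower() != rec.process_signer.lower()


def find_side_loads(records):
    """Return the records that match the side-loading heuristic."""
    return [r for r in records if is_side_load_candidate(r)]


# Constructed sample telemetry: one benign OS load, one benign vendor bundle,
# one planted DLL beside a signed executable in a user-writable directory.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor Inc",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor Inc",
              r"C:\Program Files\Vendor\plugin.dll", "Vendor Inc"),
    ImageLoad(r"C:\Users\Public\Libraries\updater.exe", "Vendor Inc",
              r"C:\Users\Public\Libraries\helper.dll", ""),
]

if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_LOADS):
        print(f"possible side-load: {hit.process_path} -> {hit.dll_path}")
```

Signature checks alone will not catch a payload signed with a stolen certificate, so in practice the hit list is triaged together with the DLL's hash and the writability of its directory.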
iDefense analysts have used the MITRE ATT&CK[6] framework to map the observed POND LOACH tactics and techniques shown below:
In recent years, POND LOACH actors have continued to use TTPs such as strategic website compromise (SWC) and spear-phishing attacks to deliver custom website profiling tools and malware backdoors. The likely objective for this group appears to be infiltrating the digital assets of foreign public- and private-sector organizations with significant interests in Vietnam to steal intellectual property and confidential business information that may benefit Vietnamese state entities. iDefense analysts believe that this group will continue to be active into next year and that it will re-tool its arsenal as needed to avoid network defense mechanisms.
If you have any questions about POND LOACH or would like to know more about the verticals this group has previously targeted or more about its custom malware arsenal, please reach out to the Accenture Security Cyber Defense Services team at firstname.lastname@example.org
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks