State-backed threat group using crypto mining malware to evade detection and monetise compromised networks

There's a growing trend for state-backed APT groups to carry out financially-motivated crimes, alongside their usual espionage operations

Vietnam-based hackers have been using cryptocurrency-mining malware alongside their usual cyber-espionage toolkits to establish persistence on victim systems and evade detection for as long as possible.

That's according to the researchers from the Microsoft 365 Defender Threat Intelligence Team, who claim in a new report that the Vietnamese government-backed threat group BISMUTH is behind these cyber-campaigns that have targeted both government institutions and private firms in France and Vietnam between July and August this year.

BISMUTH has been active since 2012 and is also referred to as OceanLotus and APT32 in the cyber security community. In the past eight years, the group has targeted a large number of multinational corporations, financial firms, educational institutions, governments departments and civil rights organisations in Vietnam and abroad.

The main purpose of these attacks has been to collect confidential information. To achieve its goals, the group uses both open-source and custom-made tools.

While BISMUTH's espionage and exfiltration techniques have changed little over the years, the use of coin miners in more recent campaigns indicates that the group is trying to explore new ways to monetise compromised networks.

Cyber security experts see this as a growing trend in the industry, where state-backed APT groups are carrying out financially-motivated crimes alongside their usual espionage operations, in order to generate revenues from their attacks and to make it difficult for security experts to distinguish such campaigns from intelligence gathering.

The Microsoft researchers also believe that using crypto-mining malware could enable BISMUTH group to disguise some of its attacks from IT security teams and trick them into believing that the attacks are low-priority random intrusions.

The researchers observed BISMUTH sending specially crafted malicious emails from a Gmail account in an effort to gain initial access to the victim's network.

"Each email was sent to only one recipient at each target organisation and used tailored subject lines and lure themes," they said.

The group also used DLL side-loading technique, in which a legitimate library is replaced with a malicious variant. To facilitate this, BISMUTH introduced outdated versions of applications including Microsoft Defender Antivirus.

As victims worked to remove malware from their networks, they observed continued activity by the threat group, including movement of malware and DLLs laterally to other devices.

Microsoft advises organisations to "prioritise reducing the attack surface" and to "harden networks against the full range of attacks".

Organisations also need to educate end users about "protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity," the researchers say.