APT 32 initiates its attack by downloading and executing a VBA script. It then proceeds to execute commands using the Windows Event Log, downloads a file from the internet, and executes a batch script. APT 32 creates persistence in the registry run keys and verifies that the created persistence works. It then attempts to discover domain admins, steal credentials from the local machine, and use them to attempt lateral movement. It also maps admin shares, logs key inputs, discovers the file and directory structure, retrieves system information, encrypts files, and compresses and exfiltrates data in parallel. Finally, it lists credential files stored in the current user's AppData folders, performs DLL Search Order Hijacking, enumerates non-default installed applications, installs and runs a service, and creates a new user.