New APT Group ‘Lotus Bane’ Behind Recent Attacks on Vietnam’s Financial Entities

New APT Group ‘Lotus Bane’ Behind Recent Attacks on Vietnam’s Financial Entities

A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane as part of a cyber attack that was first detected in March 2023.

Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that’s believed to have been active since at least 2022.

Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with that of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named pipes communication.

It’s worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyber attack targeting an unnamed Vietnamese organization in late December 2022.

The development comes as financial organizations across Asia-Pacific (APAC), Europe, Latin America (LATAM), and North America have been the target of several advanced persistent threat groups such as Blind Eagle and the Lazarus Group over the past year.

Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switch servers with the goal of infecting them with a custom malware called CAKETAP.

UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards.

“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and targets, underline the complexity of protecting against financial cyber threats in today’s digital landscape.”