6 April 2021

China-linked hackers target government, military entities in Vietnam


Security researchers at Kaspersky Lab revealed a sophisticated cyber-espionage campaign aimed at the government and military sector in Vietnam. The researchers have attributed this campaign to a China-linked threat actor, known as Cycldek, Goblin Panda and Conimes, which has been active since at least 2013.

The campaign, first spotted in June 2020, relies on a DLL side-loading infection chain to deliver the FoundCore RAT (remote access trojan), which gives the attackers full control over the compromised device.

As part of a recent attack on a high-profile Vietnamese organization, the attackers abused a legitimate component from Microsoft Outlook to load a malicious DLL, which ran shellcode acting as a loader for the FoundCore RAT.

Once executed, the malware starts four processes: the first establishes persistence by creating a service; the second sets inconspicuous information for the service by changing its “Description”, “ImagePath” and “DisplayName” fields (among others); the third sets an empty DACL (corresponding to the SDDL string “D:P”) on the image file associated with the current process, in order to prevent access to the underlying malicious file; and the fourth establishes a connection to the attackers’ command and control server.
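The service persistence and the empty-DACL trick described above leave a footprint a defender can hunt for: a service whose binary carries a protected DACL with no ACEs. The following PowerShell is an added example written for this page, not Kaspersky's or the malware's code; it assumes a local administrator session and reads service definitions live from the host.

```powershell
# Added example: enumerate Windows services and flag those whose executable
# has an empty, protected DACL (SDDL "D:P"), or whose ACL cannot even be read.
# Assumes it runs in an elevated PowerShell session on the host being checked.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        # Quoted path: the executable is everything up to the closing quote.
        return $p.Substring(1, $p.IndexOf('"', 1) - 1)
    }
    # Unquoted path: cut at the first ".exe" (arguments may follow it).
    $i = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $p.Substring(0, $i + 4) }
    return ($p -split ' ')[0]
}

function Find-EmptyDaclServices {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
        try {
            $acl = Get-Acl -LiteralPath $bin
        } catch {
            # An administrator who cannot read the ACL of a service binary is
            # itself unusual: record it instead of silently skipping the service.
            $findings += [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName
                Binary = $bin; Sddl = '<unreadable>'; Reason = 'ACL read denied' }
            continue
        }
        # "D:" followed only by flags (e.g. "P") and then the end of the string or
        # the SACL section means the DACL contains no ACEs at all.
        if ($acl.Sddl -match 'D:[A-Z]*(?:$|S:)' -or $acl.Access.Count -eq 0) {
            $findings += [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName
                Binary = $bin; Sddl = $acl.Sddl; Reason = 'empty DACL' }
        }
    }
    return $findings
}

Find-EmptyDaclServices | Format-Table -AutoSize
```

A legitimate service binary normally carries ACEs for SYSTEM, Administrators and Users, so any hit deserves review of the service's Description, ImagePath and DisplayName fields as well.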

In addition to FoundCore, the infection chain has been observed downloading two further malicious programs: DropPhone, which gathers environment information from the victim machine and sends it to DropBox, and CoreLoader, a shellcode loader that runs code designed to help the malware evade detection by security solutions.

“We observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand,” Kaspersky noted.
