Security researchers at Kaspersky Lab revealed a sophisticated cyber-espionage campaign aimed at the government and military sector in Vietnam. The researchers have attributed this campaign to a China-linked threat actor known as Cycldek, Goblin Panda and Conimes, which has been active since at least 2013.
The campaign, first spotted in June 2020, involves a DLL side-loading infection chain used to deliver the FoundCore RAT (remote access trojan), which gives attackers full control over the compromised device.
As part of a recent attack on a high-profile Vietnamese organization, the attackers abused a legitimate component from Microsoft Outlook to load a malicious DLL that ran shellcode acting as a loader for the FoundCore RAT.
Once executed, the malware starts four processes: the first establishes persistence by creating a service; the second sets inconspicuous information for the service by changing its “Description”, “ImagePath” and “DisplayName” fields (among others); the third sets an empty DACL (corresponding to the SDDL string “D:P”) on the image associated with the current process in order to prevent access to the underlying malicious file; and the fourth establishes a connection to the attackers’ command and control server.
In addition to FoundCore, the infection chain has been observed downloading two malicious programs: DropPhone, malware that gathers environment information from the victim machine and sends it to DropBox, and CoreLoader, a shellcode loader that runs code to help the malware evade detection by security solutions.
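The empty, protected DACL (“D:P”) is a useful hunting signal: a service binary that nobody, not even administrators, is granted access to is rare on a healthy host. The following is an added example, not code from Kaspersky's report, that parses SDDL strings and flags services whose image file carries an empty DACL. It assumes the SDDL for each service image has already been collected (for instance with PowerShell's `(Get-Acl $path).Sddl`); the service records below are constructed sample data, not real telemetry.

```python
"""Flag Windows service binaries whose file DACL is empty (SDDL "D:P").

Added example, not part of the original report. Input records are constructed.
"""
import re
from dataclasses import dataclass

# SDDL sections start with O: (owner), G: (group), D: (DACL) or S: (SACL).
SECTION_RE = re.compile(r"([OGDS]):")
# Each ACE is a parenthesised, semicolon-separated field list.
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class SddlInfo:
    dacl_present: bool
    dacl_flags: str            # e.g. "P", "AI", "PAI"
    aces: list                 # (ace_type, ace_flags, rights, sid) tuples


def parse_sddl(sddl: str) -> SddlInfo:
    """Split an SDDL string into sections and parse the DACL part."""
    sections = {}
    matches = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    if "D" not in sections:
        return SddlInfo(False, "", [])
    body = sections["D"]
    paren = body.find("(")
    flags = body if paren < 0 else body[:paren]
    aces = []
    for ace in ACE_RE.findall(body):
        # ACE string: type;flags;rights;object_guid;inherit_object_guid;sid[;resource]
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return SddlInfo(True, flags, aces)


def classify_dacl(sddl: str) -> str:
    """Classify the DACL as null, empty (denies everyone) or normal."""
    info = parse_sddl(sddl)
    if not info.dacl_present:
        return "null-dacl"          # no D: section: NULL DACL, everyone has full access
    if not info.aces:
        # No ACE grants anything, so every open request on the file is denied.
        # "P" marks the DACL as protected, so inheritance cannot add ACEs either.
        return "empty-dacl-protected" if "P" in info.dacl_flags else "empty-dacl"
    return "normal"


def find_self_protected_services(services):
    """Return (name, image_path, verdict) for services whose image has an empty DACL."""
    hits = []
    for svc in services:
        verdict = classify_dacl(svc["image_sddl"])
        if verdict.startswith("empty-dacl"):
            hits.append((svc["name"], svc["image_path"], verdict))
    return hits


# Constructed sample records (hypothetical service names and paths).
SAMPLE_SERVICES = [
    {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe",
     "image_sddl": "O:BAG:SYD:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"},
    {"name": "UpdSvc", "image_path": r"C:\ProgramData\upd\upd.exe",
     "image_sddl": "D:P"},
    {"name": "LegacySvc", "image_path": r"C:\Tools\legacy.exe",
     "image_sddl": "O:BAG:SY"},
]

if __name__ == "__main__":
    for name, path, verdict in find_self_protected_services(SAMPLE_SERVICES):
        print(f"{name}: {path} -> {verdict}")
```

Only the constructed `UpdSvc` record is reported; the null-DACL case is deliberately classified separately, since a missing DACL grants everyone access and is a different misconfiguration from the self-protection trick described above.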
“We observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand,” Kaspersky noted.