6 April 2021

China-linked hackers target government, military entities in Vietnam

Security researchers at Kaspersky Lab revealed a sophisticated cyber-espionage campaign aimed at the government and military sector in Vietnam. The researchers have attributed this campaign to a China-linked threat actor, known as Cycldek, Goblin Panda and Conimes, which has been active since at least 2013.

The campaign, first spotted in June 2020, uses a DLL side-loading infection chain to deliver the FoundCore RAT (remote access trojan), which gives the attackers full control over the compromised device.

As part of a recent attack on a high-profile Vietnamese organization, the attackers abused a legitimate Microsoft Outlook component to load a malicious DLL, which ran shellcode acting as a loader for the FoundCore RAT.

Once executed, the malware starts four processes: the first establishes persistence by creating a service; the second gives the service inconspicuous metadata by changing its “Description”, “ImagePath” and “DisplayName” fields (among others); the third sets an empty DACL (corresponding to the SDDL string “D:P”) on the image file of the current process, so that the underlying malicious file cannot be accessed; and the fourth establishes a connection to the attackers’ command-and-control server.
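The “D:P” detail above can be turned into a triage check. The following Python is an added example, not code from Kaspersky or from the report: it parses the DACL component of an SDDL string and flags service records whose image file carries a DACL that grants no access, which is exactly what an empty, protected DACL does. The service records are constructed sample data; on a live host you would feed it the SDDL of each service's image path instead.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Subset of the SDDL grammar we need: "D:" + optional flags (P, AR, AI)
# followed by zero or more ACEs of the form "(type;flags;rights;obj;inh;sid)".
DACL_RE = re.compile(r"D:((?:P|AR|AI)*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

class Dacl(NamedTuple):
    present: bool    # False for a NULL DACL (no "D:" part), which grants everyone full access
    protected: bool  # "P" flag: inheritance from the parent directory is blocked
    allow_aces: int  # number of access-allowed ("A") ACEs
    deny_aces: int   # number of access-denied ("D") ACEs

def parse_dacl(sddl: str) -> Dacl:
    """Extract the DACL component of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return Dacl(False, False, 0, 0)
    flags, ace_text = m.groups()
    types = [ace.split(";")[0] for ace in ACE_RE.findall(ace_text)]
    return Dacl(True, "P" in flags, types.count("A"), types.count("D"))

def grants_no_access(sddl: str) -> bool:
    """True for the DACL the article describes ("D:P": present, protected, no ACEs)
    and, more generally, for any present DACL that contains no access-allowed ACE."""
    d = parse_dacl(sddl)
    return d.present and d.allow_aces == 0

def flag_unreadable_service_images(records: Iterable[Tuple[str, str, str]]) -> List[str]:
    """records: (service name, image path, SDDL of the image file).
    Returns the services whose binary no principal is allowed to read."""
    return [name for name, _path, sddl in records if grants_no_access(sddl)]

# Constructed sample data (not from the report): a normal system service,
# one with a "D:P" image file, and one with a restrictive but readable DACL.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe",
     "O:BAG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)"),
    ("UpdateHelper", r"C:\ProgramData\upd\helper.exe", "O:BAG:SYD:P"),
    ("Telemetry", r"C:\Program Files\vendor\tele.exe", "O:BAG:SYD:P(A;;FA;;;BA)"),
]

if __name__ == "__main__":
    for name in flag_unreadable_service_images(SAMPLE_SERVICES):
        print(f"[!] service {name!r}: image file DACL grants no access, inspect it")
```

A NULL DACL (no “D:” part at all) is deliberately not flagged, since it grants everyone full access rather than blocking it.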

In addition to FoundCore, the infection chain has been observed downloading two further malicious programs: DropPhone, which gathers environment information from the victim machine and sends it to Dropbox, and CoreLoader, a shellcode loader that runs code helping the malware evade detection by security solutions.

“We observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand,” Kaspersky noted.
