6 April 2021

China-linked hackers target government, military entities in Vietnam


Security researchers at Kaspersky Lab have revealed a sophisticated cyber-espionage campaign aimed at the government and military sector in Vietnam. The researchers attribute the campaign to a China-linked threat actor known variously as Cycldek, Goblin Panda and Conimes, which has been active since at least 2013.

The campaign, first spotted in June 2020, uses a DLL side-loading infection chain to deliver the FoundCore RAT (remote access trojan), which gives the attackers full control over the compromised device.

In a recent attack on a high-profile Vietnamese organization, the attackers abused a legitimate Microsoft Outlook component to load a malicious DLL, which ran shellcode acting as a loader for the FoundCore RAT.

Once executed, the malware starts four processes: the first establishes persistence by creating a service; the second sets inconspicuous information for that service by changing its “Description”, “ImagePath” and “DisplayName” fields (among others); the third sets an empty DACL (corresponding to the SDDL string “D:P”) on the image associated with the current process, so that the underlying malicious file can no longer be accessed; and the fourth establishes a connection to the attackers’ command-and-control server.
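One defender-side check for the empty-DACL trait described above, as an added PowerShell example (not code from the article or from Kaspersky's research): it enumerates Windows services and reports any whose image file carries a protected DACL with no ACEs, or whose ACL cannot be read at all, which is what a non-owner sees once the DACL is empty. It assumes an elevated session on a Windows host; the function name is hypothetical.

```powershell
# Added example, not from the article. Flags service image files whose DACL is
# protected and empty (SDDL "D:P"), i.e. nobody, not even Administrators, is
# granted access, plus files whose ACL is unreadable for the same reason.
function Get-ServiceImageWithEmptyDacl {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        # ImagePath may be quoted and may carry arguments; keep only the executable.
        if ($cmd.StartsWith('"')) {
            $end = $cmd.IndexOf('"', 1)
            if ($end -lt 1) { continue }
            $path = $cmd.Substring(1, $end - 1)
        } else {
            $path = ($cmd -split ' ', 2)[0]
        }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        try {
            $acl = Get-Acl -LiteralPath $path
        } catch {
            # READ_CONTROL is denied to everyone but the owner on an empty DACL,
            # so an unreadable ACL on a service binary is itself worth reporting.
            [pscustomobject]@{
                Service = $svc.Name; DisplayName = $svc.DisplayName; Path = $path
                Sddl = $null; Reason = 'ACL not readable: ' + $_.Exception.Message
            }
            continue
        }
        # Protected DACL (the "P" flag) with zero ACEs: the "D:P" case.
        if ($acl.AreAccessRulesProtected -and $acl.Access.Count -eq 0) {
            [pscustomobject]@{
                Service = $svc.Name; DisplayName = $svc.DisplayName; Path = $path
                Sddl = $acl.Sddl; Reason = 'Empty protected DACL (SDDL D:P)'
            }
        }
    }
}

Get-ServiceImageWithEmptyDacl | Format-Table -AutoSize
```

Any hit should be cross-checked against the service's Description and DisplayName, since the article notes those fields are rewritten to look inconspicuous.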

In addition to FoundCore, the infection chain has been observed downloading two further malicious programs: DropPhone, which gathers environment information from the victim machine and sends it to Dropbox, and CoreLoader, a shellcode loader that runs code to help the malware evade detection by security solutions.

“We observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand,” Kaspersky noted.
