mood Posted April 6, 2021

Spy Operations Target Vietnam with Sophisticated RAT

Researchers said the FoundCore malware represents a big step forward when it comes to evasion.

An advanced cyberespionage campaign targeting government and military entities in Vietnam has been discovered that delivered a remote-access tool (RAT) for carrying out espionage operations, researchers said.

Further analysis suggested that this campaign was conducted by a group related to a Chinese-speaking advanced persistent threat (APT) known as Cycldek (a.k.a. Goblin Panda, APT 27 and Conimes), according to Kaspersky researchers, who added that the group has been active since at least 2013.

The malware used in the campaign, dubbed FoundCore, allows attackers to conduct filesystem manipulation, process manipulation, screenshot captures and arbitrary command execution. It represents a major advancement in sophistication for the group, according to an analysis released Monday by Kaspersky.

For instance, the method used to protect the malicious code from analysis is unique for Chinese-speaking groups, researchers said. “The headers (the destination and source for the code) for the final payload were completely stripped away, and the few that remained contained incoherent values,” they explained. “In doing this, the attackers make it significantly more difficult for researchers to reverse engineer the malware for analysis. What’s more, the components of the infection chain are tightly coupled, meaning single pieces are difficult—sometimes impossible—to analyze in isolation, preventing a full picture of malicious activity.”

Figure: The FoundCore infection routine. Source: Kaspersky.

The campaign also uses sideloading of dynamic-link libraries (DLLs), which happens when a legitimately signed file is tricked into loading a malicious DLL, allowing the attackers to bypass security products.

“In this recently discovered campaign, the DLL side-loading infection chain executes a shellcode that decrypts the final payload: [FoundCore], that gives the attackers full control over the infected device,” according to the analysis.

FoundCore: 4 Malware Threads

The final payload in the infection chain is a remote administration tool that provides full control over the victim machine to its operators. Upon execution, this malware starts four threads, according to researchers:

The first one establishes persistence by creating a service.

The second one sets inconspicuous information for the service by changing its Description, ImagePath and DisplayName fields (among others).

The third sets an empty Discretionary Access Control List (DACL) to the image associated to the current process in order to prevent access to the underlying malicious file. DACL is an internal list attached to an object in Active Directory that specifies which users and groups can access the object and what kinds of operations they can perform on the object.

Finally, a worker thread bootstraps execution and establishes connection with the C2 server. Depending on its configuration, it may also inject a copy of itself to another process.

Communications with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.

In the infection chain, FoundCore was also observed downloading two additional pieces of spyware. The first, DropPhone, collects environmental information from the victim machine and sends it to DropBox. The second, CoreLoader, runs code that helps the malware evade detection by security products.

“In general, over the past year, we’ve noticed that many of these Chinese-speaking groups are investing more resources into their campaigns and honing their technical capabilities,” said Mark Lechtik, senior security researcher with Kaspersky, in the analysis. “Here, they’ve added many more layers of obfuscation and significantly complicated reverse engineering. And this signals that these groups may be looking to expand their activities.”

Vietnam in APT Sights

Kaspersky’s analysis showed that dozens of computers were targeted in the campaign with the vast majority (80 percent) located in Vietnam. The other targets were found in Central Asia and in Thailand.

The firm also uncovered that most of the victims belonged to the government or military sector. That said, there were other targeted sectors, including diplomacy, education or healthcare.

“Right now, it may seem as if this campaign is more of a local threat, but it’s highly likely the FoundCore backdoor will be found in more countries in different regions in the future,” Lechtik said.

Pierre Delcher, senior security researcher with Kaspersky, added, “What’s more, given that these Chinese-speaking groups tend to share their tactics with one another, we wouldn’t be surprised to find these same obfuscation tactics in other campaigns. We’ll be monitoring the threat landscape for similar suspicious activity closely. For companies, the best thing they can do is keep their company up-to-date with the latest threat intelligence, so they know what to be on the lookout for.”

Source: Spy Operations Target Vietnam with Sophisticated RAT
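An added defender-side example, not part of the article above or of Kaspersky's analysis: the post describes a thread that puts an empty DACL on the service's image file so that nobody can open it. An empty DACL (zero ACEs, as opposed to a missing DACL) denies all access to everyone except the file's owner, which is rare on legitimate service binaries and therefore makes a usable hunting check. The script below enumerates Windows services, resolves each one's image path, and reports binaries whose DACL holds no ACEs, or that cannot be read at all. The function names Get-ServiceImagePath and Find-EmptyDaclServices are hypothetical; it assumes Windows PowerShell 5.1 or later and an account allowed to query services.

```powershell
# Added example (hypothetical helper names). Hunts for services whose image file
# carries an empty DACL, the technique described in the write-up above.

function Get-ServiceImagePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Win32_Service.PathName is the raw command line, e.g.
    #   "C:\Program Files\Vendor\svc.exe" -k arg   or   C:\Windows\svc.exe -k arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-EmptyDaclServices {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $image = [Environment]::ExpandEnvironmentVariables((Get-ServiceImagePath -PathName $svc.PathName))

        if (-not (Test-Path -LiteralPath $image)) {
            $findings += [pscustomobject]@{ Service = $svc.Name; Image = $image; Issue = 'image missing or not resolvable' }
            continue
        }

        try {
            $acl = Get-Acl -LiteralPath $image -ErrorAction Stop
        } catch {
            # Reading a security descriptor needs READ_CONTROL. An empty DACL denies that
            # to everyone but the owner, so "access denied" here is itself a finding.
            $findings += [pscustomobject]@{ Service = $svc.Name; Image = $image; Issue = "Get-Acl failed: $($_.Exception.Message)" }
            continue
        }

        # $acl.Access is the explicit and inherited ACE list; zero entries means an empty DACL.
        if ($acl.Access.Count -eq 0) {
            $findings += [pscustomobject]@{ Service = $svc.Name; Image = $image; Issue = 'empty DACL (no ACEs)' }
        }
    }
    return $findings
}

# Usage: run in an elevated session so protected service binaries can be inspected.
Find-EmptyDaclServices | Format-Table -AutoSize
```

On a hit, compare the service's Description, DisplayName and ImagePath (the fields the write-up says the second thread rewrites) against the vendor the binary claims to come from, and take ownership of the file from a trusted admin session before pulling it for analysis.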
aum Posted April 6, 2021

A hacking group related to a Chinese-speaking threat actor has been linked to an advanced cyberespionage campaign targeting government and military organizations in Vietnam.

The attacks have been attributed with low confidence to the advanced persistent threat (APT) called Cycldek (or Goblin Panda, Hellsing, APT 27, and Conimes), which is known for using spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the U.S. at least since 2013.

According to researchers from Kaspersky, the offensive, which was observed between June 2020 and January 2021, leverages a method called DLL side-loading to execute shellcode that decrypts a final payload dubbed "FoundCore."

DLL side-loading has been a tried-and-tested technique used by various threat actors as an obfuscation tactic to bypass antivirus defenses. By loading malicious DLLs into legitimate executables, the idea is to mask their malicious activity under a trusted system or software process.

In this infection chain revealed by Kaspersky, a legitimate component from Microsoft Outlook loads a malicious library called "outlib.dll," which "hijacks the intended execution flow of the program to decode and run a shellcode placed in a binary file, rdmin.src."

What's more, the malware comes with an extra layer designed explicitly to safeguard the code from security analysis and make it difficult to reverse-engineer. To achieve this, the threat actor behind the malware is said to have scrubbed most of the payload's header, while leaving the rest with incoherent values.

Kaspersky said the method "signals a major advancement in sophistication for attackers in this region."

Besides giving the attackers full control over the compromised device, FoundCore comes with capabilities to run commands for file system manipulation, process manipulation, capturing screenshots, and arbitrary command execution.

Infections involving FoundCore were also found to download two additional pieces of malware. The first, DropPhone, gathers environment-related information from the victim machine and exfiltrates it to DropBox, while the second, CoreLoader, runs code that enables the malware to thwart detection by security products.

The cybersecurity firm theorized the attacks originate with a spear-phishing campaign or other precursor infections, which trigger the download of decoy RTF documents from a rogue website, ultimately leading to the deployment of FoundCore.

Among dozens of affected organizations, 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education, or political verticals, with other victims occasionally spotted in Central Asia and Thailand.

"No matter which group orchestrated this campaign, it constitutes a significant step up in terms of sophistication," the researchers concluded. "Here, they've added many more layers of obfuscation and significantly complicated reverse engineering."

"And this signals that these groups may be looking to expand their activities. Right now, it may seem as if this campaign is more of a local threat, but it's highly likely the FoundCore backdoor will be found in more countries in different regions in the future," said Kaspersky senior security researcher Mark Lechtik.

Source
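An added example from the defender's side, not part of the post above or of Kaspersky's research: the side-loading described here works because a signed host executable resolves a DLL name from its own directory first, so an unsigned library planted next to it gets loaded with the host's reputation. The script below walks the running processes, keeps only those whose main image carries a valid Authenticode signature, and lists every loaded module that lives in the host's own directory but is not validly signed. The function name Find-SideloadCandidates is hypothetical; it assumes Windows PowerShell 5.1 or later running in the same bitness as the processes of interest and with enough rights to read their module lists.

```powershell
# Added example (hypothetical function name). Lists unsigned DLLs loaded from the
# same directory as a signed host process, the position a side-loaded library occupies.

function Find-SideloadCandidates {
    # Turn the non-terminating "access denied" errors from .Modules into catchable ones.
    $ErrorActionPreference = 'Stop'
    $results = @()

    foreach ($proc in Get-Process) {
        # Protected processes, other sessions and cross-bitness processes refuse module enumeration.
        try { $modules = $proc.Modules } catch { continue }
        if (-not $modules -or -not $proc.Path) { continue }

        # Only signed hosts are interesting: that is what the attacker is borrowing trust from.
        $hostSig = Get-AuthenticodeSignature -FilePath $proc.Path
        if ($hostSig.Status -ne 'Valid') { continue }
        $hostDir = Split-Path -Path $proc.Path -Parent

        foreach ($m in $modules) {
            if (-not $m.FileName -or $m.FileName -eq $proc.Path) { continue }
            # Classic side-load position: the DLL sits beside the executable, not in System32.
            if ((Split-Path -Path $m.FileName -Parent) -ne $hostDir) { continue }

            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') {
                $results += [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    HostImage = $proc.Path
                    Module    = $m.FileName
                    SigStatus = $sig.Status
                    Signer    = $hostSig.SignerCertificate.Subject
                }
            }
        }
    }
    return $results
}

# Usage: run elevated; review each hit's Module against the host's vendor.
Find-SideloadCandidates | Format-Table -AutoSize
```

Two caveats when reading the output: Get-AuthenticodeSignature only recognises catalog-signed Microsoft binaries on Windows 8 and later, so on older hosts some legitimate system DLLs will show as NotSigned, and a valid signature on the DLL does not clear it by itself, since the signer should also match the host's vendor. The check is a triage aid, not proof of compromise.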
Karlston Posted April 6, 2021

Similar topics merged.