Earlier in June last year, Kaspersky discovered an advanced cyberespionage campaign targeting entities in the government and military sectors in Vietnam. The attackers' final aim was to install a remote administration tool that gives them full control over the infected device. Analysis suggested that the attack was being conducted by a group of threat actors related to Cycldek, a Chinese-speaking threat group that has been active since 2013 and is known for its sophisticated and advanced cyberattack methods.
As Kaspersky revealed in its report, these Chinese-speaking threat actors "often share their techniques and methodologies with each other", which makes it easier for researchers like Kaspersky to hunt for advanced persistent threat (APT) activity. Through this research, Kaspersky has learned how well-known cyberespionage groups such as LuckyMouse, HoneyMyte, and Cycldek operate. That is exactly why, the moment one of these threat actors' best-known tactics, the DLL side-loading triad, was spotted in the attacks targeting government and military entities in Vietnam, it was immediately brought to notice.
DLLs, or dynamic-link libraries, are pieces of code meant to be used by other programs on a computer. In DLL side-loading, a legitimate file (such as one from Microsoft Outlook) is tricked into loading a malicious DLL, which allows attackers to bypass security products. In this recently discovered campaign against entities in Vietnam, the DLL side-loading infection chain executes shellcode that decrypts the final payload: a remote access Trojan that Kaspersky researchers have named FoundCore. FoundCore gives attackers full control over the infected device.
The method used to protect this malicious code from analysis is also rather interesting, and it signals a major advancement in sophistication for attackers in this region. The headers (the destination and source for the code) of the final payload were almost completely stripped away, and the few that remained contained incoherent values. This makes it significantly more difficult for researchers to reverse engineer the malware for analysis. The components of the infection chain are also tightly coupled, which means that individual pieces are difficult, and sometimes almost impossible, to analyse in isolation, preventing a full picture of the malicious activity.
Kaspersky researchers also discovered that this infection chain downloads two additional pieces of malware. The first, called DropPhone, collects environment information from the victim machine and sends it to Dropbox. The second, called CoreLoader, runs code that helps the malware evade detection by security products.
Dozens of computers have been affected by this campaign, with 80% of them based in Vietnam. Most of these machines belonged to the government or military sector; however, there were other targets as well, related to health, diplomacy, education, and politics. There were also occasional targets in Central Asia and in Thailand.
(c) 2021 the Hindustan Times
Distributed by Tribune Content Agency, LLC.