
Votiro Labs Exposes Hacking Campaign Using Weaponized Word Docs

August 23, 2017

Over the last few weeks, working together with ClearSky, we uncovered several indicators that our research tied to a new hacking campaign targeting large Vietnamese organisations. The campaign is connected to the same party that previously targeted Vietnam Airlines and other high-profile targets, possibly led by the Chinese 1937CN group. In this post we review the research results of Votiro Labs and ClearSky, the weaponized documents and the campaign infrastructure.

On the 3rd and 10th of August 2017, two malicious documents exploiting CVE-2012-0158 (the buffer overflow in the MSCOMCTL.OCX ActiveX control patched in MS12-027, still a staple of Office-based phishing in 2017) were submitted to VirusTotal:

  1. “2017_08_03_Thông báo tổ chức thi đấu môn Tennis và bóng bàn giải CĐTTTT.doc”[1] (58c4d4e0aaefe4c5493243c877bbbe74).

  2. “517_CV-DU 10.8 sao gui CV 950-CV-BTCTW 18.5 sao gửi văn bản xác định tương đương trình độ cao cấp lý luận chính trị.doc” (b147314203f74fdda266805cf6f84876).

When opened, each document drops Goopdate.dll (c3e9c9e99ed1b1116aaa9f93a36824ff). The samples communicate with dalat.dulichovietnam[.]net on port 53, a port chosen so the beacon blends in with DNS traffic that is rarely blocked outbound. This communication pattern is detected by an Emerging Threats Snort rule as Win32/Upgilf[2].

Infrastructure

dulichovietnam[.]net has the following subdomains:

  • hanoi.danang.dulichovietnam[.]net

  • dalat.dulichovietnam[.]net

  • hanoi.dulichovietnam[.]net

  • danang.dulichovietnam[.]net

  • dalat.hanoi.dulichovietnam[.]net

  • hanoi.hanoi.dulichovietnam[.]net

  • danang.danang.dulichovietnam[.]net

  • danang.dalat.dulichovietnam[.]net

  • danang.hanoi.dulichovietnam[.]net

  • dalat.dalat.dulichovietnam[.]net

  • hanoi.dalat.dulichovietnam[.]net

  • dulichovietnam[.]net

These subdomains resolved to the following IP addresses:

  • 209.58.179.202

  • 209.58.176.46

  • 188.42.254.112

  • 66.154.125.145

  • 176.223.165.165

  • 60.251.29.40

Based on passive DNS data from PassiveTotal, we learn that these IPs were also pointed to by the following hosts:

  • anh.phimhainhat[.]net

  • data.dcsvn[.]org

  • data.phimnoi[.]org

  • dav.thanhnlen[.]com

  • home.phimnoi[.]org

  • home.vietnamplos[.]com

  • login.phimhainhat[.]net

  • login.phimnoi[.]org

  • my.phimhainhat[.]net

  • news.phapluats[.]com

  • news.vietnannet[.]com

  • vietnam.phimhainhat[.]net

Some of them, such as dcsvn[.]org, have been active since 2015 and were mentioned in a post titled “Malware attacking Vietnam Airlines appears in many other agencies” by Bkav[3], where some of these domains were linked to actors believed to be members of China’s 1937CN group.
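The hashes, domains and IPs above are only useful once they are swept against telemetry. The script below is an added example, not code from Votiro Labs or ClearSky: it carries the indicators from this post and runs constructed DNS, connection and file-hash log lines through them. The "timestamp type key=value" log format, the sample lines, the KNOWN_RESOLVERS set and the severity labels are assumptions made for the illustration. Domain matching covers the apex and any subdomain depth (the campaign used names such as hanoi.hanoi.dulichovietnam[.]net) without matching look-alikes, and port-53 traffic to anything other than an approved resolver is flagged even when the destination IP is not yet on the list, since that is how the beacon described above would show up.

```python
"""IOC sweep for the campaign described in this post.

Added example, not Votiro Labs or ClearSky code. Indicators are copied from the
post; the log format, sample lines and resolver list are constructed assumptions.
"""
import re

# MD5 hashes from the post.
MD5_HASHES = {
    "58c4d4e0aaefe4c5493243c877bbbe74",  # 2017_08_03 ... Tennis ... .doc
    "b147314203f74fdda266805cf6f84876",  # 517_CV-DU 10.8 ... .doc
    "c3e9c9e99ed1b1116aaa9f93a36824ff",  # Goopdate.dll
}

# Apex domains from the post, kept defanged so the block is safe to paste around.
DEFANGED_DOMAINS = [
    "dulichovietnam[.]net", "phimhainhat[.]net", "dcsvn[.]org", "phimnoi[.]org",
    "thanhnlen[.]com", "vietnamplos[.]com", "phapluats[.]com", "vietnannet[.]com",
]

# IPs the subdomains pointed to, from the post.
C2_IPS = {
    "209.58.179.202", "209.58.176.46", "188.42.254.112",
    "66.154.125.145", "176.223.165.165", "60.251.29.40",
}

# Assumption: the organisation's approved DNS resolvers (constructed addresses).
KNOWN_RESOLVERS = {"10.0.0.2", "10.0.0.3"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return ioc.replace("[.]", ".")


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def domain_matches(host: str):
    """Return the campaign apex domain that host belongs to, or None.

    Matches the apex and any subdomain depth, but not look-alikes such as
    notdulichovietnam.net (the dot before the apex is required).
    """
    h = host.lower().rstrip(".")
    for d in DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


# Assumed log format: "<timestamp> <type> key=value key=value ...".
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    ts, kind, rest = line.split(" ", 2)
    rec = {k: v.strip('"') for k, v in KV.findall(rest)}
    rec["ts"], rec["type"] = ts, kind
    return rec


def check_record(rec: dict) -> list:
    """Return (severity, reason) findings for one parsed log record."""
    hits = []
    if rec["type"] == "dns":
        apex = domain_matches(rec.get("query", ""))
        if apex:
            hits.append(("high", f"DNS lookup of campaign domain {apex}"))
    elif rec["type"] == "conn":
        dst = rec.get("dst", "")
        if dst in C2_IPS:
            hits.append(("high", f"connection to campaign IP {dst}"))
        # The implant beacons on port 53: port-53 traffic to anything other than
        # an approved resolver is worth a look even before the IP is listed.
        if rec.get("dport") == "53" and dst not in KNOWN_RESOLVERS:
            hits.append(("medium", f"port-53 traffic to non-resolver {dst}"))
    elif rec["type"] == "file":
        md5 = rec.get("md5", "").lower()  # normalise case before comparing
        if md5 in MD5_HASHES:
            hits.append(("high", f"known campaign file hash {md5}"))
    return hits


def sweep(lines) -> list:
    """Run every log line through the checks; return (ts, source, severity, reason)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        source = rec.get("client") or rec.get("src") or rec.get("host") or "?"
        for severity, reason in check_record(rec):
            findings.append((rec["ts"], source, severity, reason))
    return findings


# Constructed sample log lines (not real telemetry); 203.0.113.44 is a TEST-NET address.
SAMPLE_LOG = [
    "2017-08-11T09:12:03Z dns client=10.0.0.5 query=dalat.dulichovietnam.net",
    "2017-08-11T09:12:04Z conn src=10.0.0.5 dst=209.58.179.202 dport=53 proto=tcp",
    "2017-08-11T09:15:00Z dns client=10.0.0.7 query=www.example.com",
    "2017-08-11T09:15:01Z conn src=10.0.0.7 dst=10.0.0.2 dport=53 proto=udp",
    "2017-08-11T09:20:12Z file host=WS-17 md5=C3E9C9E99ED1B1116AAA9F93A36824FF name=Goopdate.dll",
    "2017-08-11T09:21:00Z conn src=10.0.0.9 dst=203.0.113.44 dport=53 proto=tcp",
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_LOG):
        print(*finding)
```

On the sample lines this yields five findings: the lookup of dalat.dulichovietnam.net, the connection to 209.58.179.202 (flagged twice, once for the listed IP and once as port-53 traffic to a non-resolver), the Goopdate.dll hash on WS-17, and the unexplained port-53 connection to 203.0.113.44. The resolver lookup of www.example.com and the UDP/53 flow to the approved resolver produce nothing. Hash matching is on MD5 because that is what the post publishes; in practice, pivot to SHA-256 once the samples are in hand, since MD5 collisions are cheap.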

209.58.179.202, for example, hosted the following domains:

Droppers

Below are the dropper .doc files from the campaign, going back to January 2016 (we would like to thank Gabor Szappanos for his help with this research):

The Maltego graph below depicts the relationships among the indicators:

The Votiro team continues to stay on the lookout for current cyber events and threats, as providing the most comprehensive protection for our customers is essential and our top priority.

By continuing our research, our goal is to stay ahead of the next cyber threat and ensure our customers' protection.

[1] 2017_08_03_Information of Tennis and Table Tennis Championship

[2] We used the MalNet Maltego transform with Proofpoint data for this research. The Emerging Threats rule that matched is “2820073 – ETPRO TROJAN Win32/Upgilf CnC Beacon”.

[3] http://security.bkav.com/home/-/blogs/malware-attacking-vietnam-airlines-appears-in-many-other-agenci-1/normal?p_p_auth=DHFn7deT