
A new hacking campaign targeting Vietnamese organisations on August 2017

In August 2017, Votiro Labs, working with ClearSky, uncovered several indicators that on investigation turned out to belong to a new hacking campaign targeting large Vietnamese organisations. The campaign appears to be connected to the same party that previously targeted Vietnam Airlines and some other high-profile targets, possibly led by the Chinese 1937CN group.


In this post we review the research results of Votiro Labs and ClearSky: the weaponized documents and the campaign infrastructure.

On the 3rd and 10th of August 2017, two malicious documents exploiting CVE-2012-0158 were submitted to VirusTotal:

  1. “2017_08_03_Thông báo tổ chức thi đấu môn Tennis và bóng bàn giải CĐTTTT.doc”[1] (58c4d4e0aaefe4c5493243c877bbbe74).
  2. “517_CV-DU 10.8 sao gui CV 950-CV-BTCTW 18.5 sao gửi văn bản xác định tương đương trình độ cao cấp lý luận chính trị.doc” (b147314203f74fdda266805cf6f84876).

When opened, the documents drop Goopdate.dll (c3e9c9e99ed1b1116aaa9f93a36824ff). The samples communicate with dalat.dulichovietnam[.]net on port 53. This communication pattern is detected by an Emerging Threats Snort rule as Win32/Upgilf[2].

The campaign infrastructure is as follows: dulichovietnam.net has the following subdomains:


These subdomains pointed to various IP addresses:


Based on passive DNS data from PassiveTotal, Votiro Labs learned that the same IPs were also pointed to by the following hosts:


Some of them, such as dcsvn.org, have been active since 2015 and were mentioned in a post titled “Malware attacking Vietnam Airlines appears in many other agencies” by Bkav, in which some of the domains were linked to individuals believed to be members of China’s 1937CN group.
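The pivot described above (seed domain, to its resolved IPs, to every other hostname that resolved to those IPs) is easy to automate once you have passive DNS records. The following is an added example, not code from Votiro Labs or ClearSky; the records are constructed, with RFC 5737 documentation IPs and hypothetical hostnames mixed with two names from this post, and the `max_hosts_per_ip` cut-off is an assumption used to skip shared-hosting or sinkhole IPs that would otherwise flood the result with unrelated domains.

```python
from collections import defaultdict

# Constructed passive-DNS records (hostname, resolved IP). dulichovietnam.net and
# dcsvn.org appear in the post above; the other names and all IPs are placeholders.
SAMPLE_PDNS = [
    ("dalat.dulichovietnam.net", "192.0.2.10"),
    ("hanoi.dulichovietnam.net", "192.0.2.10"),
    ("danang.dulichovietnam.net", "198.51.100.7"),
    ("data.dcsvn.org", "192.0.2.10"),             # shares an IP with the seed
    ("news.example-news.test", "198.51.100.7"),   # shares an IP with the seed
    ("unrelated.example.test", "203.0.113.5"),    # shares nothing with the seed
    ("cdn.shared-hosting.test", "203.0.113.9"),
]


def registered_domain(hostname):
    """Naive eTLD+1 (last two labels). Adequate for the .net/.org names here;
    a production pivot should use the Public Suffix List instead."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def pivot(records, seed_domain, max_hosts_per_ip=25):
    """Map each IP used by seed_domain to the sorted hostnames of *other*
    registered domains that resolved to it. IPs with more than
    max_hosts_per_ip names are treated as shared infrastructure and skipped,
    since a pivot through them would be meaningless (assumed threshold)."""
    ip_to_hosts = defaultdict(set)
    for host, ip in records:
        ip_to_hosts[ip].add(host.lower())
    seed_ips = {ip for host, ip in records
                if registered_domain(host) == seed_domain}
    related = {}
    for ip in sorted(seed_ips):
        hosts = ip_to_hosts[ip]
        if len(hosts) > max_hosts_per_ip:
            continue
        others = sorted(h for h in hosts
                        if registered_domain(h) != seed_domain)
        if others:
            related[ip] = others
    return related


if __name__ == "__main__":
    for ip, hosts in pivot(SAMPLE_PDNS, "dulichovietnam.net").items():
        print(ip, "->", ", ".join(hosts))
```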

There are also many similar files in this campaign, listed below as provided by Gabor Szappanos:

The Maltego graph below depicts the relationship among the indicators:

We will continue to track the activities of this hacking campaign and update this article later.

Source: https://www.votiro.com
