On August, Votiro Labs collaborated with ClearSky and uncovered several indicators that were researched and found to be related to a new hacking campaign targeting large Vietnamese organisations. This campaign was found to be connected to the same party which previously targeted Vietnam Airlines and some other high profile targets possibly led by the Chinese 1937CN group.
In this post we will review the research results of Votiro Labs and ClearSky, the weaponized documents and campaign infrastructure.
On the 10th and 3rd of August 2017
Two malicious documents exploiting CVE-2012-0158 were submitted to Virus Total:
- “2017_08_03_Thông báo tổ chức thi đấu môn Tennis và bóng bàn giải CĐTTTT.doc” (58c4d4e0aaefe4c5493243c877bbbe74) .
- “517_CV-DU 10.8 sao gui CV 950-CV-BTCTW 18.5 sao gửi văn bản xác định tương đương trình độ cao cấp lý luận chính trị.doc” (b147314203f74fdda266805cf6f84876).
When opened, the documents drops Goopdate.dll (c3e9c9e99ed1b1116aaa9f93a36824ff). The samples communicate to dalat.dulichovietnam[.]net on port 53. This communication pattern is detected by a Snort rule by Emerging Threat as Win32/Upgilf.
In this picture we can see infrastructure: dulichovietnam.net has the following subdomains:
- hanoi.danang.dulichovietnam[.]net - dalat.dulichovietnam.net - hanoi.dulichovietnam.net - danang.dulichovietnam.net - dalat.hanoi.dulichovietnam.net - hanoi.hanoi.dulichovietnam.net - danang.danang.dulichovietnam.net - dalat.dulichovietnam.net - danang.dalat.dulichovietnam.net - danang.hanoi.dulichovietnam.net - dalat.dalat.dulichovietnam.net - hanoi.dalat.dulichovietnam.net - dulichovietnam.net
And these subdomains pointed to various IP addresses:
- 126.96.36.199 - 188.8.131.52 - 184.108.40.206 - 220.127.116.11 - 18.104.22.168 - 22.214.171.124
Based on passive DNS by Passive Total Votiro Labs learn that these IPs were pointed to by the following hosts:
- anh.phimhainhat.net - data.dcsvn.org - data.phimnoi.org - dav.thanhnlen.com - home.phimnoi.org - home.vietnamplos.com - login.phimhainhat.net - login.phimnoi.org - my.phimhainhat.net - news.phapluats.com - news.vietnannet.com - vietnam.phimhainhat.net
Some of them, such as dcsvn.org, have been active since 2015 and were mentioned in a post titled “Malware attacking Vietnam Airlines appears in many other agencies” by Bkav. where some of the domains were previously linked to a those are believed to be members of China’s 1937cn group.
There are also many similar files in this campaign. As list below provided by Gabor Szappanos:
The Maltego graph below depicts the relationship among the indicators:
We will track the activities of this hacking campaign then update this article later.