ESET researchers have discovered a supply chain attack on a government website in Southeast Asia.
Just weeks after the supply-chain attack on the Able Desktop software, another similar attack took place on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and backdoored them to compromise users of the legitimate application.
ESET researchers discovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website was no longer delivering compromised software installers at the end of August 2020, and ESET telemetry data does not indicate that the compromised installers were distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before we contacted them and that they had notified the users who downloaded the trojanized software.
Supply chain attack in Vietnam
In Vietnam, digital signatures are very common, as digitally signed documents have the same legal standing as "wet" signatures. In accordance with Decree No. 130/2018, the cryptographic certificates used to sign documents must be provided by one of the authorized certificate providers, which include the VGCA, part of the Government Cipher Committee. That committee, in turn, is under the Ministry of Information and Communications.
In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certificate authority's website is a good opportunity for APT groups, since visitors are likely to place a high level of trust in a state organization responsible for digital signatures.
As can be seen in Figure 1, these programs appear to be used by both Party and State organizations.
According to ESET telemetry, ca.gov.vn was compromised from at least 23 July to 16 August 2020. Two of the installers available for download, gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet, or SManager, which was recently analyzed by NTT Security. We were able to confirm that these installers were downloaded from ca.gov.vn over HTTPS, so we think a man-in-the-middle attack is unlikely. The URLs delivering the malicious installers were:
- https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3.msi
- https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3.msi
This is also confirmed by data from VirusTotal as shown in Figure 2.
The trojanized installers are not properly signed, but we noticed that the clean GCA installers are also improperly signed (the item's digital signature cannot be verified). Both the official and the trojanized MSIs use a certificate issued to the company Safenet.
Figure 3 is a summary of the supply-chain attack. In order to be compromised, a user had to manually download and execute the setup program from the official website.
Once downloaded and executed, the installer starts both the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe. By also installing the legitimate program, the attackers ensure that end users will not easily notice the compromise.
This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab, which contains the backdoor.
If the dropper is running as an administrator, the backdoor is written to C:\Windows\apppatch\netapi32.dll and, for persistence, the dropper registers the malicious DLL as a service.
If it is run as a regular user, the backdoor is written to %TEMP%\Wmedia
The backdoor is named Smanager_ssl.DLL by its developers, but we use PhantomNet, as that was the project name used in an older version of this backdoor. This latest version was compiled on 26 April 2020, almost two months before the supply-chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately we have not identified the delivery mechanism in those cases.
This backdoor is fairly simple and most of the malicious capabilities seem to be implemented through additional plugins. It can retrieve and use the victim's proxy configuration to reach the command and control (C&C) server. This suggests that the targets are likely to be working in a corporate network.
PhantomNet uses HTTPS to communicate with its hard-coded C&C servers: vgca.homeunix[.]org and oifis365.blogdns[.]com. To prevent a man-in-the-middle attack, PhantomNet implements certificate pinning using functions from the SSPI library. The certificate is downloaded during the first connection to the C&C server and then stored in the Windows certificate store.
In addition to the use of dynamic DNS providers, it is interesting to note that the name of the first subdomain, vgca, was chosen to mimic the name of the Vietnam Government Certification Authority.
The implant can be controlled by the attackers using these five commands:
| Command | Description |
|---|---|
| 0x00110020 | Obtain victim information (computer name, hostname, username, OS version, user privileges (admin or not), and the public IP address by querying ipinfo.io). |
| 0x00110030 | Call the DeletePluginObject export of all installed plugins. |
| 0x00110040 | Plugin management (install, uninstall, update). The plugins have the following exports (including the typo in the first one): GetPluginInfomation, GetRegisterCode, GetPluginObject, DeletePluginObject. |
| 0x00110070 | Set a specific field value in the main backdoor structure. |
| 0x547CBA78 | Create and set a credential using SSPI functions. The final purpose is unknown. |
On VirusTotal, we found one plugin that matches the above exports. It is a debug build and is named SnowballS according to its PDB and other debug paths:
- E:\WorkCode\AD_Attacker\Server\EXE_DEBUG\SnowballS.pdb
- e:\workcode\ad_attacker\server\plugins\plugins\snowballs\cdomainquery.cpp
An initial, cursory analysis suggests that this tool could be used for lateral movement, as it embeds Invoke-Mimikatz. It can also collect information about the victim's machine and user accounts. This indicates that PhantomNet can receive additional, complex plugins that are likely to be used only on machines of particular interest to the malware operators.
Regarding the attack in Vietnam, we were unable to recover data on post-compromise activity, so we do not have visibility into the attackers' final goal.
With the Able Desktop compromise, the attack on WIZVERA VeraPort by Lazarus and the recent supply-chain attack on SolarWinds Orion, we see that supply-chain attacks are a quite common compromise vector for cyberespionage groups. In this particular case, they compromised the website of a Vietnamese certificate authority, in which users are likely to place a high level of trust.
Supply-chain attacks are usually hard to find, because the malicious code is hidden among a lot of legitimate code.
For any questions, please contact us at [email protected] Indicators of Compromise can be found in our GitHub repository.
| SHA-1 | ESET detection name | Description |
|---|---|---|
| 5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi) |
| B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi) |
| 9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper |
| 989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet |
| 5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin |
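As an added defender-side example (not ESET's or the VGCA's code), the following PowerShell triage script hashes the drop locations and installers named above against the IoC table, reports their Authenticode status (both clean and trojanized MSIs are improperly signed, so a non-Valid status alone is not conclusive), and looks for the two persistence mechanisms described: a service loading the apppatch copy of netapi32.dll in the admin case, and a scheduled task pointing into %TEMP%\Wmedia otherwise. It assumes an elevated session on the host being checked; $InstallerDir is a hypothetical folder holding downloaded gca01-client MSI files, and %TEMP% is resolved for the current user, so run it as the user who executed the installer.

```powershell
# Added triage example for the GCA01 supply-chain compromise; not ESET's or VGCA's code.
# Assumes an elevated PowerShell session. $InstallerDir is a hypothetical download folder.
param([string]$InstallerDir = "$env:USERPROFILE\Downloads")

# SHA-1 values from the IoC table above.
$IocHashes = @{
    '5C77A18880CF58DF9FBA102DD8267C3F369DF449' = 'Trojanized installer (x64)'
    'B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A' = 'Trojanized installer (x32)'
    '9522F369AC109B03E6C16511D49D1C5B42E12A44' = 'PhantomNet dropper'
    '989334094EC5BA8E0E8F2238CDF34D5C57C283F2' = 'PhantomNet backdoor'
    '5DFC07BB6034B4FDA217D96441FB86F5D43B6C62' = 'PhantomNet plugin'
}

# Drop locations named in the analysis, plus any gca01-client MSI in the download folder.
$Candidates = @(
    'C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe',
    'C:\Windows\apppatch\netapi32.dll',
    (Join-Path $env:TEMP 'Wmedia')      # %TEMP% of the current user (non-admin drop path)
) + @(Get-ChildItem -Path $InstallerDir -Filter 'gca01-client-*.msi' -ErrorAction SilentlyContinue).FullName

function Get-GcaArtifact {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not $p -or -not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA1      = $hash
                KnownIoc  = $IocHashes[$hash]    # $null when the hash is not in the IoC table
                SigStatus = $sig.Status          # 'Valid' only for a properly signed file
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Persistence, admin case: a service whose ServiceDll is the apppatch copy of netapi32.dll.
$SvcHits = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {
    $dll = (Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $dll -match 'apppatch\\netapi32\.dll$'
} | Select-Object -ExpandProperty PSChildName
# Persistence, non-admin case: a scheduled task whose action references the Wmedia folder.
$TaskHits = Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'Wmedia'
} | Select-Object -ExpandProperty TaskName

Get-GcaArtifact -Paths $Candidates | Format-Table -AutoSize
"Services loading apppatch\netapi32.dll: $($SvcHits -join ', ')"
"Scheduled tasks referencing Wmedia: $($TaskHits -join ', ')"
```

A hit on a KnownIoc value or on either persistence check warrants isolating the host; an empty result does not rule out a later plugin or variant that the IoC table does not cover.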
MITRE ATT&CK
Note: This table was built using version 8 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Attackers modified the GCA01 software installer hosted on ca.gov.vn and backdoored the MSI installer. |
| Execution | T1204.002 | User Execution: Malicious File | The victim has to execute the trojanized installer manually. |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | If the user does not have administrative privileges, PhantomNet persists via a scheduled task. |
| | T1543.003 | Create or Modify System Process: Windows Service | If the user has administrative privileges, PhantomNet persists as a Windows service. |
| Discovery | T1033 | System Owner/User Discovery | PhantomNet implements a function to retrieve the username. |
| | T1082 | System Information Discovery | PhantomNet implements a function to retrieve the OS version. |
| Command and Control | T1090.001 | Proxy: Internal Proxy | PhantomNet can retrieve the default browser proxy configuration and use it to connect to the C&C server. |
| | T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet uses HTTPS. |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PhantomNet can add a certificate to the Windows certificate store and use it to pin the certificate for its HTTPS communication. |