Operation SignSight: Supply chain attack against certification authority in Southeast Asia

ESET researchers have discovered a supply chain attack on a government website in Southeast Asia.

Just weeks after the supply chain attack on Able Desktop software, a similar attack took place on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and backdoored them in order to compromise users of the legitimate application.

ESET researchers discovered this new supply chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe the website had stopped delivering compromised software installers by the end of August 2020, and ESET telemetry does not indicate that the compromised installers were distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before we contacted them and that they had notified the users who downloaded the trojanized software.

Supply chain attack in Vietnam

In Vietnam, digital signatures are very common, as digitally signed documents have the same level of enforceability as their “wet” signature counterparts. Under Decree No. 130/2018, the cryptographic certificates used to sign documents must be issued by one of the authorized certificate providers, which include the VGCA, part of the Government Cipher Committee. That committee, in turn, comes under the Ministry of Information and Communications.

In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certificate authority website is a good opportunity for APT groups, since visitors are likely to place a high level of trust in a state organization responsible for digital signatures.

As can be seen in Figure 1, these programs appear to be in use by both Party and State organizations.

Figure 1. Screenshot of ca.gov.vn

According to ESET telemetry, ca.gov.vn was compromised from at least the 23rd of July to the 16th of August 2020. Two of the installers available for download, gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager, which was recently analyzed by NTT Security. We were able to confirm that these installers were downloaded from ca.gov.vn over HTTPS, so we consider a man-in-the-middle attack unlikely. The URLs used to distribute the malicious installers were:

  • https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3.msi
  • https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3.msi

This is also confirmed by data from VirusTotal as shown in Figure 2.

Figure 2. Screenshot of VirusTotal. It shows the URL where the trojanized installer was downloaded.

The trojanized installers are not properly signed, but we noticed that the clean GCA installers are also improperly signed (the object's digital signature did not verify). Both the official and the trojanized MSI files use a certificate issued to the SafeNet company.

Figure 3 summarizes the supply chain attack. To be compromised, a user had to manually download and execute the installer from the official website.

Figure 3. Simplified scheme of the supply chain attack.

Once downloaded and executed, the installer starts the genuine GCA program as well as the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe. By also installing the legitimate program, the attackers ensure that end users do not easily notice the compromise.

This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab, which contains the backdoor.

If the dropper runs as an administrator, the backdoor is written to C:\Windows\apppatch\netapi32.dll and, for persistence, the dropper registers the malicious DLL as a service.

If it runs as a regular user, the backdoor is written to %TEMP%\Wmedia\ .tmp and, for persistence, the dropper creates a scheduled task that calls the Entery export of the malicious DLL. It is interesting to note that the Entery export was also seen in versions of TManger used by TA428, as documented by NTT Security.

PhantomNet

The backdoor was named Smanager_ssl.DLL by its developers, but we use the name PhantomNet, as that was the project name used in an older version of this backdoor. This latest version was compiled on the 26th of April 2020, almost two months before the supply chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately we were not able to identify the delivery mechanism in those cases.

This backdoor is fairly simple, and most of its malicious capabilities appear to be implemented through additional plugins. It can retrieve and use the victim’s proxy configuration to reach the command and control (C&C) server, which suggests that the targets are likely to be working in a corporate network.

PhantomNet uses HTTPS to communicate with its hard-coded C&C servers: vgca.homeunix[.]org and oifis365.blogdns[.]com. To prevent man-in-the-middle attacks, PhantomNet implements certificate pinning using functions from the SSPI library. The certificate is downloaded during the first connection to the C&C server and is then stored in the Windows certificate store.

In addition to the use of dynamic DNS providers, it is interesting to note that the first subdomain, vgca, was chosen to mimic the name of the Vietnam Government Certification Authority.
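The host indicators from the dropper section (the dropped eToken.exe and netapi32.dll files, the %TEMP%\Wmedia\ staging directory, the service and the scheduled task calling the Entery export) and the two C&C domains above, turned into a small detection pass over log lines. This is an added example, not ESET's code: the key=value event format, the sample hostnames and the use of rundll32 to invoke the export are assumptions made for the example.

```python
import re

# Indicators from the Operation SignSight write-up (dropped paths, DLL export,
# C&C domains). The "key=value" event format is constructed for this example;
# it is neither ESET's data nor any real EDR's log format.
DROPPED_PATHS = {r"c:\program files\vgca\authentication\sac\x32\etoken.exe",
                 r"c:\windows\apppatch\netapi32.dll"}
C2_DOMAINS = {"vgca.homeunix.org", "oifis365.blogdns.com"}
MALICIOUS_EXPORT = "Entery"

def parse_event(line):
    """Turn one 'k=v k="quoted v"' line into a dict of unquoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(ev):
    """List the SignSight indicators one event matches (empty list if none)."""
    hits, kind, path = [], ev.get("type"), ev.get("path", "").lower()
    if kind == "file_create" and path in DROPPED_PATHS:
        hits.append("dropped file " + path)
    # Non-admin case: the article gives only the %TEMP%\Wmedia\ directory and .tmp suffix
    if kind == "file_create" and "\\wmedia\\" in path and path.endswith(".tmp"):
        hits.append("backdoor staged under Wmedia: " + path)
    if kind == "task_create" and MALICIOUS_EXPORT in ev.get("cmdline", ""):
        hits.append("scheduled task invokes the Entery export")
    if kind == "service_create" and "apppatch\\netapi32.dll" in ev.get("binpath", "").lower():
        hits.append("service registered for apppatch\\netapi32.dll")
    if kind == "dns_query" and ev.get("query", "").lower() in C2_DOMAINS:
        hits.append("PhantomNet C&C lookup " + ev["query"])
    return hits

def scan(lines):
    """Return (timestamp, host, indicator) rows for every match in the log."""
    return [(ev.get("ts", ""), ev.get("host", ""), h)
            for ev in map(parse_event, lines) for h in classify(ev)]

# Constructed sample log: an admin-style chain on WS01, a user-style chain on WS03, benign noise on WS02.
# Calling the export through rundll32 is an assumption; the article does not say how the task invokes it.
SAMPLE_LOG = r'''
ts=2020-08-03T09:12:01 host=WS01 type=file_create path="C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe"
ts=2020-08-03T09:12:02 host=WS01 type=file_create path="C:\Windows\apppatch\netapi32.dll"
ts=2020-08-03T09:12:03 host=WS01 type=service_create binpath="C:\Windows\apppatch\netapi32.dll"
ts=2020-08-03T09:12:04 host=WS01 type=dns_query query=vgca.homeunix.org
ts=2020-08-03T09:12:05 host=WS02 type=dns_query query=www.example.com
ts=2020-08-03T09:12:06 host=WS03 type=file_create path="C:\Users\a\AppData\Local\Temp\Wmedia\ab12.tmp"
ts=2020-08-03T09:12:07 host=WS03 type=task_create cmdline="rundll32.exe C:\Users\a\AppData\Local\Temp\Wmedia\ab12.tmp,Entery"
'''.strip().splitlines()
```

Running scan(SAMPLE_LOG) yields six rows, four for WS01 and two for WS03, and nothing for the benign lookup on WS02.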

The implant can be controlled by the attackers using these five commands:

| Command ID | Description |
|---|---|
| 0x00110020 | Collect victim information (computer name, hostname, username, OS version, user privileges (admin or not), and the public IP address by querying ipinfo.io). |
| 0x00110030 | Call the DeletePluginObject export of all installed plugins. |
| 0x00110040 | Plugin management (install, uninstall, update). The plugins have the following exports (including the typo in the first one): GetPluginInfomation, GetRegisterCode, GetPluginObject, DeletePluginObject. |
| 0x00110070 | Set a specific field value in the main backdoor structure. |
| 0x547CBA78 | Create and set a credential using SSPI functions. The final purpose is unknown. |


On VirusTotal, we found one plugin that matches the above exports. It is a debug build and is named SnowballS according to its PDB and other debug paths:

  • E:\WorkCode\AD_Attacker\Server\EXE_DEBUG\SnowballS.pdb
  • e:\workcode\ad_attacker\server\plugins\plugins\snowballs\cdomainquery.cpp

An initial, cursory analysis suggests that this tool could be used for lateral movement, as it embeds Invoke-Mimikatz. It can also collect information about the victim machine and user accounts. This suggests that PhantomNet receives additional, more complex plugins that are likely deployed only on machines of particular interest to the malware operators.

Regarding the attack in Vietnam, we were unable to recover data on post-compromise activity, so we have no visibility into the attackers' final objective.

Conclusion

With the Able Desktop compromise, the attack on WIZVERA VeraPort by Lazarus and the recent supply chain attack on SolarWinds Orion, we see that supply chain attacks are a quite common compromise vector for cyberespionage groups. In this particular case, they compromised the website of the Vietnamese certification authority, in which users are likely to have a high level of trust.

Supply chain attacks are usually hard to detect, because the malicious code is generally hidden among a lot of legitimate code, making its discovery much harder.

For any inquiries, please contact us at [email protected]. Indicators of Compromise can be found in our GitHub repository.

Files

| SHA-1 | ESET detection name | Description |
|---|---|---|
| 5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi) |
| B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi) |
| 9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper |
| 989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet |
| 5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin |

C&C servers
oifis365.blogdns[.]com
vgca.homeunix[.]org

MITRE ATT&CK

Note: This table was built using version 8 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Attackers modified the GCA01 software installer hosted on ca.gov.vn and backdoored the MSI installer. |
| Execution | T1204.002 | User Execution: Malicious File | The victim has to execute the trojanized installer manually. |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | If the user does not have administrative privileges, PhantomNet persists through a scheduled task. |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | If the user has administrative privileges, PhantomNet persists as a Windows service. |
| Discovery | T1033 | System Owner/User Discovery | PhantomNet implements a function to retrieve the username. |
| Discovery | T1082 | System Information Discovery | PhantomNet implements a function to retrieve the OS version. |
| Command and Control | T1090.001 | Proxy: Internal Proxy | PhantomNet can retrieve the default browser proxy configuration and use it to connect to the C&C server. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet uses HTTPS. |
| Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PhantomNet can add a certificate to the Windows certificate store and use it to pin the certificate for its HTTPS communication. |
