6 April 2021: In June 2020, Kaspersky researchers uncovered an advanced cyberespionage campaign targeting entities in the government and military sector in Vietnam. The final payload is a remote administration tool that provides full control over the infected device. Further analysis suggested that this campaign was conducted by a group related to Cycldek, a Chinese-speaking threat group active since at least 2013, and it represents a major step up in terms of sophistication.
Chinese-speaking threat actors often share their techniques and methodologies with each other, which makes it easier for Kaspersky researchers to hunt for advanced persistent threat (APT) activity related to such well-known cyberespionage groups as LuckyMouse, HoneyMyte, and Cycldek. That’s why, when they saw one of their most well-known tactics—“the DLL side-loading triad”—targeting government and military entities in Vietnam, they immediately took notice.
DLL, or dynamic-link libraries, are pieces of code meant to be used by other programs on a computer. In DLL side-loading, a legitimately signed file is tricked into loading a malicious DLL, allowing the attackers to bypass security products. In this recently discovered campaign, the DLL side-loading infection chain executes a shellcode that decrypts the final payload: a remote access Trojan Kaspersky named, “FoundCore” that gives the attackers full control over the infected device.
More interesting, however, was the method used to protect the malicious code from analysis—a method that signals a major advancement in sophistication for attackers in this region. The headers for the final payload were completely stripped away, and the few that remained contained incoherent values. In doing this, the attackers make it significantly more difficult for researchers to reverse engineer the malware for analysis. What’s more, the components of the infection chain are tightly coupled, meaning single pieces are difficult—sometimes impossible—to analyse in isolation, preventing a full picture of malicious activity.
Kaspersky researchers also discovered that this infection chain was downloading two additional malware. The first, DropPhone, collects environment information from the victim machine and sends it to DropBox. The second is CoreLoader, which runs code that helps the malware evade detection by security products.
Dozens of computers were affected by this campaign, with 80% of them based in Vietnam. Most belonged to the government or military sector, however, other targets were related to health, diplomacy, education or politics. There were also occasional targets in Central Asia and in Thailand.
“Based on the similarities of the dropped malware with the RedCore malware we discovered last year, we attribute this campaign with low confidence to Cycldek, which, until now, we have considered a less sophisticated Chinese-speaking actor conducting cyberespionage campaigns in this region. However, this recent activity signals a major leap in their abilities”, comments Ivan Kwiatkowski, senior security researcher with Kaspersky’ Global Research and Analysis Team.
Learn more about this Cycldek-related campaign on Securelist. Detailed information on Indicators of Compromise related to this group, including file hashes, can be accessed on the Kaspersky Threat Intelligence Portal.
To see the DE obfuscation of this Cycldek-related malware in action and learn how to reverse engineer like GReAT experts, you can join the Targeted Malware Reverse Engineering Workshop on April 8 at 17:00 MSK (18:00 UAE time). This webinar offers a sneak peek at Kaspersky’s brand new, self-study, intermediate-level reverse engineering training. Check out https://xtraining.kaspersky.com for more info.
To protect your company from advanced persistent threat campaigns such as these, Kaspersky expert recommend:
- Install anti-APT and EDR solutions, enabling threat discovery and detection, investigation and timely remediation of incidents capabilities. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.