
Advanced threat actors engaged in cyberespionage up their game

Advanced threat actors engaged in cyberespionage in the Asia Pacific have upped their game in a new campaign, according to Kaspersky.

In June 2020, Kaspersky researchers uncovered an advanced cyberespionage campaign targeting entities in the government and military sector in Vietnam. The final payload is a remote administration tool that provides full control over the infected device. 

Further analysis suggested that this campaign was conducted by a group related to Cycldek, a Chinese-speaking threat group active since at least 2013, and it represents a major step up in terms of sophistication. 

Chinese-speaking threat actors often share their techniques and methodologies with each other, which makes it easier for Kaspersky researchers to hunt for advanced persistent threat (APT) activity related to such well-known cyberespionage groups as LuckyMouse, HoneyMyte, and Cycldek. 

That’s why, when Kaspersky’s researchers saw one of these groups’ best-known tactics, the “DLL side-loading triad”, used against government and military entities in Vietnam, they immediately took notice.

DLLs (dynamic-link libraries) are code modules that other programs on a computer load at run time. In DLL side-loading, a legitimate, digitally signed executable (such as a Microsoft Outlook component) is placed next to a malicious DLL that carries the name of a library the program expects to load. Because Windows searches the application’s own directory before the system directories, the signed program loads the attacker’s DLL, and security products that trust the signed parent process tend to let it run. The “triad” is the signed executable, the malicious loader DLL and an encrypted payload file it reads. In this recently discovered campaign, the side-loaded DLL executes shellcode that decrypts the final payload: a remote access Trojan Kaspersky named FoundCore, which gives the attackers full control over the infected device.
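The side-loading pattern described above leaves a recognisable trace in image-load telemetry: a signed executable loading an unsigned DLL from its own directory. The following Python is an added detection example, not code from the article or from Kaspersky. It scores constructed Sysmon Event ID 7 (ImageLoad) records; the field names follow Sysmon, but the `ImageSigned` and `ImageSignature` fields are assumed to have been joined in from the matching ProcessCreate (Event ID 1) record, since ImageLoad only carries the signature of the loaded DLL. The list of commonly shadowed DLL names is a short illustrative set, and the sample events are constructed, not from the campaign.

```python
"""Score Sysmon ImageLoad records for the DLL side-loading pattern.

Added example; the records below are constructed for illustration and the
ImageSigned/ImageSignature fields are assumed to be joined from Event ID 1.
Sysmon emits Signed as the strings "true"/"false"; the constructed records
use booleans for brevity.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Directories an ordinary user can write to: a signed binary running from
# here beside an unsigned DLL is the classic side-loading staging layout.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "c:\\programdata\\", "c:\\users\\public\\")
# Illustrative (not exhaustive) names of System32 libraries that attackers
# frequently shadow with a copy placed next to the executable.
COMMONLY_SHADOWED = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                     "userenv.dll", "cryptsp.dll"}


def _dir_of(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def score_image_load(ev):
    """Return (score, reasons) for one ImageLoad record; 0 means ignore."""
    dll = PureWindowsPath(ev["ImageLoaded"])
    exe_dir, dll_dir = _dir_of(ev["Image"]), _dir_of(ev["ImageLoaded"])
    dll_trusted = ev["Signed"] and ev.get("SignatureStatus", "Valid") == "Valid"
    if dll_trusted:
        return 0, []                       # a validly signed DLL is not this pattern
    if dll_dir != exe_dir or any(dll_dir.startswith(s) for s in SYSTEM_DIRS):
        return 0, []                       # not loaded from the exe's own non-system directory
    score, reasons = 1, ["unsigned DLL loaded from the executable's own directory"]
    if ev.get("ImageSigned"):
        score += 2
        reasons.append("host executable is signed (%s)" % ev.get("ImageSignature", "unknown signer"))
    if any(m in dll_dir + "\\" for m in USER_WRITABLE_MARKERS):
        score += 2
        reasons.append("directory is user-writable")
    if dll.name.lower() in COMMONLY_SHADOWED:
        score += 2
        reasons.append("DLL name shadows a System32 library")
    return score, reasons


def find_sideload_candidates(events, threshold=4):
    """Return the records scoring at or above threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # staged side-load: signed binary dropped into AppData beside an unsigned version.dll
        "EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Update\Update.exe",
        "ImageSigned": True, "ImageSignature": "Example Software Vendor",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Update\version.dll",
        "Signed": False, "SignatureStatus": "Unavailable",
    },
    {   # normal: the same binary resolving version.dll from System32
        "EventID": 7, "Image": r"C:\Program Files\Example\Update.exe",
        "ImageSigned": True, "ImageSignature": "Example Software Vendor",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": True, "SignatureStatus": "Valid",
    },
    {   # unsigned plugin next to a signed app in Program Files: noted, below threshold
        "EventID": 7, "Image": r"C:\Program Files\Example\Update.exe",
        "ImageSigned": True, "ImageSignature": "Example Software Vendor",
        "ImageLoaded": r"C:\Program Files\Example\plugin.dll",
        "Signed": False, "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit["score"], hit["ImageLoaded"], "|", "; ".join(hit["reasons"]))
```

The threshold is deliberately above "signed executable loads unsigned DLL from its own directory", because unsigned vendor plugins in Program Files produce exactly that on many estates; the user-writable-directory and shadowed-name signals are what separate a staged triad from ordinary software, and both should be tuned against local baselines.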

More interesting, however, was the method used to protect the malicious code from analysis, a method that signals a major advance in sophistication for attackers in this region. The PE headers of the final payload, the metadata that tells Windows and analysis tools where the entry point, sections and imports are, were almost entirely stripped, and the few fields that survived held incoherent values.

In doing this, the attackers make it significantly more difficult for researchers to reverse engineer the malware: a dump with no valid headers cannot simply be loaded into a disassembler, and its structure has to be reconstructed by hand. What’s more, the components of the infection chain are tightly coupled, meaning individual pieces are difficult, and sometimes impossible, to analyse in isolation, which prevents a full picture of the malicious activity.
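The header stripping described above is the first thing a triage script runs into. The following Python is an added illustration, not code from the article or from Kaspersky: it checks the DOS, COFF, optional and section headers of a dumped payload for the kind of missing signatures and incoherent values the text mentions, so that such a sample is flagged before a PE parser or disassembler chokes on it. Both inputs are constructed in the file (a minimal header-only PE32+ image, and a copy with the MZ signature removed and key fields garbled); they are not FoundCore samples, and the plausibility limits are ordinary triage heuristics, not values taken from the report.

```python
"""Sanity-check PE headers of a dumped payload; added example, standard library only."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def _pow2(n):
    return n > 0 and n & (n - 1) == 0


def check_pe_headers(data):
    """Return a list of findings about the PE headers in data; [] means coherent."""
    f, n = [], len(data)
    if n < 0x40:
        return ["shorter than a DOS header"]
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        f.append("DOS header: no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > n:
        f.append("DOS header: e_lfanew 0x%x points outside the file" % e_lfanew)
        return f                                     # nothing beyond this can be trusted
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        f.append("NT headers: no PE\\0\\0 signature at e_lfanew")
        return f
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        f.append("COFF header: unknown Machine 0x%04x" % machine)
    if not 1 <= nsec <= 96:
        f.append("COFF header: implausible NumberOfSections=%d" % nsec)
    opt = e_lfanew + 24
    if opt_size < 64 or opt + opt_size > n:           # real headers are 224 (PE32) / 240 (PE32+) bytes
        f.append("COFF header: SizeOfOptionalHeader=%d, optional header missing or truncated" % opt_size)
        return f
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        f.append("optional header: Magic 0x%x is neither PE32 nor PE32+" % magic)
    # These field offsets are identical for PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    if size_of_image == 0:
        f.append("optional header: SizeOfImage is 0")
    if not (_pow2(sec_align) and _pow2(file_align) and file_align <= sec_align):
        f.append("optional header: alignments 0x%x/0x%x are not sane" % (sec_align, file_align))
    if entry == 0 or entry >= size_of_image:
        f.append("optional header: AddressOfEntryPoint 0x%x lies outside the image" % entry)
    if size_of_headers == 0 or size_of_headers > n:
        f.append("optional header: SizeOfHeaders 0x%x impossible for a %d-byte file" % (size_of_headers, n))
    sec = opt + opt_size
    for i in range(nsec):                              # 40-byte IMAGE_SECTION_HEADER entries
        off = sec + 40 * i
        if off + 40 > n:
            f.append("section table: entry %d runs past end of file" % i)
            break
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if va + vsize > size_of_image:
            f.append("section %s: virtual range exceeds SizeOfImage" % name)
        if raw_ptr + raw_size > n:
            f.append("section %s: raw data lies past end of file" % name)
    return f


def build_sample(variant="clean"):
    """Construct a header-only PE32+ image (not real malware). variant="stripped"
    removes the MZ signature and garbles the surviving fields, as the article describes."""
    nt = 0x80                                          # e_lfanew
    hdr = bytearray(nt)
    struct.pack_into("<H", hdr, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", hdr, 0x3C, nt)
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x400)    # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(hdr + coff + opt + sect)
    image += b"\0" * (0x600 - len(image))              # pad through the .text raw data
    if variant == "stripped":
        image[0:2] = b"\0\0"                                   # MZ gone
        struct.pack_into("<H", image, nt + 6, 0)               # NumberOfSections = 0
        struct.pack_into("<I", image, nt + 24 + 16, 0xDEADBEEF)  # nonsense entry point
        struct.pack_into("<II", image, nt + 24 + 32, 0, 0)     # zero alignments
        struct.pack_into("<I", image, nt + 24 + 56, 0)         # SizeOfImage = 0
    return bytes(image)


if __name__ == "__main__":
    for v in ("clean", "stripped"):
        print(v, check_pe_headers(build_sample(v)) or "headers coherent")
```

When a dump fails these checks, the useful next step is not to repair the headers blindly but to recover the layout from the loader that consumed them, which in a tightly coupled chain like this one means analysing the shellcode and the payload together.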

Kaspersky researchers also discovered that this infection chain downloads two additional malware components. The first, DropPhone, collects environment information from the victim machine and sends it to Dropbox. The second, CoreLoader, runs code that helps the malware evade detection by security products.

Dozens of computers were affected by this campaign, 80% of them in Vietnam. Most belonged to the government or military sector; other targets were related to health, diplomacy, education or politics. There were also occasional targets in Central Asia and Thailand.

“Based on the similarities of the dropped malware with the RedCore malware we discovered last year, we attribute this campaign with low confidence to Cycldek, which, until now, we have considered a less sophisticated Chinese-speaking actor conducting cyberespionage campaigns in this region,” says Ivan Kwiatkowski, senior security researcher with Kaspersky’s Global Research and Analysis Team.

“However, this recent activity signals a major leap in their abilities,” he says.

“In general, over the past year, we’ve noticed that many of these Chinese-speaking groups are investing more resources into their campaigns and honing their technical capabilities,” Kwiatkowski explains.

Mark Lechtik, senior security researcher at Kaspersky’s Global Research and Analysis Team, adds, “Here, they’ve added many more layers of obfuscation and significantly complicated reverse engineering. And this signals that these groups may be looking to expand their activities.

“Right now, it may seem as if this campaign is more of a local threat, but it’s highly likely the FoundCore backdoor will be found in more countries in different regions in the future,” he says.

Pierre Delcher, senior security researcher, says, “What’s more, given that these Chinese-speaking groups tend to share their tactics with one another, we wouldn’t be surprised to find these same obfuscation tactics in other campaigns. 

“We’ll be monitoring the threat landscape for similar suspicious activity closely. For companies, the best thing they can do is keep their company up-to-date with the latest threat intelligence, so they know what to be on the lookout for.”
