Over the last few weeks, we collaborated with ClearSky and uncovered several indicators that were researched and found to be related to a new hacking campaign targeting large Vietnamese organisations. This campaign was found to be connected to the same party which previously targeted Vietnam Airlines and some other high profile targets possibly led by the Chinese 1937CN group. In this post we will review the research results of Votiro Labs and ClearSky, the weaponized documents and campaign infrastructure.
On the 10th and 3rd of August 2017 two malicious documents exploiting CVE-2012-0158 were submitted to Virus Total:
- “2017_08_03_Thông báo tổ chức thi đấu môn Tennis và bóng bàn giải CĐTTTT.doc” (58c4d4e0aaefe4c5493243c877bbbe74) .
- “517_CV-DU 10.8 sao gui CV 950-CV-BTCTW 18.5 sao gửi văn bản xác định tương đương trình độ cao cấp lý luận chính trị.doc” (b147314203f74fdda266805cf6f84876).
When opened, the documents drops Goopdate.dll (c3e9c9e99ed1b1116aaa9f93a36824ff). The samples communicate to dalat.dulichovietnam[.]net on port 53. This communication pattern is detected by a Snort rule by Emerging Threat as Win32/Upgilf…Click HERE to read full research.