
Cycldek’s espionage activities against the Vietnamese government

Researchers discovered an advanced cyber espionage campaign against Vietnamese government and military entities. The campaign delivered FoundCore, a remote access tool used to carry out espionage activities. The malware provides file system control, process control, screenshot capture, arbitrary command execution and other functions. Further analysis attributed the attack to the Cycldek group with a moderate degree of confidence.

The Cycldek group has been active since 2013 and is known for targeting the governments of Southeast Asian countries, with a preference for Vietnamese targets.

The attack took place between June 2020 and January 2021. According to telemetry data, dozens of organizations were affected. 80% of them are located in Vietnam and belong to government or military departments; the others are related to health, diplomacy, education or politics. In addition, some targets were found in Central Asia and Thailand.

The attacker uses the legitimate component FINDER.exe (Microsoft Outlook) to load the malicious library outlib.dll, which hijacks the expected execution flow of the program to decode and run shellcode stored in the binary file rdmin.src. Once decoded, the shellcode turns out to be a remote access tool named "FoundCore". The infection process is as follows:

[Figure: Cycldek infection chain]
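As an added illustration (not from the original report), the side-loading step above can be hunted for in endpoint telemetry: a known host binary loading a DLL with the expected name from somewhere other than its install directory, plus a generic rule for unsigned DLLs loaded from the process's own folder. It assumes Sysmon-style image-load records with Image, ImageLoaded and Signed fields; the sample records are constructed.

```python
import ntpath
from dataclasses import dataclass

# Constructed Sysmon-style image-load records (Event ID 7); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\FINDER.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\outlib.dll",
     "Signed": "true"},                       # genuine Outlook install: benign
    {"Image": r"C:\Users\Public\Libraries\FINDER.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\outlib.dll",
     "Signed": "false"},                      # copied host binary + planted DLL
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},                       # ordinary system load: benign
]

# Assumed trusted install roots; tune per environment.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Host/DLL pair taken from the infection chain described in the article.
KNOWN_SIDELOAD_PAIRS = {("finder.exe", "outlib.dll")}


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def is_trusted_path(path: str) -> bool:
    # Normalise so "c:\windows" and "c:\windows\foo.dll" both count as inside.
    p = path.lower().rstrip("\\") + "\\"
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def detect_sideload(events: list) -> list:
    findings = []
    for ev in events:
        proc, dll = ev["Image"], ev["ImageLoaded"]
        proc_dir, proc_name = ntpath.split(proc)
        dll_dir, dll_name = ntpath.split(dll)
        pair = (proc_name.lower(), dll_name.lower())
        if pair in KNOWN_SIDELOAD_PAIRS and not is_trusted_path(dll):
            findings.append(Finding(proc, dll, "known side-load pair outside trusted install path"))
        elif (ntpath.normcase(proc_dir) == ntpath.normcase(dll_dir)
              and not is_trusted_path(dll_dir)
              and ev.get("Signed", "false").lower() != "true"):
            findings.append(Finding(proc, dll, "unsigned DLL loaded from process directory outside trusted roots"))
    return findings
```

Only the second record fires: the same FINDER.exe/outlib.dll pair loaded from the real Office directory is left alone.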

According to the researchers, the attacker also delivered two other pieces of malware in the recent attack, called DropPhone and CoreLoader. The former collects environment information from the victim machine and sends it to Dropbox, and the latter runs code to evade detection by security products. The researchers also observed code overlap between CoreLoader, FoundCore and the RedCore Loader previously used by the Cycldek group, and the targets of this campaign were consistent with the group's known targeting. Therefore, the researchers attributed the attack to Cycldek with a moderate degree of confidence.

Conclusion

Whichever group planned this operation, it has shown a significant increase in sophistication. The tool chain used in the attack is deliberately split into a series of interdependent components that function as a whole. It is difficult (and sometimes impossible) to analyze individual components because they rely on code or data supplied by other stages of the infection chain.

IOCs