A cyber attack largely targeting Vietnamese recipients has indicated that Chinese-speaking threat actors could potentially be expanding the scope of their cyber espionage campaigns.
This is according to cyber security vendor Kaspersky, which claimed the trend was highlighted in a cyber campaign in June 2020, where a group related to the Chinese-speaking threat actor Cycldek allegedly went after Vietnam’s government and military sectors, as well as other targets in Central Asia and Thailand.
The cyber security vendor reckons that the attack, which allowed the threat actor to gain full control over infected devices, indicated that the group could be looking to expand its capabilities in the Asia Pacific region, as well as share the knowledge behind those capabilities with other groups.
According to Kaspersky, the attack worked through the side-loading of DLL (dynamic-link libraries) — bits of code used by programs — resulting in legitimately signed files loading a malicious DLL and giving attackers the means to circumnavigate security measures.
“In this recently discovered campaign, the DLL side-loading infection chain executes a shellcode that decrypts the final payload: a remote access Trojan Kaspersky named FoundCore that gives the attackers full control over the infected device,” Kaspersky claimed.
The sophistication of the attack came through how the malicious code was protected from analysis — the stripping of the headers, or the destination and source for the code, from the final payload.
“In doing this, the attackers make it significantly more difficult for researchers to reverse engineer the malware for analysis," Kaspersky noted. “What’s more, the components of the infection chain are tightly coupled, meaning single pieces are difficult — sometimes impossible — to analyse in isolation, preventing a full picture of malicious activity.”
In addition, the infection chain also downloaded two types of malware — DropPhone, which sends environment information from the victim machine to DropBox, and CoreLoader, which runs code to avoid being detected by security measures.
Up until this attack, Cycledek was considered by Kaspersky to be a “less-sophisticated Chinese-speaking actor”, according to Ivan Kwiatkowski, senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT). “However, this recent activity signals a major leap in their abilities,” he said.
According to Mark Lechtik, senior security researcher at GReAT, this one attack is indicative of a larger trend in the region, with many Chinese-speaking groups developing their resources and technical capabilities.
“They’ve added many more layers of obfuscation and significantly complicated reverse engineering. And this signals that these groups may be looking to expand their activities," he said. “Right now, it may seem as if this campaign is more of a local threat, but it’s highly likely the FoundCore backdoor will be found in more countries in different regions in the future."
Additionally, Chinese-speaking groups have previously shared tactics, and GReAT senior security researcher Pierre added he would not be surprised to see similar obfuscation tactics in other campaigns.