Just a few weeks after the supply-chain attack on the Able Desktop software, another similar attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.
ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.
Supply-chain attack in Vietnam
In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures. According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.
In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures.
As shown in Figure 1, it seems that these programs are deployed in the Party and State agencies.
According to ESET telemetry, ca.gov.vn was compromised from at least the 23rd of July to the 16th of August 2020. Two of the installers available for download, gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager and recently analyzed by NTT Security. We were able to confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so we believe it is unlikely to be a man-in-the-middle attack. The URLs pointing to malicious installers were:
- https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3.msi
- https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3.msi
This is also confirmed by data from VirusTotal as shown in Figure 2.
The trojanized installers are not properly signed, but we noticed that clean GCA installers are also incorrectly signed (The digital signature of the object did not verify). Both the official and trojanized MSIs use a certificate assigned to the Safenet company.
Figure 3 is a summary of the supply-chain attack. To be compromised, a user would have to manually download and execute the compromised software hosted on the official website.
Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by the end-users.
This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab and that contains the backdoor.
If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and for the persistence, the dropper registers the malicious DLL as a service.
If run as a regular user, the backdoor is written to %TEMP%\Wmedia\<GetTickCount>.tmp and for the persistence, the dropper creates a scheduled task that calls the export Entery of the malicious DLL. It’s interesting to note that the Entery export was also seen in versions of TManger used by TA428, as detailed by NTT Security.
PhantomNet
The backdoor was named Smanager_ssl.DLL by its developers but we use PhantomNet, as that was the project name used in an older version of this backdoor. This most recent version was compiled on the 26th of April 2020, almost two months before the supply-chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately we did not uncover the delivery mechanism in those cases.
This backdoor is quite simple and most of the malicious capabilities are likely deployed through additional plugins. It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server. This shows that the targets are likely to be working in a corporate network.
PhantomNet uses the HTTPS protocol to communicate with its hardcoded C&C servers: vgca.homeunix[.]org and office365.blogdns[.]com. In order to prevent a man-in-the-middle attack, PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store.
In addition to the use of dynamic DNS providers, it is interesting to note that the name of the first subdomain, vgca, was chosen in order to mimic the name of the Vietnam Government Certification Authority.
The implant can be controlled by the attackers using these five commands:
Command ID
Description
0x00110020
Get victim information (computer name, hostname, username, OS version, user privileges (admin or not), and the public IP address by querying ipinfo.io).
0x00110030
Call the export DeletePluginObject of all installed plugins.
0x00110040
Plugin management (install, remove, update). The plugins have the following exports (including the typo in the first one): GetPluginInfomation, GetRegisterCode, GetPluginObject, DeletePluginObject.
0x00110070
Set a value of a given field in the main structure of the backdoor.
0x547CBA78
Generate and set a password using the SSPI functions. The final purpose is unknown.
On VirusTotal, we found one plugin that matches the exports above. It is a debug build and is named SnowballS according to its PDB path and other debug paths:
- E:\WorkCode\AD_Attacker\Server\EXE_DEBUG\SnowballS.pdb
- e:\workcode\ad_attacker\server\plugins\plugins\snowballs\cdomainquery.cpp
An initial, cursory analysis suggests that this tool might be used for lateral movement, as it embeds Invoke-Mimikatz. It can also collect information about the victim machine and user accounts. This shows that PhantomNet can receive additional and complex plugins that are probably only deployed on machines of particular interest to the malware operators.
In the case of the attack in Vietnam, we were not able to recover data about post-compromise activity and thus we don’t have visibility into the end goal of the attackers.
Conclusion
With the compromise of Able Desktop, the attack on WIZVERA VeraPort by Lazarus and the recent supply-chain attack on SolarWinds Orion, we see that supply-chain attacks are a quite common compromise vector for cyberespionage groups. In this specific case, they compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.
Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult.
For any inquiries, contact us as threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.
IoCs
Files
SHA-1 | ESET detection name | Description |
---|---|---|
5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi) |
B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi) |
9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper |
989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet |
5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin |
C&C servers
office365.blogdns[.]com
vgca.homeunix[.]org
MITRE ATT&CK
Note: This table was built using version 8 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Attackers modified the installer of the GCA01 software that is hosted on ca.gov.vn and added a backdoor to the MSI installer. |
Execution | T1204.002 | User Execution: Malicious File | The victim needs to manually execute the trojanized installer. |
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | If the user doesn’t have admin privileges, PhantomNet persists via a scheduled task. |
T1543.003 | Create or Modify System Process: Windows Service | If the user has admin privileges, PhantomNet persists via a Windows service. | |
Discovery | T1033 | System Owner/User Discovery | PhantomNet implements a function to retrieve the username. |
T1082 | System Information Discovery | PhantomNet implements a function to retrieve the OS version. | |
Command and Control | T1090.001 | Proxy: Internal Proxy | PhantomNet can retrieve the proxy configuration of the default browser and use it to connect to the C&C server. |
T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet uses HTTPS. | |
T1573.002 | Encrypted Channel: Asymmetric Cryptography | PhantomNet can add a certificate to the Windows store and use it for certificate pinning for its HTTPS communications. |