New research: Docless Vietnam APT. A very interesting malware against Vietnam Government

Tuesday, April 16, 2019

We have detected a malware sent to some email accounts belonging to a Vietnam government domain. This email is written in Vietnamese and is dated March 13th, 2019. It seems to come from an account inside the organization (gov.vn), maybe someone sending it to a security operator, because of resulting suspicious. The attached file resulted in a very interesting infection system. It uses a combination of techniques never seen before, making us think about a very targeted campaign, using interesting resources to specifically infect Vietnam government.

The global view of the threat schema is the following:

Global view of the threat schema image

Although it may look typical, the schema hides some very smart techniques to avoid detection and fool the system. 


Docless DOC with three stages
Inside the ZIP there is no actual file. Instead, we can find a link file with .lnk extension that simulates a document icon. This has been used before by attackers, but it is not a very popular tool. The actual payload resides in the Target property of the link file, where the LNK points to. The target contains MS-DOS obfuscated code to compose itself.

The result (using a technique called "carving") will be a PS file, base64 encoded, saved in %TEMP% variable and named s.ps1. DOS obfuscation refers to a technique based in DOS commands (used for BAT programming) that obfuscates itself using loops, environment variables and composing names taking substrings from filenames, directories, etc.

This PowerShell, once executed, will create and run another PowerShell file, that will reside only in memory and that, again, will run a WScript Shell. The Script will create again other three files:

1. A decoy DOC file, making the victim think that an actual doc file has been opened.
2. A legitimate tool to install .NET assembled files. This Will be used to bypass SmartSCreen and AppLocker protection, since the actual payload will be a parameter of this legitimate file.
3. A DLL file, created in .NET that contains the actual malicious payload.

It hides even more surprises to stay stealth. All technical details in the following report.



This malware uses some very interesting techniques that, if not new, are not common, and even less used altogether in a single attack.
  • The attack seems to be targeting a very targeted Vietnamize government.
  • Using a .LNK file keeps the attack away from sandboxes.
  • The obfuscation techniques applied are very wisely used to keep the malware under the radar.
  • The execution technique keeps the malware away from EDR, for example loading through a legitimate binary, working in memory for deobfucation and injecting, etc.
  • Although they use a known malware as command, the way it is injected in memory and loaded results in a very interesting technique.
  • This infrastructure is not used in any other known or common attack.
We are still working in the attribution, if possible.

CyberThreats lab in cooperation with Innovation and laboratory

No comments:

Post a Comment