Friday, June 14, 2024

Supply-chain Attack Targeting Certification Authority in Southeast Asia

ESET Researchers revealed a supply-chain attack occurred on the website of the Vietnam Government Certification Authority (VGCA): This is similar to the supply-chain attack on the Able Desktop software just a few weeks ago.

The attackers modified two of the software installers available for download on the website and added a backdoor to compromise users of the legitimate application.

The supply-chain attack in Vietnam

In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures.

According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.

The VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents.

Two of the installers available for download, gca01-client-v2-x32-8.3.msi, and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager and recently analyzed by NTT Security.

Researchers confirm that those installers were downloaded from over the HTTPS protocol, so it is unlikely to be a man-in-the-middle attack.

Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe.

Simplified scheme of the supply-chain attack

This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named and that contains the backdoor.

If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and for persistence, the dropper registers the malicious DLL as a service.

For the common user, the backdoor is written to %TEMP%\Wmedia\<GetTickCount>.tmp and for the persistence, the dropper creates a scheduled task that calls the export Entry of the malicious DLL.


The PhantomNet backdoor is quite simple and can collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. 

It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server.

PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store.


In this particular case, the attackers compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.

“Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult”, says the ESET researchers. The Vietnam Government Certification Authority confirmed that they were conscious of the attack before the notification and they notified the users who downloaded the trojanized software.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles