Sunday, June 15, 2025
HomeCyber AttackSupply-chain Attack Targeting Certification Authority in Southeast Asia

Supply-chain Attack Targeting Certification Authority in Southeast Asia

Published on

SIEM as a Service

Follow Us on Google News

ESET Researchers revealed a supply-chain attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. This is similar to the supply-chain attack on the Able Desktop software just a few weeks ago.

The attackers modified two of the software installers available for download on the website and added a backdoor to compromise users of the legitimate application.

The supply-chain attack in Vietnam

In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures.

- Advertisement - Google News

According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.

The VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents.

Two of the installers available for download, gca01-client-v2-x32-8.3.msi, and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager and recently analyzed by NTT Security.

Researchers confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so it is unlikely to be a man-in-the-middle attack.

Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe.

Simplified scheme of the supply-chain attack

This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab and that contains the backdoor.

If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and for persistence, the dropper registers the malicious DLL as a service.

For the common user, the backdoor is written to %TEMP%\Wmedia\<GetTickCount>.tmp and for the persistence, the dropper creates a scheduled task that calls the export Entry of the malicious DLL.

PhantomNet

The PhantomNet backdoor is quite simple and can collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. 

It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server.

PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store.

Conclusion

In this particular case, the attackers compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.

“Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult”, says the ESET researchers. The Vietnam Government Certification Authority confirmed that they were conscious of the attack before the notification and they notified the users who downloaded the trojanized software.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...