ESET Researchers revealed a supply-chain attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. This is similar to the supply-chain attack on the Able Desktop software just a few weeks ago.
The attackers modified two of the software installers available for download on the website and added a backdoor to compromise users of the legitimate application.
The supply-chain attack in Vietnam
In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures.
According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.
The VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents.
Two of the installers available for download, gca01-client-v2-x32-8.3.msi, and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager and recently analyzed by NTT Security.
Researchers confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so it is unlikely to be a man-in-the-middle attack.
Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe.
This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab and that contains the backdoor.
If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and for persistence, the dropper registers the malicious DLL as a service.
For the common user, the backdoor is written to %TEMP%\Wmedia\<GetTickCount>.tmp and for the persistence, the dropper creates a scheduled task that calls the export Entry of the malicious DLL.
The PhantomNet backdoor is quite simple and can collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins.
It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server.
PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store.
In this particular case, the attackers compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.
“Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult”, says the ESET researchers. The Vietnam Government Certification Authority confirmed that they were conscious of the attack before the notification and they notified the users who downloaded the trojanized software.