Sunday, October 6, 2024
HomeCyber AttackSupply-chain Attack Targeting Certification Authority in Southeast Asia

Supply-chain Attack Targeting Certification Authority in Southeast Asia

Published on

ESET Researchers revealed a supply-chain attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. This is similar to the supply-chain attack on the Able Desktop software just a few weeks ago.

The attackers modified two of the software installers available for download on the website and added a backdoor to compromise users of the legitimate application.

The supply-chain attack in Vietnam

In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures.

- Advertisement - EHA

According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.

The VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents.

Two of the installers available for download, gca01-client-v2-x32-8.3.msi, and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager and recently analyzed by NTT Security.

Researchers confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so it is unlikely to be a man-in-the-middle attack.

Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe.

Simplified scheme of the supply-chain attack

This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab and that contains the backdoor.

If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and for persistence, the dropper registers the malicious DLL as a service.

For the common user, the backdoor is written to %TEMP%\Wmedia\<GetTickCount>.tmp and for the persistence, the dropper creates a scheduled task that calls the export Entry of the malicious DLL.

PhantomNet

The PhantomNet backdoor is quite simple and can collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. 

It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server.

PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store.

Conclusion

In this particular case, the attackers compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.

“Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult”, says the ESET researchers. The Vietnam Government Certification Authority confirmed that they were conscious of the attack before the notification and they notified the users who downloaded the trojanized software.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...