ESET researchers have uncovered a supply-chain assault on the web site of a authorities in Southeast Asia.
Just some weeks after the supply-chain attack on the Able Desktop software, one other comparable assault occurred on the web site of the Vietnam Authorities Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software program installers accessible for obtain on this web site and added a backdoor in an effort to compromise customers of the official software.
ESET researchers uncovered this new supply-chain assault in early December 2020 and notified the compromised group and the VNCERT. We imagine that the web site has not been delivering compromised software program installers as of the tip of August 2020 and ESET telemetry information doesn’t point out the compromised installers being distributed wherever else. The Vietnam Authorities Certification Authority confirmed that they have been conscious of the assault earlier than our notification and that they notified the customers who downloaded the trojanized software program.
Provide-chain assault in Vietnam
In Vietnam, digital signatures are quite common, as digitally-signed paperwork have the identical stage of enforceability as “moist” signatures. In line with Decree No. 130/2018, the cryptographic certificates used to signal paperwork should be granted by one of many approved certificates suppliers that embody the VGCA, which is a part of the Authorities Cipher Committee. That committee, in flip, relies on the Ministry of Info and Communication.
Along with issuing certificates, the VGCA develops and distributes a digital signature toolkit. It’s utilized by the Vietnamese authorities, and possibly by personal firms, to signal digital paperwork. The compromise of a certification authority web site is an effective alternative for APT teams, since guests are prone to have a excessive stage of belief in a state group liable for digital signatures.
As proven in Determine 1, evidently these applications are deployed within the Celebration and State companies.

Determine 1. Screenshot of ca.gov.vn
In line with ESET telemetry, ca.gov.vn was compromised from no less than the 23rd of July to the 16th of August 2020. Two of the installers accessible for obtain, gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi, have been modified to incorporate a bit of malware referred to as PhantomNet or SManager and not too long ago analyzed by NTT Security. We have been in a position to verify that these installers have been downloaded from ca.gov.vn over the HTTPS protocol, so we imagine it’s unlikely to be a man-in-the-middle assault. The URLs pointing to malicious installers have been:
- https://ca.gov[.]vn/paperwork/20182/6768590/gca01-client-v2-x64-8.3.msi
- https://ca.gov[.]vn/paperwork/20182/6768590/gca01-client-v2-x32-8.3.msi
That is additionally confirmed by information from VirusTotal as proven in Determine 2.

Determine 2. Screenshot of VirusTotal. It reveals the URL the place the trojanized installer was downloaded from.
The trojanized installers usually are not correctly signed, however we seen that clear GCA installers are additionally incorrectly signed (The digital signature of the article didn’t confirm). Each the official and trojanized MSIs use a certificates assigned to the Safenet firm.
Determine 3 is a abstract of the supply-chain assault. To be compromised, a person must manually obtain and execute the compromised software program hosted on the official web site.

Determine 3. Simplified scheme of the supply-chain assault.
As soon as downloaded and executed, the installer begins the real GCA program and the malicious file. The malicious file is written to C:Program FilesVGCAAuthenticationSACx32eToken.exe. By additionally putting in the official program, the attackers guarantee that this compromise received’t be simply seen by the end-users.
This malicious file is an easy dropper that extracts a Home windows cupboard file (.cab) named 7z.cab and that incorporates the backdoor.
If the dropper runs as an admin, the backdoor is written to C:Windowsapppatchnetapi32.dll and for the persistence, the dropper registers the malicious DLL as a service.
If run as an everyday person, the backdoor is written to %TEMPpercentWmedia
PhantomNet
The backdoor was named Smanager_ssl.DLL by its builders however we use PhantomNet, as that was the challenge title utilized in an older model of this backdoor. This most up-to-date model was compiled on the 26th of April 2020, nearly two months earlier than the supply-chain assault. Along with Vietnam, we’ve got seen victims within the Philippines, however sadly we didn’t uncover the supply mechanism in these instances.
This backdoor is sort of easy and many of the malicious capabilities are possible deployed via extra plugins. It could retrieve the sufferer’s proxy configuration and use it to achieve out to the command and management (C&C) server. This reveals that the targets are prone to be working in a company community.
PhantomNet makes use of the HTTPS protocol to speak with its hardcoded C&C servers: vgca.homeunix[.]org and office365.blogdns[.]com. To be able to stop a man-in-the-middle assault, PhantomNet implements certificates pinning, utilizing capabilities from the SSPI library. The certificates is downloaded in the course of the first reference to the C&C server after which saved within the Windows certificate store.
Along with the usage of dynamic DNS suppliers, it’s attention-grabbing to notice that the title of the primary subdomain, vgca, was chosen in an effort to mimic the title of the Vietnam Authorities Certification Authority.
The implant may be managed by the attackers utilizing these 5 instructions:
Command ID | Description |
---|---|
0x00110020 | Get sufferer info (laptop title, hostname, username, OS model, person privileges (admin or not), and the general public IP handle by querying ipinfo.io). |
0x00110030 | Name the export DeletePluginObject of all put in plugins. |
0x00110040 | Plugin administration (set up, take away, replace). The plugins have the next exports (together with the typo within the first one): GetPluginInfomation, GetRegisterCode, GetPluginObject, DeletePluginObject. |
0x00110070 | Set a price of a given subject in the principle construction of the backdoor. |
0x547CBA78 | Generate and set a password utilizing the SSPI capabilities. The ultimate objective is unknown. |
On VirusTotal, we discovered one plugin that matches the exports above. It’s a debug construct and is known as SnowballS based on its PDB path and different debug paths:
- E:WorkCodeAD_AttackerServerEXE_DEBUGSnowballS.pdb
- e:workcodead_attackerserverpluginspluginssnowballscdomainquery.cpp
An preliminary, cursory evaluation means that this software may be used for lateral motion, because it embeds Invoke-Mimikatz. It could additionally accumulate details about the sufferer machine and person accounts. This reveals that PhantomNet can obtain extra and complicated plugins which are in all probability solely deployed on machines of explicit curiosity to the malware operators.
Within the case of the assault in Vietnam, we weren’t in a position to get better information about post-compromise exercise and thus we don’t have visibility into the tip aim of the attackers.
Conclusion
With the compromise of Able Desktop, the assault on WIZVERA VeraPort by Lazarus and the latest supply-chain assault on SolarWinds Orion, we see that supply-chain assaults are a fairly frequent compromise vector for cyberespionage teams. On this particular case, they compromised the web site of a Vietnamese certificates authority, wherein customers are prone to have a excessive stage of belief.
Provide-chain assaults are sometimes arduous to seek out, because the malicious code is mostly hidden amongst quite a lot of official code, making its discovery considerably harder.
For any inquiries, contact us as [email protected] Indicators of Compromise can be present in our GitHub repository.
Information
SHA-1 | ESET detection title | Description |
---|---|---|
5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi) |
B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi) |
9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper |
989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet |
5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin |
C&C servers
office365.blogdns[.]com
vgca.homeunix[.]org
MITRE ATT&CK
Be aware: This desk was constructed utilizing version 8 of the MITRE ATT&CK framework.
Tactic | ID | Title | Description |
---|---|---|---|
Preliminary Entry | T1195.002 | Provide Chain Compromise: Compromise Software program Provide Chain | Attackers modified the installer of the GCA01 software program that’s hosted on ca.gov.vn and added a backdoor to the MSI installer. |
Execution | T1204.002 | Consumer Execution: Malicious File | The sufferer must manually execute the trojanized installer. |
Persistence | T1053.005 | Scheduled Job/Job: Scheduled Job | If the person doesn’t have admin privileges, PhantomNet persists by way of a scheduled activity. |
T1543.003 | Create or Modify System Course of: Home windows Service | If the person has admin privileges, PhantomNet persists by way of a Home windows service. | |
Discovery | T1033 | System Proprietor/Consumer Discovery | PhantomNet implements a operate to retrieve the username. |
T1082 | System Info Discovery | PhantomNet implements a operate to retrieve the OS model. | |
Command and Management | T1090.001 | Proxy: Inside Proxy | PhantomNet can retrieve the proxy configuration of the default browser and use it to connect with the C&C server. |
T1071.001 | Software Layer Protocol: Internet Protocols | PhantomNet makes use of HTTPS. | |
T1573.002 | Encrypted Channel: Uneven Cryptography | PhantomNet can add a certificates to the Home windows retailer and use it for certificates pinning for its HTTPS communications. |