Another software supply chain attack has hit the news, this one targeting Vietnamese private and government organizations. An as-yet unidentified threat group carried out the attack by inserting malware into official government software. The target appears to have been the VGCA (Vietnam Government Certificate Authority), which issues the digital certificates used by anyone who wants to sign and submit documents to the Vietnamese government. The attackers inserted malware into two of the VGCA client applications for document signing offered on the government’s site ca.gov.vn, so victims received the trojanized installers from the legitimate download location. According to ESET, the malware added to the software was a backdoor trojan called PhantomNet. The attack appears to have taken place between July 5th and August 5th, 2020. ESET reached out to VGCA with its findings, but the agency said it was already aware of the attack.
PhantomNet acts as a backdoor and as a vector for distributing further malware. Plugins the trojan can retrieve from its operators include a proxy and a downloader. The trojan does not execute on its own: the victim has to download and run the trojanized installer manually, and the dropper then installs the backdoor alongside the expected software. The dropper installs further components that gather information about the victim and feed it back to the attackers’ command-and-control (C&C) servers.
The attackers’ choice of VGCA was likely due to its status as the certificate authority of Vietnam, an organization whose software people are likely to trust implicitly. At this time, PhantomNet is believed to have been used for reconnaissance in preparation for a larger attack.
(Figure caption: these components are used to collect victim information and for lateral movement.)
The VGCA software supply chain attack follows several sophisticated attacks that surfaced in the fourth quarter of 2020, including the supply chain attack on SolarWinds Orion and the Lazarus group’s supply chain attack. Our VerSprite Threat Intelligence and GRC teams are closely monitoring these trends and believe more attention should be paid to assessing the software, hardware, and vendors your organization uses, including verifying that what you install is what the vendor actually shipped. As more news of successful attacks surfaces, cybercriminals will learn from those successes and turn more of their attention to these attack methods.
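The VGCA case is a reminder that a download from the vendor’s own site is not proof of integrity when that site is what the attacker controls. The following is an added example, not code from VerSprite, VGCA, or ESET, of the kind of pre-install check an organization can put in front of third-party installers: every file in a downloaded package is compared against a manifest of SHA-256 hashes that was obtained out-of-band (from the vendor over a separate channel, or recorded from a previously vetted copy), and the install is blocked on any mismatch, any missing file, or any file the manifest does not list. The file names, contents, and the `helper.exe` extra component are constructed sample data, not artifacts from the real attack; a hash list published on the same compromised download page would prove nothing, which is why the manifest must come from somewhere else.

```python
"""Hash-pinning check for a downloaded installer package.

Added example, not VerSprite's, VGCA's, or ESET's code. It assumes the
defender already holds a manifest of expected file hashes obtained
out-of-band, because a hash list served by a compromised download site
is under the attacker's control too. All package contents below are
constructed sample bytes, not real installers.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VerificationResult:
    mismatched: list = field(default_factory=list)  # files whose hash differs
    unexpected: list = field(default_factory=list)  # files not in the manifest
    missing: list = field(default_factory=list)     # manifest files not present

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.unexpected or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record hashes of a vetted package; store the result out-of-band."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_package(files: dict, manifest: dict) -> VerificationResult:
    """Compare a freshly downloaded package against the pinned manifest.

    An extra file is flagged even when every manifest entry matches: a
    trojanized installer can leave the legitimate components untouched
    and simply drop a backdoor next to them.
    """
    result = VerificationResult()
    for name, expected in manifest.items():
        if name not in files:
            result.missing.append(name)
        elif sha256_hex(files[name]) != expected:
            result.mismatched.append(name)
    for name in files:
        if name not in manifest:
            result.unexpected.append(name)
    return result


def install_decision(files: dict, manifest: dict) -> str:
    """Gate the install: only a package matching the manifest exactly proceeds."""
    return "install" if verify_package(files, manifest).ok else "block"


# Constructed sample data (hypothetical file names and contents).
VETTED_PACKAGE = {
    "client-setup.msi": b"legitimate signing client bytes v2",
    "README.txt": b"install instructions",
}
PINNED_MANIFEST = build_manifest(VETTED_PACKAGE)

# Scenario 1: the installer itself was modified in place.
MODIFIED_PACKAGE = {
    **VETTED_PACKAGE,
    "client-setup.msi": b"legitimate signing client bytes v2 + backdoor",
}

# Scenario 2: legitimate files untouched, an extra component dropped alongside.
BACKDOOR_ADDED_PACKAGE = {**VETTED_PACKAGE, "helper.exe": b"backdoor payload"}

if __name__ == "__main__":
    scenarios = [
        ("vetted", VETTED_PACKAGE),
        ("modified installer", MODIFIED_PACKAGE),
        ("extra file added", BACKDOOR_ADDED_PACKAGE),
    ]
    for label, pkg in scenarios:
        r = verify_package(pkg, PINNED_MANIFEST)
        print(f"{label}: {install_decision(pkg, PINNED_MANIFEST)} "
              f"mismatched={r.mismatched} unexpected={r.unexpected} "
              f"missing={r.missing}")
```

Hash pinning catches both ways a package can be tampered with: a modified installer fails on its hash, and a backdoor dropped next to untouched legitimate files fails as an unexpected entry. It complements, rather than replaces, checking the installer’s code signature, and it only works if the manifest itself was not fetched from the site being verified.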
VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our team works with companies across all industries and security maturity levels to defend against threats. For more information on VerSprite’s Threat Intel Group or its managed monitoring tool, CTIP, contact one of our security advisers today. Contact VerSprite →