Operation SignSight: Software Supply Chain Attack Hits Vietnamese Government

Vietnam Government Hit By A Complex Software Supply Chain Attack, Operation SignSight

Another software supply chain attack has hit the news, this one targeting Vietnamese private and government organizations. The unknown hacker group completed their attack by inserting malware into official government software. It appears the attack targeted the VGCA (Vietnam Government Certificate Authority) which issues digital certificates for anyone that wants to submit documents to the Vietnamese government. The attackers input malware into two of the VGCA client applications offered at the government’s site ca.gov.vn for document signing. According to ESET, the malware submitted to the software was a backdoor trojan called PhantomNet. The attack appeared to happen between July 5th and August 5th, 2020. ESET reached out to VGCA with their discoveries but the agency said they were already aware of the attack.

How Does PhantomNet Backdoor Work?

PhantomNet acts as a backdoor and a vector for more malware to be distributed. Some plugins that can be retrieved by the trojan include a proxy and a downloader. It appears the trojan is installed to the victim’s machine which the victim has to manually execute in order for the trojan to run. The dropper installs further components which are used to gather information on the victim and fed back to its CnC servers.

The attacker’s choice of VGCA might have been due to their status as the certificate authority of Vietnam, which people are likely to implicitly trust. At this time, it is believed PhantomNet was used for reconnaissance in preparation for a larger attack.

Indicators of VGCA’s Compromise:

Compromised Installers:

• [https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3%5b.%5dmsi]
• [https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3%5b.%5dmsi]

Compromised Website:

• ca[.]gov[.]vn

Dropper:

• etoken.exe 7z.cab

Backdoor:

• netapi32.dll smanager_ssl.dll

Additional Components Downloaded:

(These components are used to collect victim information and used for lateral movement)

• Snowballs.pdb cdomainquery.cpp

Command and Control Servers:

• vgca[.]homeunix[.]org office365[.]blogdns[.]com

Port Used for Communication:

• 5355

File Hashes:

• 1d9bc6939e2eceb3e912f158e05e04cadc1965849c4eb2c96e37e51a7d4f7aa5
• 5c77a18880cf58df9fba102dd8267c3f369df449 5dfc07bb6034b4fda217d96441fb86f5d43b6c62
• 6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75
• 830dd354a31ef40856978616f35bd6b7 9522f369ac109b03e6c16511d49d1c5b42e12a44
• 97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c
• 989334094ec5ba8e0e8f2238cdf34d5c57c283f2 b0e4e9bb6ef8aa7a9fcb9c9e571d8162b1b2443a
• c11e25278417f985cc968c1e361a0fb0

Businesses and Governments Should Prepare for Software Supply Chain Attacks

VGCA’s software supply chain attack follows several complex attacks that have surfaced in the fourth quarter, including the supply chain attack on SolarWinds Orion and Lazarus. Our VerSprite Threat Intelligence and GRC teams are closely monitoring the trends and believe more attention should be taken to assess the software, hardware, and vendors your organization uses. As more news surfaces of successful attacks, cybercrinimals will learn from those successes and increase their attention to these types of attack methods.

VerSprite’s Cybersecurity Threat Intelligence

VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on Versprite’s Threat Intel Group or their managed monitoring tool, CTIP, contact one of our security advisers today. Contact VerSprite →