China-linked cyber-espionage group Cycldek is showing increasing sophistication in a series of recent attacks targeting government and military entities in Vietnam, according to a report from anti-malware vendor Kaspersky.
Active since at least 2013 and also referred to as Goblin Panda and Conimes, Cycldek is known for the active targeting of governments in Southeast Asia, and their preference for targets in Vietnam.
In June last year, the group was revealed to have used a piece of custom malware to exfiltrate data from air-gapped systems, a clear sign of evolution for a group considered less sophisticated. The more recent attacks, Kaspersky says, show further increase in sophistication.
Running between June 2020 and January 2021, the campaign relied on an infection chain that used DLL side-loading to deliver malicious code that would eventually deploy a remote access Trojan (RAT) to provide the attackers with full control over compromised machines.
As part of an attack against a high-profile Vietnamese organization, a legitimate component from Microsoft Outlook was being abused to load a DLL that would run a shellcode that was acting as a loader for the FoundCore RAT.
Once deployed, the malware would start four processes: one to establish persistence as a service, the second to hide the first process, the third to prevent access to the malicious file, and the fourth to establish connection to the command and control (C&C) server.
FoundCore provides the threat actor with full control over the victim machine. The malware includes support for a variety of commands, allowing for file system manipulation, process manipulation, execution of arbitrary commands, and screenshot grabbing. Other malware delivered as part of the attacks are DropPhone and CoreLoader.
“We observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand,” Kaspersky notes.