CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.
First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors.
Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well.
The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.
“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says.
These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine.
The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.”
While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.
“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” CrowdStrike concludes.
Related: China-linked Hackers Target Engineering and Maritime Industries
Related: Cyber Espionage Targets Interests in South China Sea
More from Ionut Arghire
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
- New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries
- CISA Seeks Public Opinion on Cloud Application Security Guidance
Latest News
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
