CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.
First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors.
Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well.
The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.
“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says.
These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine.
The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.”
While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.
“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” CrowdStrike concludes.
Related: China-linked Hackers Target Engineering and Maritime Industries
Related: Cyber Espionage Targets Interests in South China Sea