
Chinese Cycldek APT targets Vietnamese Military and Government in sophisticated attacks

China-linked APT group Cycldek is behind an advanced cyberespionage campaign targeting entities in the government and military sector in Vietnam.

China-linked APT group LuckyMouse (aka Cycldek, Goblin Panda, Hellsing, APT 27, and Conimes) is targeting government and military organizations in Vietnam with spear-phishing.

The threat actors have been sending spear-phishing messages to compromise diplomatic targets in Southeast Asia, India, and the U.S. since at least 2013.

The Cycldek group was first spotted in September 2013; in past campaigns it mainly targeted entities in Southeast Asia using different malware variants, such as PlugX and HttpTunnel.

In 2014, experts observed intensified activity from the group, which appeared interested in the dispute over the South China Sea.

GOBLIN PANDA focused on Vietnam; most of its targets were in the defense, energy, and government sectors.

In 2018, the cyberespionage group once again targeted Vietnam, running a spear-phishing campaign that used weaponized documents featuring Vietnamese-language lures and themes.

The group’s arsenal includes multiple tools for information stealing and lateral movement, some of which were previously unreported.

Since 2017, the group has been observed launching attacks using RTF lure documents with political content related to Vietnam. The messages dropped a variant of a malicious program named NewCore RAT.

The recent campaign was observed between June 2020 and January 2021; the threat actors used DLL side-loading to execute shellcode that decrypts a final payload tracked as “FoundCore.”

Researchers also reported that in recent attacks the threat actors downloaded two additional malware families, dubbed DropPhone and CoreLoader respectively. The former collects environment information from the victim machine and sends it to Dropbox; the latter runs code to evade detection by security products.

“Chinese-speaking threat actors often share their techniques and methodologies with each other, which makes it easier for Kaspersky researchers to hunt for advanced persistent threat (APT) activity related to such well-known cyberespionage groups as LuckyMouse, HoneyMyte, and Cycldek. That’s why, when they saw one of their most well-known tactics—“the DLL side-loading triad”—targeting government and military entities in Vietnam, they immediately took notice.” states the post published by Kaspersky experts.

“In this recently discovered campaign, the DLL side-loading infection chain executes a shellcode that decrypts the final payload: a remote access Trojan Kaspersky named FoundCore that gives the attackers full control over the infected device.”

In DLL side-loading attacks, threat actors trick victims into downloading a malicious DLL placed alongside a legitimate executable, which then loads the rogue library in place of the one it expects, so the attacker's code runs inside a trusted, often signed, process.

In the recent campaign associated with Cycldek, Kaspersky observed that the attackers abused a legitimate component from Microsoft Outlook (FINDER.exe) by placing next to it the malicious library outlib.dll, which hijacks the intended execution flow of the program to decode and run a shellcode stored in the rdmin.src binary file.
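The “DLL side-loading triad” described above (a signed executable, a rogue DLL next to it, and a data file holding the encrypted shellcode) leaves a recognizable footprint in image-load telemetry. The following detection sketch is an added example, not code from Kaspersky or Security Affairs: it scans constructed, Sysmon-style image-load records for a signed executable running outside a normal install root that loads an unsigned DLL from its own directory, then lists any non-executable companion files in that directory. The record field names, the trusted-root list, the directory listing and the sample paths are all assumptions made for the example; only the FINDER.exe / outlib.dll / rdmin.src names come from the article.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example, not from the Kaspersky report or the article. The event
format is a constructed, Sysmon-like record (roughly Event ID 7, ImageLoad);
the field names are assumptions, not a real log schema.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Directories where legitimately installed software normally lives (assumption
# for the example; tune to the estate's real install roots).
TRUSTED_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows",
)

# Constructed sample events. Only the first record mirrors the chain the article
# describes: the Outlook component FINDER.exe loading outlib.dll from a
# user-writable directory. The other two are benign controls.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Users\victim\AppData\Roaming\Finder\FINDER.exe",
        "image_signed": True,
        "loaded": r"C:\Users\victim\AppData\Roaming\Finder\outlib.dll",
        "loaded_signed": False,
    },
    {   # same DLL name loaded from the real install root by a signed DLL: expected
        "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image_signed": True,
        "loaded": r"C:\Program Files\Microsoft Office\root\Office16\outlib.dll",
        "loaded_signed": True,
    },
    {   # unsigned tool loading a system DLL: not side-loading, out of scope here
        "image": r"C:\Users\victim\Downloads\tool.exe",
        "image_signed": False,
        "loaded": r"C:\Windows\System32\kernel32.dll",
        "loaded_signed": True,
    },
]

# Constructed directory listing for the first event's directory. The third file
# is the non-PE blob that completes the triad (rdmin.src in the article).
SAMPLE_LISTING = {
    r"c:\users\victim\appdata\roaming\finder": ["FINDER.exe", "outlib.dll", "rdmin.src"],
}


def _parent_dir(path: str) -> str:
    """Normalised (lower-case, backslash) parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> bool:
    """True when a signed executable running outside a trusted install root
    loads an unsigned DLL from its own directory, i.e. the loader picked up the
    adjacent file instead of the library it expects."""
    if not event["image_signed"]:
        return False  # unsigned loader: a different detection's job
    if _in_trusted_root(event["image"]):
        return False  # normal install location; low signal on its own
    if _parent_dir(event["image"]) != _parent_dir(event["loaded"]):
        return False  # DLL resolved from elsewhere (System32, SxS, ...)
    return not event["loaded_signed"]


def find_sideload_candidates(events: list[dict]) -> list[tuple[str, str]]:
    """Return (executable, dll) pairs worth triaging, in input order."""
    return [(e["image"], e["loaded"]) for e in events if is_sideload_candidate(e)]


def triad_companions(event: dict, listing: dict[str, list[str]]) -> list[str]:
    """Files in the loader's directory that are neither the executable nor the
    DLL and are not PE images by extension: candidate encrypted-payload blobs.
    `listing` maps a normalised directory to its file names (constructed here)."""
    own = {PureWindowsPath(event["image"]).name.lower(),
           PureWindowsPath(event["loaded"]).name.lower()}
    names = listing.get(_parent_dir(event["image"]), [])
    return sorted(n for n in names
                  if n.lower() not in own and not n.lower().endswith((".exe", ".dll")))


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {exe} loaded {dll}")
    print("companion blobs:", triad_companions(SAMPLE_EVENTS[0], SAMPLE_LISTING))
```

The same-directory test is what separates side-loading from ordinary loads: the second record loads a DLL of the same name, but from the Office install root and signed, so it is not flagged. Treat a hit as a triage lead rather than a verdict, and confirm by checking the companion file for a PE header and the DLL's exports against the executable's import table.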

Experts noticed that the threat actors spent significant effort to prevent the malicious code from being analyzed. The malware authors completely stripped the headers (the destination and source for the code) from the final payload, leaving only some headers containing incoherent values, with the intent of making reverse engineering of the malware harder.

These improvements led Kaspersky to believe that the level of sophistication of the threat actors is increasing.

FoundCore allows attackers to take full control over the infected systems; it supports multiple commands for file system manipulation, process manipulation, capturing screenshots, and arbitrary command execution.

“The final payload is a remote administration tool that provides full control over the victim machine to its operators.” reads the technical analysis of the malware. “Communications with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS. Commands supported by FoundCore include filesystem manipulation, process manipulation, screenshot captures and arbitrary command execution.”

Kaspersky states that 80% of the affected organizations are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education, or political verticals. Experts also discovered some occasional victims in Central Asia and Thailand.

“No matter which group orchestrated this campaign, it constitutes a significant step up in terms of sophistication,” concludes the report. “The toolchain presented here was willfully split into a series of interdependent components that function together as a whole. Single pieces are difficult – sometimes impossible – to analyze in isolation, because they rely on code or data provided at other stages of the infection chain. We regretfully admit that this strategy was partly successful in preventing us from obtaining a complete picture of this campaign.”


Pierluigi Paganini

(SecurityAffairs – hacking, Cycldek)
