Chinese APT group spying on Vietnam military with FoundCore RAT

According to Kaspersky researchers, Cycldek, a Chinese APT group, is targeting Vietnam’s military establishment with FoundCore RAT.

According to Kaspersky researchers, Cycldek, a Chinese APT group, is targeting Vietnam’s government and military organizations in a new cyberespionage campaign.

According to a report by Kaspersky researchers, a Chinese-speaking threat group called Cycldek, also known as Lucky Mouse, APT 27, Goblin Panda, and Conimes, is spying on the Vietnamese government and military organizations.

It is an APT (advanced persistent threat) group. As per their analysis, this group has been active since 2013.

Further investigation revealed that dozens of computers have been targeted in this campaign so far. Almost 80% are located in Vietnam, while the remaining 20% are located in Thailand and Central Asia.


Kaspersky researchers claim that other targeted sectors included education, healthcare, and diplomacy apart from government and military. The campaign seems like a local threat, but the attack chain may be extended to other regions in the near future, researchers assessed.

Hackers Delivering FoundCore RAT

The primary motive behind this campaign is to spy on the Vietnamese government and military entities. In this advanced cyber-espionage campaign, threat actors use a remote-access tool to carry out their malicious spying operations.

Reportedly, Cycldek has used several new tactics representing a significant “advancement in terms of sophistication,” as they are using FoundCore malware. This marks a huge step forward in their espionage tools. FoundCore lets attackers manipulate the filesystem, capture screenshots, manipulate processes, and execute arbitrary commands.

Campaign Relying on DLL Side-Loading Triad

In this newly discovered campaign, researchers have noted that the threat actors are using a well-known attack tactic called the DLL side-loading triad. Dynamic-link libraries (DLLs) are pieces of code that are meant to be used by different computer programs.

In this campaign, the infection chain executes shellcode that decrypts FoundCore, and attackers gain complete control of the infected device. What the researchers found most interesting is the method Cycldek used to protect the malicious code from detection.

In their report, researchers explained that “the headers (the destination and source for the code) for the final payload were completely stripped away, and the few that remained contained incoherent values.

In doing this, the attackers make it significantly more difficult for researchers to reverse engineer the malware for analysis.”

This malware sample was discovered in the context of an attack against a high-profile organization located in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow, researchers explained.

Infection chain of FoundCore RAT. (Source: Kaspersky)


Moreover, in this case, the infection chain components are tightly coupled, so single pieces are almost impossible to evaluate in isolation. This prevents analysts from fully understanding the level of malicious activity.
