If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and for the persistence, the dropper registers the malicious DLL as a service. cab) named 7z.cab and that contains the backdoor. This malicious file is a simple dropper that extracts a Windows cabinet file (.
By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by the end-users. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe. Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. Simplified scheme of the supply-chain attack. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures.Īs shown in Figure 1, it seems that these programs are deployed in the Party and State agencies.įigure 3. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. That committee, in turn, depends on the Ministry of Information and Communication. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures.
The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software. We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.ĮSET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. Just a few weeks after the supply-chain attack on the Able Desktop software, another similar attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. ESET researchers have uncovered a supply-chain attack on the website of a government in Southeast Asia.
0 kommentar(er)
