ESET researchers recently came across a targeted attack against the Vietnamese government’s Ministry of Natural Resources and Environment (MONRE). In this report, we will look at how the attackers targeted Vietnamese government employees, the behavior of the malware on MONRE’s systems, and how the attackers attempted to exfiltrate data.
The Vietnamese Ministry of Natural Resources and Environment has been under targeted attacks according to a recent article by ThreatConnect. Although the attack we discuss in this article may not be related to the threat campaign detailed in ThreatConnect’s research, it does show the interest attackers have in this Vietnamese government agency.
Vietnamese government employees at MONRE received email with a Microsoft Word document attachment. MONRE uses webmail as a means of providing email access to its staff, so employees would have to download the Word document—as opposed to just previewing it in their web browser—in order for it to infect their computers.
When opened in Microsoft Word, the document exploits a vulnerability to drop one executable file, named “payload.exe“, onto the computer. This Trojan dropper file contains three additional executables in it, which we will describe below in further detail.
When run, the malware will check to see whether Bach Khoa Anti-Virus (BKAV) is present. This is done to circumvent BKAV’s protections. If found, the payload.exe Trojan dropper unloads BKAV’s “BkavFirewallEngine.dll” from memory using the FreeLibrary Function as shown in the code below:
The three files dropped are named Framework.dll, StartExe.exe and W7e1.tmp and are saved into the %temp% directory. All these files are now detected by ESET as Win32/Agent.VXU. Also of interest is that the timestamps in the PE file headers are probably relatively recent, dated April 24, 2014. While this data could be falsified, we do not believe this to be the case.
It was observed that the main dropper file, payload.exe, does not successfully execute its dropped files on Windows XP or earlier versions of Windows. This appeared to be a bug in its code, where it tries to execute them using startexe.dll instead of startexe.exe.
SHELLEXECUTEINFO.lpVerb = “open”
SHELLEXECUTEINFO.lpFile = “%temp%\startexe.dll” ← bug
SHELLEXECUTEINFO.lpParameters = “-a a”
However, under Windows Vista and newer versions of Windows, the dropped files are successfully executed via code injection into explorer.exe.
Framework.dll, which runs as a service named “Framework”, connects to 126.96.36.199:443 (USA) or www.google.zzux.com:443, a server located in South Korea. It was observed that a connection to the zzux.com domain was tried only if the IP address for the host is different from the IP address 188.8.131.52.
At this point, we are unable to share any further intelligence about the perpetrators behind this campaign. While a Vietnamese environmental administration may not seem at first glance to be a high-value target, it is worth noting that any government’s environmental agency is going to have a great deal of confidential information of national economic and strategic concern. Interest in the South China Sea is at an all-time high now, and data such as maps, surveys, studies and reports are likely to be of interest both to regional superpowers and to corporations operating in the area.
This threat, like many others, is a good reminder that where there is valuable information; there are cybercriminals who will want to steal it.
When faced with targeted attacks exploiting vulnerabilities, it is critical to ensure that security patches to a system are up-to-date and applied in a timely manner. That includes operating systems, applications, and browser plug-ins. No less important is security awareness education. Some simple but effective practices to teach include:
1. Never open unsolicited attachments or click on links in email, even when they appear to come from those you know and trust.
2. If you feel you *must* open or click, first consider the following questions:
3. Encourage employees to report to the appropriate IT staff any suspicious computer activity, connection requests, email, or behavior.
Kudos to Miroslav Babis for analysis of this threat.
Author Oh Sieng Chye, ESET