Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia | WeLiveSecurity

ESET researchers have uncovered a supply-chain attack on the website of a government in Southeast Asia.

Just a few weeks after the supply-chain attack on the Able Desktop software, another similar attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.

ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.

Supply-chain attack in Vietnam

In Vietnam, digital signatures are very common, as digitally-signed documents have the same level of enforceability as “wet” signatures. According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers that include the VGCA, which is part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.

In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures.

As shown in Figure 1, it seems that these programs are deployed in the Party and State agencies.

Figure 1. Screenshot of ca.gov.vn

According to ESET telemetry, ca.gov.vn was compromised from at least the 23rd of July to the 16th of August 2020. Two of the installers available for download, gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager and recently analyzed by NTT Security. We were able to confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so we believe it is unlikely to be a man-in-the-middle attack. The URLs pointing to malicious installers were:

  • https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3.msi
  • https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3.msi

This is also confirmed by data from VirusTotal as shown in Figure 2.

Figure 2. Screenshot of VirusTotal. It shows the URL where the trojanized installer was downloaded from.

The trojanized installers are not properly signed, but we noticed that clean GCA installers are also incorrectly signed (Windows reports “The digital signature of the object did not verify”). Both the official and trojanized MSIs use a certificate assigned to the Safenet company.

Figure 3 is a summary of the supply-chain attack. To be compromised, a user would have to manually download and execute the compromised software hosted on the official website.

Figure 3. Simplified scheme of the supply-chain attack.

Once downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by the end-users.

This malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab and that contains the backdoor.

If the dropper runs as an admin, the backdoor is written to C:\Windows\apppatch\netapi32.dll and, for persistence, the dropper registers the malicious DLL as a service.

If run as a regular user, the backdoor is written to %TEMP%\Wmedia\<GetTickCount>.tmp and, for persistence, the dropper creates a scheduled task that calls the export Entery of the malicious DLL. It’s interesting to note that the Entery export was also seen in versions of TManger used by TA428, as detailed by NTT Security.
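The two persistence paths described above (service-registered DLL when elevated, scheduled task calling the Entery export otherwise) give a defender concrete host artifacts to look for. The following script is an added example written for this editing pass, not code from ESET or from the VGCA. The file paths, the %TEMP%\Wmedia folder and the export name come from the article; the assumption that the DLL is registered as a svchost-hosted service (a Parameters\ServiceDll value) is mine, so the script checks both that value and the service binary path.

```powershell
# Added example (not ESET or VGCA code): hunt for the PhantomNet persistence
# artifacts described in the article. Run in an elevated PowerShell 5.1+ session.
# Paths, folder and export name are from the article; the ServiceDll check is an
# assumption about how a DLL would be "registered as a service".

$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $script:Findings.Add($Text) }

# 1. Dropper and admin-path backdoor locations named in the article.
$KnownPaths = @(
    'C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe',
    'C:\Windows\apppatch\netapi32.dll'
)
foreach ($p in $KnownPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $sha1 = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        Add-Finding "File present: $p (SHA-1 $sha1)"
    }
}

# 2. Services pointing at the apppatch copy of netapi32.dll. The genuine
#    netapi32.dll lives in System32; nothing legitimate loads it from apppatch.
$DllPattern = 'apppatch\\netapi32\.dll'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $DllPattern } |
    ForEach-Object { Add-Finding "Service binary path: $($_.Name) -> $($_.PathName)" }

Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll -match $DllPattern) {
            Add-Finding "ServiceDll: $($_.PSChildName) -> $($params.ServiceDll)"
        }
    }

# 3. Scheduled tasks whose action loads a DLL from %TEMP%\Wmedia or names the
#    Entery export (the non-admin persistence path). -match is case-insensitive.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'Wmedia\\[^\\]+\.tmp' -or $cmd -match '\bEntery\b') {
            Add-Finding "Scheduled task: $($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 4. The non-admin payload itself: <GetTickCount>.tmp under each profile's
#    %TEMP%\Wmedia. The name varies, so hunt by folder. Assumes the default
#    C:\Users profile layout.
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $wmedia = Join-Path $_.FullName 'AppData\Local\Temp\Wmedia'
    if (Test-Path -LiteralPath $wmedia -PathType Container) {
        Get-ChildItem -LiteralPath $wmedia -Filter *.tmp -File | ForEach-Object {
            $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            Add-Finding "Wmedia payload: $($_.FullName) (SHA-1 $sha1)"
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No PhantomNet persistence artifacts found on this host.'
} else {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The service check is deliberately broader than the article's wording, because a DLL can be made a service either through a host process such as svchost (ServiceDll) or through a loader named in the service's binary path; a hit on either is enough to escalate the host for full forensic collection.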

PhantomNet

The backdoor was named Smanager_ssl.DLL by its developers but we use PhantomNet, as that was the project name used in an older version of this backdoor. This most recent version was compiled on the 26th of April 2020, almost two months before the supply-chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately we did not uncover the delivery mechanism in those cases.

This backdoor is quite simple and most of the malicious capabilities are likely deployed through additional plugins. It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server. This shows that the targets are likely to be working in a corporate network.

PhantomNet uses the HTTPS protocol to communicate with its hardcoded C&C servers: vgca.homeunix[.]org and office365.blogdns[.]com. In order to prevent a man-in-the-middle attack, PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store.

In addition to the use of dynamic DNS providers, it is interesting to note that the name of the first subdomain, vgca, was chosen in order to mimic the name of the Vietnam Government Certification Authority.

The implant can be controlled by the attackers using these five commands:

Command ID | Description
0x00110020 | Get victim information (computer name, hostname, username, OS version, user privileges (admin or not), and the public IP address by querying ipinfo.io).
0x00110030 | Call the export DeletePluginObject of all installed plugins.
0x00110040 | Plugin management (install, remove, update). The plugins have the following exports (including the typo in the first one): GetPluginInfomation, GetRegisterCode, GetPluginObject, DeletePluginObject.
0x00110070 | Set a value of a given field in the main structure of the backdoor.
0x547CBA78 | Generate and set a password using the SSPI functions. The final purpose is unknown.

On VirusTotal, we found one plugin that matches the exports above. It is a debug build and is named SnowballS according to its PDB path and other debug paths:

  • E:\WorkCode\AD_Attacker\Server\EXE_DEBUG\SnowballS.pdb
  • e:\workcode\ad_attacker\server\plugins\plugins\snowballs\cdomainquery.cpp

An initial, cursory analysis suggests that this tool might be used for lateral movement, as it embeds Invoke-Mimikatz. It can also collect information about the victim machine and user accounts. This shows that PhantomNet can receive additional and complex plugins that are probably only deployed on machines of particular interest to the malware operators.

In the case of the attack in Vietnam, we were not able to recover data about post-compromise activity and thus we don’t have visibility into the end goal of the attackers.

Conclusion

With the compromise of Able Desktop, the attack on WIZVERA VeraPort by Lazarus and the recent supply-chain attack on SolarWinds Orion, we see that supply-chain attacks are a quite common compromise vector for cyberespionage groups. In this specific case, they compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.

Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult.

For any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.

IoCs

Files

SHA-1 | ESET detection name | Description
5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi)
B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi)
9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper
989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet
5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin

C&C servers
office365.blogdns[.]com
vgca.homeunix[.]org
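A practical way to use the file and network IoCs above, and the earlier observation that even the clean GCA installers fail Authenticode verification, is a sweep that hashes downloaded installers, compares them with the published SHA-1s, records their signature status and checks the DNS client cache for the two C&C hostnames. The script below is an added example for this editing pass, not ESET's or the VGCA's code. The hashes, detection names and hostnames are copied from the IoC section; $ScanDir is a placeholder for the folder your users download installers to.

```powershell
# Added example (not ESET or VGCA code): IoC sweep for Operation SignSight.
# SHA-1s and C&C hostnames are taken from the article's IoC section.
# $ScanDir is a placeholder; point it at the download location you want checked.

$KnownBad = @{
    '5C77A18880CF58DF9FBA102DD8267C3F369DF449' = 'Trojanized installer (gca01-client-v2-x64-8.3.msi)'
    'B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A' = 'Trojanized installer (gca01-client-v2-x32-8.3.msi)'
    '9522F369AC109B03E6C16511D49D1C5B42E12A44' = 'PhantomNet dropper'
    '989334094EC5BA8E0E8F2238CDF34D5C57C283F2' = 'PhantomNet'
    '5DFC07BB6034B4FDA217D96441FB86F5D43B6C62' = 'PhantomNet plugin'
}
$C2Hosts = @('vgca.homeunix.org', 'office365.blogdns.com')

# Hash one file, look it up in the IoC table and record its Authenticode status.
function Test-GcaFile {
    param([Parameter(Mandatory)][string]$Path)
    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToUpperInvariant()
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        File      = Split-Path -Path $Path -Leaf
        SHA1      = $sha1
        KnownBad  = $KnownBad.ContainsKey($sha1)
        Detection = if ($KnownBad.ContainsKey($sha1)) { $KnownBad[$sha1] } else { '' }
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$ScanDir = "$env:USERPROFILE\Downloads"   # placeholder: replace with the real download location
$Results = Get-ChildItem -LiteralPath $ScanDir -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.msi', '.exe', '.dll' } |
    ForEach-Object { Test-GcaFile -Path $_.FullName }
$Results | Format-Table -AutoSize

# A hash match is a confirmed indicator. Because the article notes that clean GCA
# installers also fail Authenticode verification, a bad signature on its own does
# not separate good from trojanized copies here; the hash is the decisive signal.
foreach ($hit in ($Results | Where-Object { $_.KnownBad })) {
    Write-Warning "IoC match: $($hit.File) $($hit.SHA1) -> $($hit.Detection)"
}

# Network IoCs: C&C hostnames resolved recently by this host.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $C2Hosts -contains $_.Entry.TrimEnd('.') } |
    ForEach-Object { Write-Warning "C&C hostname in DNS cache: $($_.Entry) -> $($_.Data)" }
```

Get-DnsClientCache only sees names resolved since the last cache flush, so for a fleet-wide view the same two hostnames should be searched in the resolver or proxy logs covering the compromise window (23 July to 16 August 2020) rather than relied on from the local cache alone.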

MITRE ATT&CK

Note: This table was built using version 8 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Attackers modified the installer of the GCA01 software that is hosted on ca.gov.vn and added a backdoor to the MSI installer.
Execution | T1204.002 | User Execution: Malicious File | The victim needs to manually execute the trojanized installer.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | If the user doesn’t have admin privileges, PhantomNet persists via a scheduled task.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | If the user has admin privileges, PhantomNet persists via a Windows service.
Discovery | T1033 | System Owner/User Discovery | PhantomNet implements a function to retrieve the username.
Discovery | T1082 | System Information Discovery | PhantomNet implements a function to retrieve the OS version.
Command and Control | T1090.001 | Proxy: Internal Proxy | PhantomNet can retrieve the proxy configuration of the default browser and use it to connect to the C&C server.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet uses HTTPS.
Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PhantomNet can add a certificate to the Windows store and use it for certificate pinning for its HTTPS communications.
