Search This Blog

Showing posts with label Vietnam. Show all posts

Experts Discover New macOS Backdoor, Link Attack Campaign to Vietnamese Hackers

 

Cybersecurity experts at Trend Micro found a macOS backdoor, which the experts believe is used by Vietnamese criminal actors named "oceanlotus." Famous as APT32 or "APT-C-00," the backdoor is highly resourced and resolute. Experts say that Ocenlotus targets government agencies and corporate organizations located explicitly in Southeast Asia. At the beginning of 2020, the criminal group launched Covid-19 espionage attack campaigns targeting China. 

After analyzing different C&C domains used by the sample, Trend Micro suggests that organizations not download any suspicious link or open any unknown attachment, keep systems updated, and ensure employee cybersecurity to stay safe. Compared to Oceanlotus' earlier malware variants, the current sample presents correlations in coding and dynamic behavior. The similarity in behavior hints at the sample's link to the criminal group. A file incorporated in the attack campaign shows a Vietnamese name. According to this information, experts believe that the new malware targeted Vietnamese users. 

The new sample pretends to work as a word document, but it is an app packed into a Zip archive in reality. The app uses special characters to avoid detection. According to TrendMicro, the operating system views the app bundle as an unsupported directory. It means that it uses the "open" command is used to administer the file. The cybersecurity experts found two files in the app bundle. A word file that is shown during the execution process and shell script which does malicious tasks routinely. 

According to security week, "the shell script is responsible for deleting the file quarantine attribute for the files in the bundle and for removing the file quarantine attribute of files in the system, copying the Word document to a temp directory and opening it, extracting the second-stage binary and changing its access permissions, then deleting the malware app bundle and the Word document from the system. The second stage payload is responsible for dropping a third-stage payload, creating persistence, changing the timestamp of the sample using the touch command, and deleting itself. Featuring encrypted strings, the third-stage payload contains two main functions: collecting and sending operating system information to the command and control (C&C) servers, receiving additional communication information, and performing backdoor activities."

BMW and Hyundai Networks Compromised by Vietnamese Hackers


Hackers allegedly having links to the Vietnamese government have hacked the networks of two leading automobile manufacturers, BMW and Hyundai, according to the recent reports from the German media.

At the same time, eliminating the novelty from the incident, the reports by Bayerische Rundfunk (BR) and Taggesschau (TS) are making claims that around spring this year, the networks of a BMW branch were breached by attackers.

Reports suggest, hackers installed 'Cobalt Strike', a penetration testing toolkit onto the targeted networks; it was employed as a backdoor through which the compromised networks were intruded by attackers.

Supposedly, BMW was acquainted with the attacker's operations and let them continue to penetrate further into their networks. However, the company brought it to an end by putting a restriction onto the illegal access in the last week of November.

According to the findings, the attackers who compromised BMW's networks also no infected South Korean multinational automotive manufacturer, Hyundai. However, no additional information has been provided regarding the Hyundai breach.

The group behind these attacks, Ocean Lotus (APT32) has been in the cybercrime ecosystem since 2014 and is popular for targeting the automobile sector.

Referencing from the reports, "The attack of the alleged Vietnamese hacker group began in the spring of 2019. Last weekend, the automobile company from Munich finally took the computers concerned off the grid. Previously, the group's IT security experts had been monitoring the hackers for months. This is the result of research by the Bayerischer Rundfunk. Also on the South Korean car manufacturer Hyundai, the hackers had it apart."

"The Federal Office for the Protection of the Constitution also follows the hackers of OceanLotus. "The grouping of OceanLotus has already become important, and one should keep an eye on the development, especially because of the target range automotive industry," said a spokeswoman. In the summer, the German Association of the Automotive Industry (VDA) sent an e-mail to its members. The subject was: "Warning message from the Federal Office for the Protection of the Constitution about poscyberattacksttacks (OceanLotus) on German automobile companies." In the e-mail, the BR research, the hacker's procedure is described in detail." The report reads.