New APT27 Cyberespionage Campaign Unveiled

It’s just the fourth month of the year and we have already had a horde of cyber espionage campaigns. Now, another new one has been revealed by researchers.

What’s going on?

Kaspersky spotted a cyberespionage campaign targeted against government and military organizations in Vietnam via DLL side-loading. The campaign has been attributed to a threat actor related to Cycldek – a Chinese-speaking threat actor. Although this actor shares similarities with Cycldek, it is highly sophisticated as compared to the latter. It is hypothesized that the operators of Cycldek have joined another team.

Why does it matter?

The campaign lasted from June 2020 to January 2021, with the sole purpose of collecting political intelligence. However, the specific targets of the campaign were not disclosed. The tactic used to propagate the FoundCore trojan prevented the malicious code from analysis. Furthermore, single pieces cannot be recovered from the tightly coupled infection chain, implying that security teams don’t have a broader picture of the malicious activity.

Victimology

  • Among the dozens of affected organizations, 80% are located in Vietnam and are related to government, military, education, diplomacy, or healthcare.
  • Not just Vietnam, organizations in Thailand and Central Asia have also been impacted.
  • Government agencies in Vietnam have issued two advisories mentioning malicious documents leveraged by the threat actors.

The bottom line

Although the campaign has not been successfully attributed to Cycldek, it brings to light the increasing sophistication of threat actors. The various stages of obfuscation and complex reverse engineering are anticipated to be indicators of more such activities in the near future.

Related posts

Leave a Comment