A hacking campaign is targeting large Vietnamese organizations—and is connected to the same party that previously targeted Vietnam Airlines back in 2016.
According to Votiro, the offensives are possibly led by the Chinese 1937CN group.
The campaign was uncovered when two malicious documents exploiting CVE-2012-0158 were submitted to VirusTotal in early August. After following the breadcrumbs, researchers uncovered more than a dozen malicious domains being used for C&C activity. Some of them, such as dcsvn[.]org (a spoof of the website of the Vietnam Communist Party), have been active since 2015.
It’s this same website that provides the link to 1937CN. In 2016, Vietnam’s flagship airline was the victim of a coordinated attack in which malware was installed on the administrator's machine for espionage and remote access. The airline’s website was defaced and its homepage replaced with a message from the 1937CN group, and data for more than 400,000 frequent flier enrollees to its Golden Lotus program was leaked online. At the same time, audio and screen systems at Tan Son Nhat and Noi Bai, the two biggest airports in Vietnam, were modified to spread political messages.
Previous research from Bkav Malware Research identified the same URL as providing C&C for the malware, which is capable of penetrating deep into networks and wreaking havoc. Bkav found that it disguises itself as antivirus software and usually hides for quite some time without being detected while it sets about collecting account IDs and passwords. It also enables remote control of the victim machine, so attackers can perform various malicious actions such as deleting traces, changing audio files, displaying information on screen systems, encrypting data and so on. Additionally, the malware has components specialized to manipulate SQL databases.
1937CN has a history of targeting Vietnam that predates the airline campaign: it also hacked about 1,000 Vietnamese websites in May 2015, including 15 government portals and 50 education sites. At the same time, it set its sights on 200 websites in the Philippines.