{"id":20189,"date":"2025-04-29T10:00:12","date_gmt":"2025-04-29T03:00:12","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=20189"},"modified":"2025-05-31T10:12:31","modified_gmt":"2025-05-31T03:12:31","slug":"cyber-attack-campaigns-targeting-vietnam-uncovered","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/cyber-attack-campaigns-targeting-vietnam-uncovered\/","title":{"rendered":"Cyber Attack Campaigns Targeting Vietnam Uncovered"},"content":{"rendered":"<p>During the process of gathering information on hacker attack campaigns in cyberspace, the\u00a0<strong>FPT Threat Intelligence<\/strong>\u00a0team recorded warnings about a new targeted cyberattack campaign, suspected to be linked to APT 41, aimed at Vietnam and government organizations in the region.<\/p>\n<h2 id=\"heading-details\" class=\"permalink-heading\"><strong>Details<\/strong><\/h2>\n<ul>\n<li>Since around July 2024, security researchers have observed a series of attacks using the AppDomainManager Injection technique to spread malware.<\/li>\n<li>History of AppDomainManager Injection: This concept was first introduced in 2017. Since then, many articles explaining the concept and examples (Proof of Concept &#8211; PoC) have been published. 
However, although the technique is known in the research community, it is rarely used in real attacks, so it remains little known in the wider security community.<\/li>\n<\/ul>\n<p>AppDomainManager Injection is a sophisticated attack technique in the .NET Framework environment.\u00a0<strong>AppDomainManager<\/strong>\u00a0is a .NET Framework class that controls how AppDomains are created and managed; it is normally used to customize AppDomain behavior.<\/p>\n<p><strong>The technique abuses legitimate .NET Framework mechanisms:<\/strong><\/p>\n<ul>\n<li><strong>Version Redirect<\/strong>: A configuration file (.config) is used to bind a specific assembly version. Attackers abuse this binding to load a malicious DLL.<\/li>\n<li><strong>AppDomainManager Overriding<\/strong>: A class that inherits from AppDomainManager overrides the InitializeNewDomain method to inject malicious code.<\/li>\n<li><strong>Execution Flow<\/strong>: When a .NET application starts, it reads the configuration file, which points to the malicious DLL. 
The malicious DLL is loaded and initialized, allowing malicious code execution.<\/li>\n<\/ul>\n<h2 id=\"heading-details-of-the-attack-flow\" class=\"permalink-heading\">Details of the attack flow<\/h2>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-1-1739412747.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20190\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-1-1739412747.jpg\" alt=\"Cyber Attack Campaigns Targeting Vietnam Uncovered FPT IS 1\" width=\"590\" height=\"888\" \/><\/a><\/p>\n<ul>\n<li><strong>Initial Attack Vector:<\/strong>\u00a0There are two methods:\n<ul>\n<li>a) Download a ZIP file from a website prepared by the attacker.<\/li>\n<li>b) Receive the ZIP file through a targeted phishing email (spear-phishing).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Open the ZIP File:<\/strong>\u00a0The ZIP file contains a malicious MSC file &#8211;\u00a0<em>MSC (Microsoft Common Console Document) is a file format used by the Microsoft Management Console.<\/em>\n<ul>\n<li>Disguised MSC File: The icon of the MSC file is changed to look like a PDF or Microsoft Word file. This increases the likelihood of the user opening the file without suspicion.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Activate GrimResource:<\/strong>\u00a0GrimResource is a technique that allows malicious behavior to be triggered as soon as the user opens the MSC file. 
Previously, the attacker had to convince the user to click a link in the MSC file.<\/li>\n<li><strong>Execute JavaScript:<\/strong>\n<ul>\n<li>The malicious MSC file exploits apds.dll through GrimResource to execute embedded JavaScript code.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-2-1739412809.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20192\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-2-1739412809.jpg\" alt=\"Cyber Attack Campaigns Targeting Vietnam Uncovered Fpt Is 2 1739412809\" width=\"911\" height=\"150\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-2-1739412809.jpg 911w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-2-1739412809-700x115.jpg 700w\" sizes=\"(max-width: 911px) 100vw, 911px\" \/><\/a><\/p>\n<ul>\n<li><strong>Download and execute:<\/strong>\u00a0JavaScript downloads 4 files, then it launches oncesvc.exe, a legitimate Microsoft executable (originally named dfsvc.exe).<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-3-1739412828.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20193\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-3-1739412828.jpg\" alt=\"Cyber Attack Campaigns Targeting Vietnam Uncovered Fpt Is 3 1739412828\" width=\"918\" height=\"736\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-3-1739412828.jpg 918w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-3-1739412828-700x561.jpg 700w\" sizes=\"(max-width: 918px) 100vw, 918px\" \/><\/a><\/p>\n<ul>\n<li><strong>AppDomainManager 
Injection:<\/strong>\u00a0A configuration file named oncesvc.exe.config is placed in the same folder as the executable file.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-4-1739412893.jpg\"><img decoding=\"async\" class=\"size-full wp-image-20194 alignnone\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-4-1739412893.jpg\" alt=\"Cyber Attack Campaigns Targeting Vietnam Uncovered Fpt Is 4 1739412893\" width=\"914\" height=\"266\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-4-1739412893.jpg 914w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-4-1739412893-700x204.jpg 700w\" sizes=\"(max-width: 914px) 100vw, 914px\" \/><\/a><\/p>\n<ul>\n<li>The configuration file uses a &#8220;version redirect&#8221; to load a malicious DLL from an external source.<\/li>\n<li><strong>Malicious Code Execution:<\/strong>\u00a0The malicious DLL contains a class that inherits from AppDomainManager. 
When the InitializeNewDomain method is called, it triggers malicious behavior.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-5-1739412978.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20195\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-5-1739412978.jpg\" alt=\"Cyber Attack Campaigns Targeting Vietnam Uncovered Fpt Is 5 1739412978\" width=\"910\" height=\"317\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-5-1739412978.jpg 910w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Cyber-Attack-Campaigns-Targeting-Vietnam-Uncovered-FPT-IS-5-1739412978-700x244.jpg 700w\" sizes=\"(max-width: 910px) 100vw, 910px\" \/><\/a><\/p>\n<ul>\n<li><strong>Final Outcome:<\/strong>\n<ul>\n<li>The attacker gains access to the target system.<\/li>\n<li>In this attack campaign, the attacker uses a\u00a0<strong>CobaltStrike beacon<\/strong>\u00a0to maintain access and control over the system.<\/li>\n<li>The final conclusion is that the malware related to this campaign is\u00a0<strong>CobaltStrike<\/strong>, with technical indicators and infrastructure similar to the APT 41 group. 
The campaign has caused significant impacts on organizations in Taiwan (China) and military units in the Philippines.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 id=\"heading-iocs\" class=\"permalink-heading\">IOCs<\/h2>\n<p><strong><em>Domain:<\/em><\/strong><\/p>\n<ul>\n<li><code>krislab[.]site<\/code><\/li>\n<li><code>msn-microsoft[.]org<\/code><\/li>\n<li><code>s2cloud-amazon[.]com<\/code><\/li>\n<li><code>s3bucket-azure[.]online<\/code><\/li>\n<li><code>s3cloud-azure[.]com<\/code><\/li>\n<li><code>s3-microsoft[.]com<\/code><\/li>\n<li><code>trendmicrotech[.]com<\/code><\/li>\n<li><code>visualstudio-microsoft[.]com<\/code><\/li>\n<li><code>xtools[.]lol<\/code><\/li>\n<\/ul>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\">Recommendations<\/h2>\n<p><strong>FPT Threat Intelligence recommends the following actions:<\/strong><\/p>\n<ul>\n<li>Control access by applying the principle of least privilege to all user accounts. Limit write permissions to directories containing .NET applications. Use group policies to control the execution of files from untrusted locations.<\/li>\n<li>Use automated vulnerability scanning tools to check the entire system, focusing on vulnerabilities related to the .NET Framework and AppDomainManager.<\/li>\n<li>Review .NET configuration files, especially .config files. Look for suspicious or unusual configurations.<\/li>\n<li>Examine the system using the IOC list provided above and check system logs for signs of suspicious activity. 
Focus on events related to loading and executing unknown assemblies.<\/li>\n<\/ul>\n<h2 id=\"heading-references\" class=\"permalink-heading\">References<\/h2>\n<ol>\n<li>Hackers now use AppDomain Injection to drop CobaltStrike beacons, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-now-use-appdomain-injection-to-drop-cobaltstrike-beacons\/\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-now-use-appdomain-injection-to-drop-cobaltstrike-beacons\/<\/a><\/li>\n<li>Attacks by malware abusing AppDomainManager Injection, <a href=\"https:\/\/jp.security.ntt\/tech_blog\/appdomainmanager-injection-en\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/jp.security.ntt\/tech_blog\/appdomainmanager-injection-en<\/a><\/li>\n<\/ol>\n<table style=\"border-collapse: collapse; width: 100%; height: 96px;\">\n<tbody>\n<tr style=\"height: 96px;\">\n<td style=\"width: 100%; height: 96px;\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><br \/>\n<em>Nguyen Van Trung \u2013 FPT IS Cyber Security 
Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":20196,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-20189","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/20189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/20196"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=20189"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=20189"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=20189"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=20189"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=20189"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=20189"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=20189"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=20189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}