April 30, 2020
Anomali Threat Research

Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center

<p><em>Authored by: Sara Moore, Joakim Kennedy, Parthiban R, and Rory Gould</em></p><p>The Anomali Threat Research Team detected a spear phishing email targeting government employees in the Municipality of Da Nang, Vietnam. The email contained a malicious Microsoft Excel document which drops a malicious Dynamic-Link Library (DLL) providing the actor with CMD reverse shell over HTTP. The DLL shares code similarities to exile-RAT, a tool associated with Pirate Panda. Pirate Panda is an APT backed by China and known for targeting government and political organisations.</p><p>Pirate Panda has reportedly focused primarily on issues surrounding territorial conflicts in the South China Sea <sup>[1]</sup>. As Da Nang lies on the Coast of Vietnam, opposite the Paracel Islands (an area of territorial dispute), this may provide some understanding of why Pirate Panda would consider targeting this municipality. <sup>[2]</sup></p><p>The phishing email and lure document observed suggest that the employees targeted likely work within a government-run data center. Such attacks are consistent with other regional APT campaigns <sup>[3]</sup>. If Pirate Panda were to compromise a government-run data center, it would have access to vast amounts of sensitive information.</p><h2>Targeted Phishing</h2><p>In the screenshot below, the phishing email shown was sent by a government employee to another government employee. The intended victim had a “danang.gov.vn” appended to the email address, as seen in the email headers.</p><p style="text-align: center;"><em><img alt="Phishing email" src="https://cdn.filestackcontent.com/q3VdGyw9QzyVPTY1qBkk"/><br/> Figure 1, Phishing email</em></p><p>The subject header is “Cập nhật lịch trực lễ 30/4 và ⅕,” which Google translates as “Updated live schedule 30_4 and 1_5.eml.” The live schedule appeared to be for the dates of April 30 and May 1, which may indicate that the lure theme was related to events on those days. As both 30 April and 1 May are Vietnamese national holidays, it is plausible the theme related to those events, although we cannot confirm that hypothesis based on available data.</p><ul><li>30 April is “Reunification Day,” marking the unification between North and South Vietnam in 1975</li><li>May is Vietnam’s national “Labour Day” holiday, which has political associations with communism and the working class</li></ul><p style="text-align: center;"><em><img alt="Email header for phishing sample" src="https://cdn.filestackcontent.com/4jWxM6KTlibjs192jcTF"/><br/> Figure 2, Email header for phishing sample</em></p><p>We assess that the phishing email likely came from a genuine internal mailbox, as Microsoft Exchange categorised it as “Internal” and the IP address in the email header was from an internal private network. If the originating email account was associated with a real employee, that employee was likely compromised previously, or they are conducting internal pentesting.</p><p>An open-source search of both email addresses only located information about the victim email address in an online spreadsheet titled “Công viên phần mềm Đà Nẵng,” which Google translates to “Da Nang Software Park.” We were unable to determine what if any link exists between the government employees listed and the park. The spreadsheet contained email addresses, telephone numbers and possible job titles for Da Nang government employees, with the victim’s job title translating to “Expert”. The spreadsheet was hosted on dsp.vn, a government-owned site that described the Da Nang IT Infrastructure Development Center as having been established under the People's Committee of Da Nang City, a non-business unit under the Department of Information and Danang media. <sup>[4]</sup></p><p style="text-align: center;"><em><img alt="location of Da Nang" src="https://cdn.filestackcontent.com/W4CJ46YsSOy5zWQIFj39"/><br/> Figure 3, location of Da Nang</em></p><p>Da Nang lies on the coast across from the Paracel Islands, an area of territorial dispute <sup>[5]</sup>. in March 2020, the USS Theodore Roosevelt visited the port of Da Nang to commemorate the relationship between Vietnam and the United States <sup>[6]</sup>. According to press reporting, ”Washington has placed a high priority on improving its defense ties with Vietnam recently as part of President Donald Trump’s National Defense Strategy, which prioritizes strategic competition with China and countering its growing military capabilities in Asia.” <sup>[7]</sup></p><p>Since the outbreak of COVID-19, there has been an increase in naval activity in the South China Sea, including the Chinese aircraft carrier Liaoning and US Navy ships patrolling the area; indications of ongoing regional tensions.</p><h2>Malicious Excel Document</h2><p>The phishing email contains an attachment called “lich truc li,” which translates as “office schedule.”</p><p style="text-align: center;"><em><img alt="Screenshot of the malicious excel document" src="https://cdn.filestackcontent.com/yuDEItNQB2PVqgMPKLG9"/><br/> Figure 4, Screenshot of the malicious excel document</em></p><p>The spreadsheet contained a table with three titles “bảng phân công trực trung tâm dữ liệu,” which translates as “Data Center assignment table,” “TRUNG TM PHÁT TRIỂN HẠ TẦNG ĐA NĂNG,” which translates as “Multi-infrastructure development center,” and “phòng hệ thống,” which translates as “system room.” This may support a hypothesis that the government employees work in a data center in the Da Nang Software Park. This spreadsheet is likely an employee schedule. Column B appears to hold employee names, whilst C &amp; D correspond with shift patterns laid out in rows 19-24. An open-source search suggests that the acronyms "“TC1,” “TC2,” and “TC3” may refer to technology centers.</p><p>When the Excel document is opened, two executables (utilman.exe and mpsvc.dll) will be dropped at folder %AppData%MicrosoftCorporation. Utilman.exe is Windows Defender executable MsMpeng.exe. The attacker is employing a DLL Side-Loading technique using a legitimate security product to load a malicious dll <sup>[8]</sup>. This is a common technique for a variety of threat actors and groups. A shortcut for utilman.exe is then created at the startup folder so that the dropped files execute during the next reboot of the machine and communicate with a command and control (C2).</p><p style="text-align: center;"><em><img alt="process graph" src="https://cdn.filestackcontent.com/vjiNRhwESv3QOM715pnA"/><br/> Figure 5, process graph</em></p><p>Mpsvc.dll initially makes a number of DNS requests to “dns.google” ( and which is Google’s public DNS service. The domain name resolved as skypechatvideo[.]online.</p><p style="text-align: center;"><em><img alt="pcap file for mpsvc.dll" src="https://cdn.filestackcontent.com/G2ZSte1ZTjSChCesrIQE"/><br/> Figure 6, pcap file for mpsvc.dll</em></p><p>After communicating to Google DNS, the victim machine communicates with the C2 skypechatvideo[.]online and sends the following GET request:</p><p>http://skypechatvideo[.]online/wwwlib/title.php?ID=NzhERjJFQjgtNDk5RC03ODQ0LTlCNzctM0U2QUVBREYyNEU4:U1Q=</p><p>The C2 was hosted on an Apache server running PHP, and communicated with the victim machine over port 49927. The domain skypechatvideo[.]online, which was registered at IP address 185.244.150[.]4 on April 20, 2020 with Registrar NameSilo, was using a privacy service that obfuscated the registrant information. Additionally, according to RiskIQ, only one other domain hosted on the IP address 185.244.150[.]4: onlinedocumentviewer[.]us which was first seen in July 2018. The small number of domains suggests the infrastructure is owned rather than shared, and the long period between the domains makes the relationship between them questionable.</p><p>The dropped executable mpsvc.dll, although containing a large quantity of unique code, was genetically similar to exile-RAT and keyboy; both are RATs Pirate Panda deploys. It is likely that the threat actors modified and developed the code since it was last used. The dll has a compilation date of 22 April 2020, which is two days after the c2 domain was registered, and the phishing email was sent on 27 April 2020. exile-RAT has been observed using the same DLL Sideloading technique, using a legitimate security product to load a malicious dll. In this instance, Windows Defender is being used.</p><h2>Conclusion</h2><p>The phishing email and the lure document suggest that the attack was crafted to target government employees working at a data centre, which is consistent with previous data center targeting by other campaigns attributed to APTs [9]. If the phishing email was sent by a real employee, it is possible that members of the Da Nang government have already been compromised, but were not the targets of interest or didn't have the required access to desired information. It is possible that the national holidays are being used as a lure, because the threat actors may have an imminent desire for lateral movement and access to data. While Anomali has not been able to figure out what information the threat actors are attempting to obtain, if an attacker were to compromise a government-run data center, it would have access to vast amounts of sensitive information. Read more about People’s Republic of China (PRC) in this <a href="https://www.anomali.com/resources/whitepapers/peoples-republic-of-china-prc-cybersecurity-profile-from-anomali-labs">cybersecurity profile</a>.</p><h2>How Anomali Helps</h2><p>The Anomali Threat Research Team provides actionable threat intelligence that helps customers, partners, and the security community to detect and mitigate the most serious threats to their organizations. The team frequently publishes threat research in the form of white papers, blogs, and bulletins that are made available to the security community, general public, and news organizations. Intelligence and bulletins about threat actors and related Indicators of Compromise (IOCs) are integrated directly into Anomali Altitude customers’ security infrastructures to enable faster and more automated detection, blocking, and response. For more information on how Anomali customers gain integrated access to threat research, visit: <a href="https://www.anomali.com/products">https://www.anomali.com/products</a>.</p><h2>Endnotes</h2><p><sup>[1]</sup> CrowdStrike, “CrowdStrike: Ongoing Pirate Panda operations using current event themes”, published March 2nd 2020, accessed April 29th 2020, <a href="https://www.scribd.com/document/451284814/CrowdStrike-Ongoing-Pirate-Panda-operations-using-current-event-themes" target="_blank">https://www.scribd.com/document/451284814/CrowdStrike-Ongoing-Pirate-Panda-operations-using-current-event-themes</a>.</p><p><sup>[2]</sup> Minnie Chan, “Chinese military lashes out at American warship’s ‘intrusion’ in South China Sea”, South China Morning Post, published April 28th 2020, accessed April 28th 2020, <a href="https://www.scmp.com/news/china/diplomacy/article/3081970/chinese-military-lashes-out-american-warships-intrusion-south" target="_blank">https://www.scmp.com/news/china/diplomacy/article/3081970/chinese-military-lashes-out-american-warships-intrusion-south</a>.</p><p><sup>[3]</sup> Denis Legezo, “Chinese Cyber-Espionage Group Hacked Government Data Center“, Kasperksy, published June 15th 2018, accessed April 28th 2020, <a href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank">https://securelist.com/luckymouse-hits-national-data-center/86083/</a>.</p><p><sup>[4]</sup> General Administrative Office, “Da Nang IT Infrastructure Development Center”, published November 23rd 2017, accessed April 28th 2020, <a href="https://dsp.vn/chi_tiet-6420" target="_blank">https://dsp.vn/chi_tiet-6420</a>.</p><p><sup>[5]</sup> Minnie Chan, “Chinese military lashes out at American warship’s ‘intrusion’ in South China Sea”, South China Morning Post, published April 28th 2020, accessed April 28th 2020, <a href="https://www.scmp.com/news/china/diplomacy/article/3081970/chinese-military-lashes-out-american-warships-intrusion-south" target="_blank">https://www.scmp.com/news/china/diplomacy/article/3081970/chinese-military-lashes-out-american-warships-intrusion-south</a>.</p><p><sup>[6]</sup> U.S. Embassy and Consulate in Vietnam, “Theodore Roosevelt Strike Group Completes Port Visit to Da Nang to Commemorate 25 Years of Diplomatic Relations“, published March 11th 2020, accessed April 28 2020, <a href="https://vn.usembassy.gov/theodore-roosevelt-strike-group-completes-port-visit-to-da-nang-to-commemorate-25-years-of-diplomatic-relations/" target="_blank">https://vn.usembassy.gov/theodore-roosevelt-strike-group-completes-port-visit-to-da-nang-to-commemorate-25-years-of-diplomatic-relations/</a>.</p><p><sup>[7]</sup> Benjamin Wilhelm, “Could China’s Aggression in the South China Sea Boost U.S.-Vietnam Relations?”, World Politics Review, published April 8th 2020, accessed April 28th 2020, <a href="https://www.worldpoliticsreview.com/trend-lines/28669/could-china-s-aggression-in-the-south-china-sea-boost-u-s-vietnam-relations" target="_blank">https://www.worldpoliticsreview.com/trend-lines/28669/could-china-s-aggression-in-the-south-china-sea-boost-u-s-vietnam-relations</a>.</p><p><sup>[8]</sup> Marcus Pietro, “DLL Side-Loading for Fun (and Profit?) - Day 4”, Marpie , published January 4th 2019, accessed April 28th 2020, <a href="https://www.a12d404.net/security/2019/01/04/side-loading-fun-4.html" target="_blank">https://www.a12d404.net/security/2019/01/04/side-loading-fun-4.html</a>.</p><p><sup>[9]</sup> Denis Legezo, “Chinese Cyber-Espionage Group Hacked Government Data Center“, Kasperksy, published June 15th 2018, accessed April 28th 2020, <a href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank">https://securelist.com/luckymouse-hits-national-data-center/86083/</a>.</p><h2>Appendix A: Indicators of Compromise (IOCs)</h2><table class="table table-striped" style="table-layout: fixed;"><thead><tr><th scope="col">Indicator of Compromise</th><th scope="col">Description</th></tr></thead><tbody><tr><td style="word-wrap: break-word;">cd075ddb7cbe9bfb9ca955be605a6f622d83bcef7eded2b495c653e86fe9b59e</td><td>Phishing Email Sample</td></tr><tr><td style="word-wrap: break-word;">9736c6230909c71a6010d6005a86ffd60f5b9cfa2fdeae2a78084ffe48dc01dc</td><td>Excel document lure sample</td></tr><tr><td style="word-wrap: break-word;">80C3E22B640B47E0C41F4185F091E2C523A9EF291A75B7007303E2267B8D68C5</td><td>Utilman.exe - MsMpEng.exe which is Windows Defender (legitimate security tool)</td></tr><tr><td style="word-wrap: break-word;">A369FEE3B83C2D2534C48FDFAC8D03A266809AAA28ACE6B6002EAB57CC14EDD1</td><td>Mpsvc.dll - malicious DLL</td></tr><tr><td style="word-wrap: break-word;">skypechatvideo[.]online</td><td>C&amp;C Domain</td></tr></tbody></table>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.