Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center


Authored by: Sara More, Joakim Kennedy, Parthiban R, and Rory Gould


The Anomali Threat Research Team detected a spear phishing email targeting government employees in the Municipality of Da Nang, Vietnam. The email contained a malicious Microsoft Excel document which drops a malicious Dynamic-Link Library (DLL) that provides the actor with a CMD reverse shell over HTTP. The DLL shares code similarities with exile-RAT, a tool associated with Pirate Panda. Pirate Panda is an APT backed by China and known for targeting government and political organisations.


Pirate Panda has reportedly focused primarily on issues surrounding territorial conflicts in the South China Sea [1]. As Da Nang lies on the coast of Vietnam, opposite the Paracel Islands (an area of territorial dispute), this may help explain why Pirate Panda would consider targeting this municipality [2].


The phishing email and lure document observed suggest that the employees targeted likely work within a government-run data center. Such attacks are consistent with other regional APT campaigns [3]. If Pirate Panda were to compromise a government-run data center, it would have access to vast amounts of sensitive information.


Targeted Phishing


In the screenshot below, the phishing email shown was sent by one government employee to another government employee. The intended victim's email address was in the “danang.gov.vn” domain, as seen in the email headers.


Figure 1, Phishing email


The subject header is “Cập nhật lịch trực lễ 30/4 và 1/5,” which Google translates as “Updated live schedule 30_4 and 1_5.eml.” The live schedule appeared to be for the dates of April 30 and May 1, which may indicate that the lure theme was related to events on those days. As both 30 April and 1 May are Vietnamese national holidays, it is plausible the theme ..
