New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Chinese-Backed Threat Actor Believed to be Targeting Vietnam

Pirate Panda (China): Researchers at Anomali analyzed a spear-phishing campaign targeting the Da Nang Municipality in Vietnam. The emails were sent with a malicious Excel file attached to them that, once opened, saves a non-malicious executable file named Utilman.exe and a malicious Dynamic-link Library (DLL) named mpsvc.dll in the Application Data folder. The Utilman executable is a copy of the legitimate Microsoft Windows Defender program, but if it is run from the same folder as mpsvc.dll, it will load the malicious DLL using a technique known as DLL side-loading. The malicious mpsvc.dll file is very similar to the exile-RAT and keyboy tools which were previously used by Pirate Panda. After the files are saved to disk, a shortcut to the Utilman (Windows Defender) program is created in the startup folder which will run upon the next restart of the machine, allowing it to communicate with the Command and Control (C2) server. Based on the information in the email and Excel file, it is likely that the victims work in a government-run data center. The Excel file is a falsified work schedule for the dates of April 30- May 1 which are both holidays in Vietnam. The threat actors may be trying to trick victims with these dates as schedules are likely to change around holidays.

Analyst Notes

Analyst’s Note: The C2 server is registered using a privacy service to protect the registrant’s information. Open source searches for the name of the Excel file from researchers did not yield many results, leading them to believe this attack was created just for this period of time. Pirate Panda has targeted governments and data centers before—they primarily focus on the area of the South China Sea. Da Nang is on the coast of Vietnam on the South China Sea border, which aligns with Pirate Panda’s territory of operation. These spear-phishing emails represent a basic yet effective tactic because they rely on the victim to open the documents. By properly training employees on how to spot phishing emails and report them to security personnel rather than opening documents from unknown sources, attacks such as these can be prevented. When employees fail to recognize the threat and open malicious documents, it is important to have Endpoint Detection and Response (EDR) tools in place to alert security teams to the unusual events on the employee workstation so that they can investigate and respond to the intrusion quickly.

More information from Anomali can be read here: