Operation SignSight is a newly documented supply chain attack targeting private companies in Vietnam. The SignSight attackers chose their delivery vehicle carefully: they embedded malware inside an official government software toolkit that their targets were expected to install.
SignSight attacks aimed against the Vietnam Government Certification Authority
The attack, discovered and named by ESET researchers, was directed at the Vietnam Government Certification Authority (VGCA), the body responsible for issuing and signing digital certificates. “The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software,” the researchers said.
What is the VGCA organization?
The VGCA issues digital certificates to citizens, companies, and government entities that need to submit signed documents to the government. Beyond issuing certificates, the agency also distributes ready-made client applications that these parties install on their computers to automate document signing.
According to the report, the threat actors behind the SignSight attack compromised the VGCA’s website and slipped malware, in the form of two malicious Windows files, into two of the agency’s client apps. The files carried a backdoor known as PhantomNet (also called Smanager). Although the backdoor itself is not sophisticated, it can load additional plugins with more dangerous capabilities.
In terms of its capabilities, the PhantomNet backdoor “can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server. This shows that the targets are likely to be working in a corporate network.”
In addition, “PhantomNet uses the HTTPS protocol to communicate with its hardcoded C&C servers: vgca.homeunix[.]org and office365.blogdns[.]com. In order to prevent a man-in-the-middle attack, PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store,” the report said.
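Because PhantomNet reaches its C&C servers through the victim’s corporate proxy, proxy and DNS logs are a natural place to look for it. The following is an added detection example, not code from ESET or the report: it refangs the two C&C domains quoted above and matches them (including subdomains) against a constructed sample of proxy log lines. The log format is an assumption.

```python
"""Flag proxy log lines that reach the PhantomNet C&C domains named in the report.

Indicators are kept in the report's defanged form ("[.]") and refanged before
matching, so the list can be pasted straight from the write-up. The log format
(timestamp client method target) and the log lines themselves are constructed.
"""
from urllib.parse import urlparse

# C&C domains quoted in the ESET report, defanged as published
PHANTOMNET_C2 = ["vgca.homeunix[.]org", "office365.blogdns[.]com"]

# Constructed sample proxy log; the third and fifth lines would be generated by
# a PhantomNet implant, the fourth is a look-alike legitimate domain
SAMPLE_PROXY_LOG = """\
2020-12-17T08:01:12Z 10.0.5.23 CONNECT vgca.homeunix.org:443
2020-12-17T08:01:15Z 10.0.5.23 GET https://www.microsoft.com/
2020-12-17T08:02:40Z 10.0.5.77 CONNECT office365.blogdns.com:443
2020-12-17T08:03:02Z 10.0.5.77 GET https://office365.com/
2020-12-17T08:05:11Z 10.0.5.23 CONNECT update.vgca.homeunix.org:443
"""


def refang(indicator: str) -> str:
    """Turn a defanged hostname such as example[.]com into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


def extract_host(target: str) -> str:
    """Pull the hostname out of a URL (GET) or host:port field (CONNECT)."""
    if "://" in target:
        return (urlparse(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def matches_c2(host: str, c2_hosts) -> bool:
    """True for an exact match or any subdomain of a known C&C host."""
    return any(host == c2 or host.endswith("." + c2) for c2 in c2_hosts)


def find_c2_hits(log_text: str, indicators=PHANTOMNET_C2):
    """Return (timestamp, client_ip, host) for every line contacting a C&C host."""
    c2_hosts = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, _method, target = parts[:4]
        host = extract_host(target)
        if matches_c2(host, c2_hosts):
            hits.append((timestamp, client, host))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print("PhantomNet C&C contact:", *hit)
```

A hit on these domains should be treated as evidence of a trojanized VGCA client on that host, and the client IP is the starting point for triage.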
In most cases, supply chain attacks like this one are hard for researchers and defenders to detect, because the malicious code is concealed within software that is otherwise legitimate and expected on the victim’s machine.