Supply-chain Attack Targeting Certification Authority in Southeast Asia

ESET Researchers exposed a supply-chain attack took place on the site of the Vietnam Federal Government Accreditation Authority (VGCA): This is comparable to the supply-chain attack on the Able Desktop software just a couple of weeks ago.

The aggressors modified 2 of the software application installers available for download on the site and included a backdoor to compromise users of the genuine application.

The supply-chain attack in Vietnam

The VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese federal government, and probably by private business, to sign digital files.

In Vietnam, digital signatures are really typical, as digitally-signed documents have the very same level of enforceability as “damp” signatures.

According to Decree No. 130/2018, the cryptographic certificates utilized to sign files need to be granted by among the licensed certificate companies that include the VGCA, which becomes part of the Government Cipher Committee. That committee, in turn, depends upon the Ministry of Information and Communication.

2 of the installers available for download, gca01-client-v2-x32-8.3. msi, and gca01-client-v2-x64-8.3. msi, were customized to include a piece of malware understood as PhantomNet or SManager and recently examined by NTT Security.

This harmful file is an easy dropper that extracts a Windows cabinet file (.

Researchers verify that those installers were downloaded from over the HTTPS procedure, so it is unlikely to be a man-in-the-middle attack

You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity, and hacking news updates.

In this specific case, the aggressors compromised the site of a Vietnamese certificate authority, in which users are likely to have a high level of trust.

If the dropper runs as an admin, the backdoor is composed to C: Windowsapppatchnetapi32.dll and for persistence, the dropper registers the destructive DLL as a service.

For the common user, the backdoor is written to % TEMP% Wmedia<< GetTickCount>>. tmp and for the persistence, the dropper creates an arranged task that calls the export Entry of the destructive DLL.

As soon as downloaded and carried out, the installer begins the authentic GCA program and the destructive file. The harmful file is written to C: Program FilesVGCAAuthenticationSACx32eToken.exe.


” Supply-chain attacks are usually hard to discover, as the destructive code is normally hidden amongst a lot of genuine code, making its discovery substantially harder”, states the ESET scientists. The Vietnam Government Certification Authority confirmed that they were mindful of the attack before the notice and they notified the users who downloaded the trojanized software application.

This malicious file is a simple dropper that draws out a Windows cabinet file (. taxi) called 7z. taxi which consists of the backdoor.

The PhantomNet backdoor is rather simple and can collect victim information (computer name, hostname, username, OS version, user opportunities [admin or not], and the public IP address) in addition to set up, remove and update malicious plugins..


It can retrieve the victims proxy setup and utilize it to reach out to the command and control (C&C) server.

Simplified scheme of the supply-chain attack.

PhantomNet carries out certificate pinning, using functions from the SSPI library. The certificate is downloaded throughout the very first connection with the C&C server and after that kept in the Windows certificate shop.