Cycldek, also known as Goblin Panda and Conimes, has been active since at least 2013 and is known for targeting governments in Southeast Asia, with a preference for targets in Vietnam.

In June of last year the group was found to have used a piece of custom malware to exfiltrate data from air-gapped networks, a sign of evolution for a group previously regarded as less sophisticated. According to Kaspersky, the sophistication of its recent attacks has increased.

The campaign, which ran from June 2020 to January 2021, relied on a DLL side-loading infection chain to deliver malicious code that eventually deployed a remote access Trojan (RAT), giving the attackers complete control over compromised machines. In an attack against a high-profile Vietnamese organisation, a legitimate Microsoft Outlook component was abused to load a DLL that ran shellcode acting as a loader for the FoundCore RAT.

Once installed, the malware starts four processes: one to establish persistence as a service, a second to hide the first process, a third to prevent access to the malicious file, and a fourth to connect to the command-and-control (C&C) server. FoundCore gives the threat actor complete control over the victim machine: it supports a number of commands, including file system manipulation, process manipulation, arbitrary command execution and screenshot capture. Two other pieces of malware, DropPhone and CoreLoader, were also distributed as part of the attacks.

“From June 2020 to January 2021, we observed this campaign. Dozens of organisations were impacted, according to our telemetry. Eighty percent of them are based in Vietnam and work in the government or military, or are involved in health, diplomacy, education, or politics in some way. We also discovered sporadic targets in Central Asia and Thailand,” says Kaspersky.