Proprietary · 2020-07-23 · 24 days · Backdoor, Espionage

VGCA website served backdoored installers

Operation SignSight replaced official VGCA signing-toolkit MSI installers. The packages installed the legitimate app and the PhantomNet espionage backdoor.

Story

Vietnam's Government Certification Authority is not just another software vendor. It issues government digital certificates and distributes the GCA toolkit that Vietnamese agencies and private organizations use to sign electronic documents. That made its download site a high-trust target.

In Operation SignSight, attackers compromised ca.gov.vn and replaced the x86 and x64 GCA 8.3 MSI installers. ESET confirmed the trojanized files were downloaded over HTTPS from the official VGCA site, which makes a man-in-the-middle explanation unlikely. A user still had to download and run the installer, but the trust decision had already been shaped by the certificate authority's domain.

The installers still launched the genuine GCA program. They also wrote a malicious eToken.exe under C:\Program Files\VGCA\Authentication\SAC\x32\, then unpacked a CAB that carried the PhantomNet backdoor, also called SManager. Admin installs registered the backdoor DLL as a Windows service under C:\Windows\apppatch\netapi32.dll; non-admin installs used a scheduled task and a %TEMP%\Wmedia\ path.

PhantomNet was built for espionage rather than monetization. It gathered host and user details, read browser proxy settings so it could reach out from corporate networks, and used HTTPS with certificate pinning to contact vgca.homeunix.org and office365.blogdns.com. ESET also found a plugin with debug paths suggesting lateral-movement capability, including Mimikatz-related code.

ESET dated the presence of the malicious installers on the VGCA site to between July 23 and August 16, 2020. VGCA said it had already become aware of the incident, notified users who had downloaded the trojanized software, and replaced the installers. This record tracks the distribution of the MSI packages through the official website, not the cryptographic root trust of the certificate authority itself.

Affected Artifacts

Incident Context

Motive: Espionage
Attribution: State
Cause: Website Compromise
Transitive: No
Actor: Unknown espionage actor

Indicators

  • family: PhantomNet
  • family: SManager
  • file: gca01-client-v2-x32-8.3.msi
  • file: gca01-client-v2-x64-8.3.msi
  • file: eToken.exe
  • file: C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe
  • file: C:\Windows\apppatch\netapi32.dll
  • file: 7z.cab
  • domain: vgca.homeunix.org
  • domain: office365.blogdns.com
  • technique: HTTPS command and control with certificate pinning
  • technique: Windows service persistence for admin installs
  • technique: Scheduled task persistence for non-admin installs
  • hash: sha1:5C77A18880CF58DF9FBA102DD8267C3F369DF449
  • hash: sha1:B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A
  • hash: sha1:9522F369AC109B03E6C16511D49D1C5B42E12A44
  • hash: sha1:989334094EC5BA8E0E8F2238CDF34D5C57C283F2

External References

Source record: proprietary/vgca/meta.yaml