ESET researchers report that unknown attackers injected malware into client applications distributed by the Vietnam Government Certification Authority (VGCA), the government body that issues the digital certificates used to electronically sign documents. Both private companies and government agencies were affected by the compromise. The researchers named the operation SignSight.
Any Vietnamese citizen, company or government agency that wants to submit files to the Vietnamese government is required to sign them with a VGCA-compliant digital certificate. To support this, VGCA not only issues certificates but also provides ready-made client applications that citizens, companies and officials can install on their computers to automate the signing process.
According to ESET, it is these applications that were trojanized by the unknown attackers. Earlier in 2020, the attackers compromised the VGCA website (ca.gov.vn) and injected malware into installers offered for download from the site. The affected files were the Windows installers gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi.
According to the researchers, between July 23 and August 5, 2020, these files carried the PhantomNet backdoor, also known as Smanager. The report describes the malware itself as relatively simple and concludes that it serves as a framework for loading more capable plugins. Among other things, PhantomNet plugins could read the system's proxy settings in order to get traffic past corporate firewalls, and could download and run additional malware. ESET assesses that this was used for reconnaissance inside victims' networks in preparation for more serious attacks.
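The practical lesson of a trojanized installer served from a legitimate vendor site is that the download location alone proves nothing; the file has to be checked before it is run. The following PowerShell script is an added example for this article and is not code from ESET or VGCA. It triages a downloaded installer by verifying its Authenticode signature, confirming the signer is the certificate you expect, and comparing the file's SHA-256 against hashes obtained through a channel other than the download site. The thumbprint and hash values it takes are placeholders (assumptions), not real VGCA values; the two file names come from the article.

```powershell
# Added example for this article; not code from ESET or VGCA.
# Triage a downloaded installer before running it: check the Authenticode
# signature, confirm it was made by the certificate you expect, and compare the
# file hash against values obtained out of band from the vendor.
# The thumbprint and hash list are PLACEHOLDERS (assumptions), not real VGCA
# values: replace them with values you verified through another channel.

function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $ExpectedThumbprint,
        [string[]] $KnownGoodSha256 = @()
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false; Sha256 = $null; Signer = $null
            Reasons = @('file not found')
        }
    }

    # 1. Authenticode: 'Valid' means the signature verifies and chains to a trusted root.
    #    'NotSigned', 'HashMismatch' (file altered after signing) and 'UnknownError' all fail.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("Authenticode status is '$($sig.Status)'")
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        # A valid signature from the wrong publisher is still a red flag for a file
        # that is supposed to come from one specific vendor.
        $reasons.Add("valid signature, but signer thumbprint $($sig.SignerCertificate.Thumbprint) is not the expected one")
    }

    # 2. Hash pinning: only meaningful if the reference hashes came from a channel
    #    other than the (possibly compromised) download site itself.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($KnownGoodSha256.Count -gt 0 -and $sha256 -notin $KnownGoodSha256) {
        $reasons.Add("SHA-256 $sha256 is not in the known-good list")
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($reasons.Count -eq 0)
        Sha256  = $sha256
        Signer  = $signer
        Reasons = $reasons.ToArray()
    }
}

# Usage with hypothetical values: check the two installer names mentioned in the article.
$expectedThumbprint = 'REPLACE_WITH_VENDOR_CERT_THUMBPRINT'   # assumption, not a real value
$knownGood          = @()                                     # fill from an out-of-band source
foreach ($f in 'gca01-client-v2-x32-8.3.msi', 'gca01-client-v2-x64-8.3.msi') {
    if (Test-Path -LiteralPath $f) {
        Test-InstallerTrust -Path $f -ExpectedThumbprint $expectedThumbprint -KnownGoodSha256 $knownGood |
            Format-List Path, Trusted, Signer, Sha256, Reasons
    }
}
```

Two caveats apply. A valid signature only proves the file was signed by the holder of that key; it does not help if the vendor's signing key or build pipeline was itself compromised, which is why the hash comparison is kept as a second, independent control. And the hash list is only as trustworthy as the channel it came from: hashes copied from the same compromised web page would simply match the trojanized file.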
Interestingly, PhantomNet infections were also identified in the Philippines, but how those victims were compromised is not yet clear; the researchers believe a different delivery mechanism was used there.
ESET says it notified VGCA of the compromise in December 2020, but by then the certification authority was already aware of it. In parallel with the publication of ESET's report, VGCA officially acknowledged the breach and published guidance explaining how victims can remove the malware.
Although ESET draws no conclusions in its report about the attribution of this malware or of the campaign as a whole, earlier research has usually associated PhantomNet (Smanager) with Chinese cyber-espionage activity.