The Less Progressive but Consistent, Cycldek Threat Actors

It is somewhat usual for tools and methodologies to be allowed to share throughout the nebula of Chinese threat actors. The infamous “DLL side-loading triad” is one of that kind of example. The side-loading-dynamic link library (DLL) is an extremely effective method of cyber-attack that benefits from the management of DLL files by Microsoft Windows applications. A genuine executioner, a malicious DLL, and an encrypted payload have usually been dropped from a self-extraction file. Initially regarded as the LuckyMouse signature, developers observed that other organizations were using a similar ‘triad’ like HoneyMyte. Although it indicates that attacks depending only on this technique cannot be attributed, the efficient prevention of such triads shows increasing malicious activity. 

A malware sample has been identified by researchers knows as FoundCore Loader which is configured to attack high-profile organizations in Vietnam. As per the high-level perspective of the researchers, the virus chain follows an execution that starts from the – FINDER.exe (a genuine MS Outlook file) which side loads to the outbill.dll (a malicious loader ) that eventually hijacks the flow of the execution and decrypts and runs a Shellcode placed in a rdmin.src file ( that is a malicious loader companion). 

The FoundCore payload is the final payload that is a remote access tool that provides its operators with complete control of the victim machine. This malware begins with 4 threads when it is executed. The first one determines persistence through the development of a service. The second establishes unclear information for the system by modifying its fields like ‘Description,’ ‘Image Path,’ ‘Display Name’ (among others). The third set the vacant DACL (“D:P” SDDL) image for the current process to avoid access to the entire malicious file. To discourage the malicious file from entering. In the end, the worker thread bootstraps execution and connects to the C2 server. It can also incorporate a copy of itself into another process, based on its configuration. FoundCore gives complete control of the victim’s machine to the threat player. The malware supports various instructions to manipulate the filesystem, manipulate the procedure, execute arbitrary commands, and record screenshots. DropPhone and CoreLoader are other malware delivered during the attacks. 

Cycldek, which has been active since 2013 and is also recognized as Goblin Panda and Conimes, is famous for its targeted delivery and preferences being the Vietnam targets and the governments in South East Asia. As per a report, that in June 2020 a piece of personalized malware had been used to exfiltrate airborne data, a clear sign of transformation for a group considered less sophisticated. According to Kaspersky, more recent attacks show even more sophistication. 

A genuine part of Microsoft Outlook was mistreated to load a DLL which would operate a shellcode that acts as a loader of FoundCore RAT in an attack on a high-profile Vietnamese organization. While Cycldek has been regarded to be one of the less advanced threat actors in the Chinese-speaking world, the goal of the campaign is recognized to be consistent.