
Cyber Incident Victim: Da Nang government data center

Date: Apr 2020

Location: Viet Nam

Summary

A spear phishing campaign targeted government employees in Da Nang, Vietnam, using malicious Excel documents disguised as holiday schedules. The payload deployed a malicious DLL via DLL side-loading techniques, leveraging a legitimate Windows Defender executable to establish a reverse shell and communicate with a command-and-control server. The malware exhibited code similarities to tools associated with Pirate Panda, a China-backed advanced persistent threat group historically focused on territorial disputes in the South China Sea. The attack infrastructure included a newly registered domain hosting the C2 server, and the phishing email appeared to originate from an internal government account, suggesting potential prior compromise. The operation aimed to infiltrate a government-run data center, potentially enabling access to sensitive information amid regional geopolitical tensions.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On April 27, 2020, a spear phishing email targeted government employees in Da Nang, Vietnam, with email addresses ending in "danang.gov.vn." The email, categorized as "Internal" by Microsoft Exchange and originating from IP address 10.196.132.154 within a private government network, contained an Excel attachment titled "lich truc li" (translated as "office schedule"). The subject line referenced an "Updated live schedule" for April 30 and May 1, aligning with Vietnam's Reunification Day and Labour Day national holidays—dates chosen potentially to exploit employee distraction during holiday preparations. Analysis of the sender and recipient email addresses revealed their inclusion in a publicly accessible spreadsheet hosted on dsp.vn, a government site listing Da Nang IT Infrastructure Development Center personnel under the municipal People's Committee. The spreadsheet contained job titles, with the recipient identified as an "Expert," though no direct link to a specific data center was confirmed.


The malicious Excel document executed a DLL side-loading attack by dropping two files into the %AppData%\MicrosoftCorporation directory: utilman.exe (a renamed copy of the legitimate Windows Defender executable MsMpEng.exe) and mpsvc.dll (a malicious Dynamic-Link Library). A shortcut to utilman.exe was placed in the system startup folder to ensure persistence after reboot. Upon execution, mpsvc.dll initiated DNS requests to Google's public DNS (8.8.8.8, 8.8.4.4) to resolve the command-and-control (C2) domain skypechatvideo[.]online, registered on April 20, 2020, via NameSilo with privacy-protected registrant details. The malware communicated with the C2 server over port 49927 using HTTP GET requests, exfiltrating system identifiers.

Code analysis revealed genetic similarities between mpsvc.dll and Pirate Panda-associated tools such as exile-RAT and Keyboy, though the DLL contained substantial unique code and carried a compilation timestamp of April 22, 2020. The attack infrastructure showed limited domain hosting: only one other domain (onlinedocumentviewer[.]us) had shared the C2 IP (185.244.150[.]4) since 2018, suggesting dedicated actor-controlled resources.

While the campaign's success in compromising the data center remained unconfirmed, its tactics aligned with regional APT operations targeting entities linked to South China Sea territorial disputes, coinciding with heightened U.S.-Vietnam military engagements and Chinese naval activity near Da Nang in early 2020. Anomali Threat Research detected the campaign through IOC analysis but provided no details regarding victim network containment or remediation efforts.
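The chain described above leaves three observable traces on a host and in network logs: a renamed Defender binary sitting next to mpsvc.dll in a user-writable folder, a Startup-folder shortcut pointing into AppData, and DNS/HTTP traffic to the published indicators. The script below is an added hunting example written for this page; it is not Anomali's code and not part of the original report. It assumes a hypothetical host inventory of (path, PE OriginalFilename) pairs, a hypothetical list of (shortcut, target) pairs, and a constructed line-oriented DNS/proxy log format. The "internal client using a public resolver" check is a derived heuristic based on the report's note that the malware queried 8.8.8.8 and 8.8.4.4 directly; it is not an indicator the page itself lists.

```python
"""Hunting checks for the Da Nang DLL side-loading chain.

Every sample record below is constructed for this example; none of it is
captured from a real host. Indicator values come from the incident
description (domain, IP and port are re-fanged here for matching).
"""
import re
from dataclasses import dataclass

C2_DOMAIN = "skypechatvideo.online"
C2_IP = "185.244.150.4"
C2_PORT = 49927
SIDE_LOADED_DLL = "mpsvc.dll"
ORIGINAL_EXE = "msmpeng.exe"            # Windows Defender binary abused as loader host
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # resolvers the malware used directly


@dataclass
class PEFile:
    """Hypothetical inventory record: on-disk path plus the OriginalFilename
    field from the PE version resource (survives a rename on disk)."""
    path: str
    original_filename: str


def renamed_defender_hosts(files):
    """Return paths of MsMpEng.exe copies that were renamed, dropped under a
    user's AppData, and have mpsvc.dll beside them: the side-loading layout."""
    dirs_with_dll = {
        f.path.rsplit("\\", 1)[0].lower()
        for f in files
        if f.path.lower().endswith("\\" + SIDE_LOADED_DLL)
    }
    hits = []
    for f in files:
        directory, name = f.path.rsplit("\\", 1)
        renamed = (f.original_filename.lower() == ORIGINAL_EXE
                   and name.lower() != ORIGINAL_EXE)
        user_writable = "\\appdata\\" in f.path.lower()
        if renamed and user_writable and directory.lower() in dirs_with_dll:
            hits.append(f.path)
    return hits


def startup_shortcuts_into_appdata(shortcuts):
    """shortcuts: iterable of (lnk_path, target_path). Report Startup-folder
    shortcuts whose target lives under AppData, as the utilman.exe one did."""
    return [
        lnk for lnk, target in shortcuts
        if "\\start menu\\programs\\startup\\" in lnk.lower()
        and "\\appdata\\" in target.lower()
    ]


# Constructed log formats (not a real product's format).
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+resolver=(?P<resolver>\S+)\s+query=(?P<qname>\S+)")
HTTP_LINE = re.compile(r"client=(?P<client>\S+)\s+method=(?P<method>\S+)\s+dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def network_iocs(log_lines):
    """Return (finding, line) pairs for C2 lookups, C2 beacons, and internal
    clients that bypass the corporate resolver by asking 8.8.8.8 / 8.8.4.4."""
    findings = []
    for line in log_lines:
        m = DNS_LINE.search(line)
        if m:
            if m["qname"].lower().rstrip(".") == C2_DOMAIN:
                findings.append(("c2-domain-lookup", line))
            elif m["resolver"] in PUBLIC_RESOLVERS:
                findings.append(("public-resolver-bypass", line))
            continue
        m = HTTP_LINE.search(line)
        if m and m["dst"] == C2_IP and int(m["port"]) == C2_PORT:
            findings.append(("c2-beacon", line))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_FILES = [
    PEFile(r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe"),
    PEFile(r"C:\Users\expert\AppData\Roaming\MicrosoftCorporation\utilman.exe", "MsMpEng.exe"),
    PEFile(r"C:\Users\expert\AppData\Roaming\MicrosoftCorporation\mpsvc.dll", "mpsvc.dll"),
    PEFile(r"C:\Windows\System32\utilman.exe", "utilman.exe"),  # the real Utility Manager
]
SAMPLE_SHORTCUTS = [
    (r"C:\Users\expert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utilman.lnk",
     r"C:\Users\expert\AppData\Roaming\MicrosoftCorporation\utilman.exe"),
    (r"C:\Users\expert\Desktop\Excel.lnk",
     r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
]
SAMPLE_LOG = """\
client=10.196.132.201 resolver=10.196.1.10 query=portal.example.vn
client=10.196.132.201 resolver=8.8.8.8 query=portal.example.vn
client=10.196.132.201 resolver=8.8.8.8 query=skypechatvideo.online
client=10.196.132.201 resolver=8.8.4.4 query=skypechatvideo.online
client=10.196.132.201 method=GET dst=185.244.150.4:49927
client=10.196.132.77 method=GET dst=203.0.113.10:443
"""

if __name__ == "__main__":
    print("renamed Defender hosts:", renamed_defender_hosts(SAMPLE_FILES))
    print("startup shortcuts into AppData:", startup_shortcuts_into_appdata(SAMPLE_SHORTCUTS))
    for kind, line in network_iocs(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {line}")
```

The host-side check keys on the PE OriginalFilename rather than the on-disk name, because a rename is exactly what the dropper did; pairing it with the co-located mpsvc.dll and the AppData location keeps false positives from legitimate Defender installs low. The network check flags the published domain and IP:port directly, and separately reports the resolver bypass, which is worth alerting on even after the actor rotates infrastructure.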

Sources: 1 source (available to members)