Cyber Incident Victim: Ministry of Natural Resources and Environment
Date: Jun 2014
Location: Viet Nam

Summary
A phishing campaign targeted Vietnamese government employees via malicious Microsoft Word email attachments delivering a Trojan dropper that downloaded additional malware, specifically crafted to bypass security measures at the Ministry of Natural Resources and Environment. The malware scanned for the presence of a local antivirus tool, attempted to disable it, and established encrypted communication with command-and-control servers in the US and South Korea. The backdoor component exfiltrated system information, including local IP addresses, and enabled remote command execution. The attack aimed to compromise sensitive government data, potentially facilitating further intrusions into related agencies. Security researchers identified the payload as Win32/Agent.VXU, noting its tailored design to evade the agency's defenses.
Description
The incident targeting Vietnam's Ministry of Natural Resources and Environment (MONRE) began with a phishing campaign distributing malicious emails containing infected Microsoft Word document attachments. Upon opening the attachment, the malware dropped an executable file named "payload.exe" onto the victim's system, functioning as a Trojan dropper designed to download additional malicious components. The attack exhibited characteristics of a targeted operation, with malware specifically engineered to evade MONRE's security infrastructure. A key indicator of this targeting was the malware's scan for the presence of BKAV (Bach Khoa Anti-Virus), a Vietnamese security tool commonly used in government systems. If BKAV was detected, the Trojan dropper executed the FreeLibrary function to unload "BkavFirewallEngine.dll" from memory, effectively neutralizing this layer of protection. The malware stored three items in the system's temporary directory, with PE header timestamps indicating creation on April 24, 2014, suggesting recent development relative to the June 2014 attack timeframe.

Following initial infection, the malware established command and control (C2) communications through "Framework.dll," a backdoor component that transmitted the infected machine's local IP address to remote servers. The malware connected to two C2 servers, one located in the United States (31.170.167.168) and another in South Korea (www.google.zzux.com), over port 443 for encrypted HTTPS traffic. The backdoor opened a Windows command shell whose input and output were redirected to the attackers' servers, giving them remote control of the system. Security researchers from ESET identified all downloaded files as variants of Win32/Agent.VXU, confirming the malware's presence on compromised systems.

While MONRE might appear an unconventional target, its status as a government agency handling potentially sensitive environmental and resource management data made it strategically valuable. The attackers likely sought information that could facilitate subsequent operations against other government entities, using the compromised data to refine future intrusion methods against Vietnamese infrastructure. Because available reports give no specific mitigation details, MONRE's containment response remains undocumented in public sources.
