[email protected] (04) 3795 8282 - (04) 3795 8228 - 1800 556 864
.31 Oct


Recently, CMC CyberSecurity received a number of malicious samples believed to be developed by Panda hackers. In order to attack APT to foreign government organizations, including Vietnamese organizations.

Samples received after analysis can be divided into two types. Each type uses a different payload implementation but still has some common characteristics:

  • Use the .lnk shortcut file with the .doc extension (eg sample.doc.lnk) to deceive the user.
  • The lnk file attached to the hta file can execute vbscript.
  • Script to open the attached document file for the user and implicitly execute the payload.

Based on the content of document files prepared to deceive users, it can be surmised that the target that the attacker wants to target is users of some units of the Vietnamese government.

   1. Technical analysis

  1.1. Analysis of file type lnk 1

File LNK

The sample file is a shortcut file with the extension .lnk, usually named with the .doc extension to deceive users because the .lnk extension will be hidden by Windows. The suspicious point is in the target part of the shortcut file. Usually, the target of the shortcut usually points to a destination folder or file. However, the target of the templates all contain the following command:

%comspec% / c for %x in (%temp% = %) do for / f "delims ==" %i in ('dir "%x \ GIAYMOI.doc.lnk" / s / b') do start m%windir: ~ -1,11 exe "%i"

The above code was obfuscate by using the variable %comspec% instead of directly calling the string "cmd.exe" and the "s" in the file name mshta.exe was obtained by cutting the last character of the value contained in variable "%windir%" (usually C: \ Windows).

Mshta.exe is a microsoft application developed to take advantage of fast application building through html, css, vbscript, javascript. Using mshta and the .hta file format, we can open an html page as an application. The hta file format is the same as the html file. By adding tags into the card of the html file we have the hta file that can be opened via the mshta application.

The hta file can be inserted before its header. Take advantage of this,

the attacker has inserted an lnk file before it, with the command opening itself with mshta.exe to execute the embedded hta file. When the user opens the lnk file, will execute the command in the target of the lnk file and execute the mshta.exe file to open itself.

File HTA

By default, mshta.exe can execute both javascript and vbscript embedded in hta files using related dlls. The hta file that is embedded when opened will have the following properties: minimize, not shown on the taskbar, no menu and caption. Its sole task is to execute malicious vbscript code.

The vbscript script has been obfuscate (confusing) to make the analysis process difficult. After deobfuscate, you can see that the code snippet contains 1 data in binary form.

Then, the code uses the ADODB object to save the binary data as a file into the %temp% folder named 3.ps1.

Finally, execute the file 3.ps1 with the command line

powershell.exe -exec bypass -file & szTempPath, Null, Instance, MWcWurrkfEbtfWdZTY


The powershell script continues to be confused by using base64 to encode its entire contents. After decode the entire content, the script will continue to run through powershell's iex function.

The content after the script decode is also messed up to make its content more difficult to understand. After analysis, we can get a general overview of the content and tasks of the code as follows:

  • The code checks the Administrator rights of the current user and stores the result in a variable.
  • Proceed to decode the .doc file as base64 and save it to the directory %temp%. Then open this file for the user.
  • If the script is run with Administrator privileges, the .dat file will be saved in the "%windir% \ debug" directory. Otherwise, the %temp% folder will be used to save the .dat file.
  • The InstallUtil tool (v2.0 or 4.0) will be used as a loader to execute the .dat payload file. When having Administrator rights, the script will copy 2 InstallUtil.exe and schtasks.exe windows files into %temp% folder. Particularly, the file schtasks.exe (microsoft utility used to schedule automatic running of some programs and tasks 1) will be renamed to "wtask.exe".
  • Then use cmd to execute the wtask.exe file to run automatically, with the purpose of loading the executable file loader to run the .dat file with SYSTEM privileges.
  • Without Administrator rights, the loader will be executed indirectly through vbscript. The code also checks and adjusts how it executes accordingly when it detects an antivirus product installed on the computer.
  • After executing the process "wtask.exe" will create an entry in Task Scheduler to execute

Final Payload

InstallUtil.exe when loading payload file tmp_FlVnNI.dat will continue decode a shellcode in base64 format and copy the decoded part into a allocated memory with the attribute PAGE_EXECUTE_READWRITE and create a thread to execute shellcode.

Shellcode will automatically decode part of its code using the xor algorithm with the key of 0x44. After decoding 0xcf2 bytes, shellcode will execute the decoded part.

This is the final payload to make the connection to the attacker's server. Currently unable to connect to this server.

Analysis of file type lnk 2

First stage

Similar to type 1, type 2 is also an lnk file embedded before the hta file. At the time of vbscript execution, this script decodes and stores into %temp% folder 3 binary files in base64 and 1 document file.

The document file will then be opened for the user.

Meanwhile, the script will execute the 3.exe file to perform malicious actions.

Second stage

3.exe executable file is actually a clean file, but it will load a modified DLL file containing malicious code.

To do this, the attacker only needs to find a dll loaded by the LoadLibrary function in the 3.exe file (in this case http_dll.dll), then create a malicious dll file with the same name as the parameter of the LoadLibrary function. and put it in the same directory as the 3.exe file. When calling LoadLibrary, 3.exe will find the dll in the same directory first and load it up.

When uploaded, http_dll.dll will find the VirtualProtect function to modify the attribute of the 16 bytes of memory the module has loaded it at RVA of 0x157a to PAGE_EXECUTE_READWRITE. In this case, the corrected location will be the command jz 0x401533.

To perform malicious behavior, the command jz 0x401533 will be replaced with 3 push commands FFFFFFFF, push http_dll.10001230 and "ret" command to redirect the program 3.exe to sub_10001230 of the dll, then the program will leave for 3.exe to continue execution.

At sub_10001230, the malicious code will read the file http_dll.dat in the same directory. The content at the beginning of this dat file is a string with null-terminated and data. This string will be used to be the decryption key for the data portion of the dat file.

After that, the malicious code will create a new memory area to contain the decryption process conducted by the xor algorithm with the string key in the dat file as above.

The malware continues to change the properties of this new device with the PAGE_EXECUTE_READWRITE property and execute shellcode at this address.

The decoded content is a RAW PE file, but it has been cleverly integrated into a shellcode, starting from offset 0. This shellcode serves as a loader, load this raw PE file to be able to execute OK.

First, shellcode finds the address of kernel32.dll and then loads the functions LoadLibray, GetProcAddress, ZwFlushIntructionCache, VirtualAlloc by comparing the hash of the names of the functions that are exported by kernel32.

Then, Loader reads the header of the PE file, maps the sections to the corresponding memory areas, reallocates some addresses and resolves the Import Address Table of the file. Once completed, the program execution flow will be passed to the DllMain function of this PE file.

Final Payload

Here, the malicious code will take a number of paths to use, then decrypt a data section to use.

The decoding result is a number of strings including autorun key name, ip c & c server.

Then the malicious code will perform the following behaviors:

  • Make a copy of the three executable files to the user's profile directory or alluserprofile if there are sufficient administrator rights.
  • Add and lock autorun to activate the executable file which has just been dropped when restarting. Also relaunch itself if this is its first run. The malware distinguishes this by inserting another parameter to it at subsequent runs.
  • Create a mutex, connect to the server to receive commands from the server.
    • Creating a backdoor allows an attacker to execute commands remotely.
    • Support many different commands including upload file, folder, list folder, read file, get computer information, user, ...


By using various attack and disruptive techniques during execution, it is shown that the person behind the malware development has invested a lot of time in researching the target and developing the attack method accordingly. . APT is a malicious attack, carefully invested to steal important information and cause damage to the organization. To prevent APT attacks, always prepare new precautions and ongoing monitoring to ensure the security of users and organizations as well.

C&C ip, domain










Write a post