FoundCore: Evasive Malware Used by Chinese Hackers for Cyber Espionage

Security experts from Kaspersky Lab have uncovered a long-lasting cyber espionage operation launched by a Chinese nation-backed actor to target government and military institutions across Vietnam. The hacker group, known as Cycldek, APT27, GoblinPanda, and LuckyMouse, relied on a brand-new and highly evasive remote access Trojan to reach its malicious goal. The RAT, called FoundCore, represents the increasing sophistication of Chinese state-sponsored adversaries due to its vast malicious capabilities.

Cycldek Attacks Vietnamese Govt and Navy

The analysis from Kaspersky shows that the Cycldek campaign took place between June 2020 – January 2021. The majority of infected devices were located in Vietnam, however, the smaller scale of intrusions was also spotted in Thailand and Central Asia. The primary targets were governmental and military assets, still, adversaries also went after organizations in diplomacy, education, and healthcare sectors.

During the intrusions, Cycldek leveraged a well-known DLL side-loading technique to masquerade malicious operations. Particularly, adversaries used legitimately signed files to load and decrypt the final FoundCore payload. The hackers also applied an additional layer of protection against detection and malware analysis. According to the researchers, they completely scoured the majority of FoundCore’s headers, with a couple of them remaining with incoherent values. This method is exclusive for China-affiliated actors indicating the advancement of their malicious techniques.

What is FoundCore RAT?

The final payload in the attack kill chain is FoundCore remote access Trojan allowing Cycldek hackers to gain full control over the targeted instance. To achieve this, malware is armed with a vast array of notorious functions, including file system and process manipulation, screenshots capturing, and arbitrary code execution. Additionally, the RAT can act as a downloader, dropping two additional strains to the targeted PCs. The first one was found to be a DropPhone data-stealing threat, while the second was identified as a CoreLoader malware able to ensure evasion.

Experts believe with a high level of confidence that the initial intrusion vector for FoundCore relies on malicious RTF documents. Specifically, the inquiry from Kaspersky details that in most cases FoundCore infections were preceded by the opening of malicious documents generated with RoyalRoad and exploiting CVE-2018-0802 vulnerability.

FoundCore RAT Detection

To detect the Cycldek attacks leveraging FoundCore RAT, you can download a community Sigma rule produced by our active Threat Bounty developer, Sittikorn Sangrattanapitak: 

https://tdm.socprime.com/tdm/info/l08pKvzQtWPp

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Sentinel One, Microsoft Defender ATP

NTA: Corelight

MITRE ATT&CK: 

Actor: APT27

Looking for the best SOC content compatible with your security solution in use? Subscribe to Threat Detection Marketplace and reach over 100K Detection and Response rules for 23+ market-leading SIEM, EDR, and NTDR tools. Inspired to create your own Sigma rules? Join our Threat Bounty program and get rewarding for your valuable input!

Go to Platform Join Threat Bounty