Full Report
Table of Contents (as listed in the original post; the excerpt is truncated):

* Introduction
* Key Targets
* Infection Chain
* Initial Findings about Campaign
* Analysis of Decoys
* Technical Analysis
  * Campaign-1, Stage-1: Ho so.rar
  * Campaign-2, Stage-1: download.zip
  * Stage-2: The LNK & Batch file (common to both campaigns)
  * Stage-3: Analysis of sfvc.exe & 360.dll
* Analysis of 2nd Infrastructural Artefacts & Threat Actor Attributions
* Conclusion: Why Operation […]

The post "Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare" appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Threat Actor: Unnamed Chinese-linked APT (Associated with Operation GriefLure)
## Attribution & Identity
The report does not attribute the campaign to a specific named group (such as APT41 or Mustang Panda); the indicators it cites point toward a **Chinese-aligned state-sponsored threat actor**.
* **Known Associations:** Shares infrastructure overlaps and TTPs with known Chinese APT clusters.
* **Naming and Regional Cues:** Lures are tailored to the target region, and the side-loaded DLL is named `360.dll`, plausibly to pass as a component of 360 Security software, which is widely deployed in the region.
## Activity Summary
The actor is currently conducting **Operation GriefLure** (detected May 2024). This campaign involves high-precision spear-phishing using "hyper-realistic" lures. Instead of fabricated documents, the actor harvested eight genuine, legally sensitive documents from a real-world data breach dispute to trick high-value targets.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing attachments using nested archives (RAR/ZIP) containing malicious Windows LNK files.
* **Execution:** Abuses the native `ftp.exe` as a Living-off-the-Land (LotL) downloader and dropper (System Binary Proxy Execution, T1218); because the binary is signed by Microsoft and ships with Windows, its use is intended to slip past EDR allow-lists and signature checks.
* **Payload Assembly:** Time-based polymorphic payload assembly. The implant (`sfsvc.exe`) is assembled on disk from chunks stored as `.doc` files, so no complete executable is present at download time and file-hash or static-signature detection has nothing to match until the last step.
* **Persistence:** Modifies environment variables (PATH) and uses Boot/Logon Autostart Execution (T1547).
* **Defense Evasion:** DLL Side-Loading (T1574.002) using `360.dll`; hidden execution via NTFS Alternate Data Streams (ADS, T1564.004).
* **Credential Access:** Steals credentials from web browsers (T1555.003) and from local files.
* **Collection and Exfiltration:** Screen capture (T1113) and automated exfiltration over XOR-obfuscated HTTPS channels to the C2.
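The chain in the list above (LNK to batch to `ftp.exe`, chunked `.doc` files assembled into `sfsvc.exe`, then `360.dll` side-loaded) leaves a recognisable shape in ordinary endpoint telemetry. The following is an added example written for this page, not code from the Seqrite report or from the malware: three correlation rules run over constructed Sysmon-style events (ProcessCreate, ImageLoad, FileCreate). Every path, PID, user name and timestamp is an assumption, as is the directory layout; the real batch and ftp script contents are not reproduced. The same rules are the concrete form of the binary-monitoring and side-loading checks in the Mitigations section.

```python
"""Endpoint-telemetry correlation for the GriefLure chain (added example).

Not code from the Seqrite report. Runs over constructed Sysmon-style records:
EID 1 ProcessCreate, EID 7 ImageLoad, EID 11 FileCreate. Every path, PID,
user and timestamp below is invented; the real batch/ftp scripts are not reproduced.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")
KNOWN_SIDELOAD_DLLS = {"360.dll"}  # DLL name cited in the report


def base(path):
    return ntpath.basename(path).lower()


def is_user_writable(path):
    """Crude heuristic: anything outside Windows/Program Files counts as user-writable."""
    return not path.lower().startswith(SYSTEM_PREFIXES)


def rule_ftp_scripted(events):
    """ftp.exe in scripted mode (-s:<file>). ftp scripts can run shell commands via
    the '!' escape, so -s: alone deserves review; the explorer -> cmd -> ftp shape
    is what a double-clicked LNK that runs a batch file looks like."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    hits = []
    for e in procs.values():
        if base(e["image"]) != "ftp.exe" or "-s:" not in e["cmdline"].lower():
            continue
        parent = procs.get(e["ppid"])
        via_lnk = bool(parent and base(parent["image"]) == "cmd.exe"
                       and base(parent["parent_image"]) == "explorer.exe")
        hits.append({"rule": "ftp_scripted_execution", "pid": e["pid"],
                     "cmdline": e["cmdline"], "explorer_cmd_ftp_chain": via_lnk})
    return hits


def rule_chunk_assembly(events, window=timedelta(seconds=120), min_chunks=2):
    """Several .doc writes into one directory, then an .exe appears there within
    `window`: the on-disk assembly pattern the report describes for sfsvc.exe."""
    writes = defaultdict(list)
    for e in events:
        if e["eid"] == 11:
            d, n = ntpath.split(e["target"])
            writes[d.lower()].append((datetime.fromisoformat(e["ts"]), n.lower()))
    hits = []
    for d, items in writes.items():
        items.sort()
        for ts, name in items:
            if not name.endswith(".exe"):
                continue
            chunks = [n for t, n in items if n.endswith(".doc") and ts - window <= t <= ts]
            if len(chunks) >= min_chunks:
                hits.append({"rule": "chunked_payload_assembly", "dir": d,
                             "exe": name, "chunks": chunks})
    return hits


def rule_dll_sideload(events):
    """Unsigned DLL loaded from the loader's own user-writable directory.
    Generic side-load heuristic; the report's 360.dll is additionally named."""
    hits = []
    for e in events:
        if e["eid"] != 7:
            continue
        dll = e["image_loaded"]
        same_dir = ntpath.dirname(e["image"]).lower() == ntpath.dirname(dll).lower()
        if same_dir and is_user_writable(dll) and not e["signed"]:
            hits.append({"rule": "dll_sideload_candidate", "loader": e["image"],
                         "dll": dll, "known_ioc": base(dll) in KNOWN_SIDELOAD_DLLS})
    return hits


def analyze(events):
    """All rules over one event stream, findings sorted by rule name."""
    findings = rule_ftp_scripted(events) + rule_chunk_assembly(events) + rule_dll_sideload(events)
    return sorted(findings, key=lambda f: f["rule"])


# Constructed sample telemetry (assumed layout; not victim data).
U = r"C:\Users\u\AppData\Local"
SYS32 = r"C:\Windows\System32"
EVENTS = [
    {"ts": "2024-05-02T09:00:00", "eid": 1, "pid": 4100, "ppid": 3000, "image": SYS32 + r"\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\run.bat"'},
    {"ts": "2024-05-02T09:00:02", "eid": 1, "pid": 4120, "ppid": 4100, "image": SYS32 + r"\ftp.exe",
     "parent_image": SYS32 + r"\cmd.exe", "cmdline": "ftp.exe -s:" + U + r"\Temp\f.txt"},
    {"ts": "2024-05-02T09:00:05", "eid": 11, "pid": 4120, "image": SYS32 + r"\ftp.exe", "target": U + r"\svc\part1.doc"},
    {"ts": "2024-05-02T09:00:07", "eid": 11, "pid": 4120, "image": SYS32 + r"\ftp.exe", "target": U + r"\svc\part2.doc"},
    {"ts": "2024-05-02T09:00:09", "eid": 11, "pid": 4120, "image": SYS32 + r"\ftp.exe", "target": U + r"\svc\part3.doc"},
    {"ts": "2024-05-02T09:00:12", "eid": 11, "pid": 4100, "image": SYS32 + r"\cmd.exe", "target": U + r"\svc\sfsvc.exe"},
    {"ts": "2024-05-02T09:00:15", "eid": 7, "pid": 4150, "image": U + r"\svc\sfsvc.exe",
     "image_loaded": U + r"\svc\360.dll", "signed": False},
    # Benign noise that must not fire: an interactive cmd, a real document, a signed system DLL.
    {"ts": "2024-05-02T09:01:00", "eid": 1, "pid": 5000, "ppid": 3000, "image": SYS32 + r"\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /k dir"},
    {"ts": "2024-05-02T09:01:05", "eid": 11, "pid": 5000, "image": SYS32 + r"\cmd.exe", "target": r"C:\Users\u\Documents\report.doc"},
    {"ts": "2024-05-02T09:01:10", "eid": 7, "pid": 900, "image": SYS32 + r"\svchost.exe",
     "image_loaded": SYS32 + r"\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Running the script prints one finding per rule for the sample stream and nothing for the benign events. The side-load rule fires on the generic shape (unsigned DLL next to its loader in a user-writable directory) and only marks `360.dll` as a known indicator on top, so a renamed DLL in the next campaign is still caught; the ftp rule fires on `-s:` regardless of parent and records the explorer/cmd/ftp ancestry separately, so an analyst can rank the alert rather than lose it.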
## Targeting
* **Sectors:** Military Telecommunications, Law Enforcement (Cyber Crime Police), Healthcare, and Medical Services.
* **Geography:** Vietnam and the Philippines.
* **Victims:** Senior executives at **Viettel Group** (Vietnam), investigators from the **Thanh Hoa Provincial Cyber Crime Police**, and senior staff at **St. Luke’s Medical Center Quezon** (Philippines).
## Tools & Infrastructure
* **Malware:** `sfsvc.exe` (Custom Implant), `360.dll` (Side-loading component), `th5znehec.exe`.
* **Common Files:** `Ho so.rar`, `download.zip`, `iPad_Pro_Display_Spec_Final_CONFIDENTIAL.docx.lnk`.
* **Infrastructure (C2):**
  * `www[.]whatsappcenter[.]com` (defanged)
  * Domain masquerading: the C2 domain impersonates a legitimate service (WhatsApp).
## Implications
This actor demonstrates unusually strong social engineering by using **authentic stolen legal documents** as lures. Because the victim is shown something completely true (real police reports and signed corporate admissions), the "does this look fake?" heuristics taught in security awareness training simply do not apply. The combination of a LotL binary (`ftp.exe`), on-disk payload assembly and DLL side-loading points to an actor deliberately engineering around modern EDR/XDR deployments in regulated sectors such as defense and healthcare.
## Mitigations
* **Binary Monitoring:** Alert on `ftp.exe` launched in scripted mode (`-s:<file>`), and raise the severity when its parent is `cmd.exe` and the grandparent is `explorer.exe`, the process shape of a double-clicked LNK. Interactive `ftp.exe` use is rare on workstations, so where it is not needed block it outright with AppLocker or WDAC rather than trying to enumerate acceptable parents. Note that `explorer.exe` spawning `cmd.exe` is routine on its own and should not be alerted on by itself.
* **LNK File Scrutiny:** Configure the mail gateway to block or quarantine `.lnk` members inside archives, including archives nested inside archives, and to flag double extensions such as `.docx.lnk`. Password-protected archives cannot be inspected and should be quarantined by default.
* **DLL Side-Loading Defense:** The relevant telemetry is image-load and file-creation events on the endpoint (Sysmon Event IDs 7 and 11), not Active Directory auditing. Alert when a signed executable loads an unsigned DLL from its own user-writable directory, and add `360.dll` as a named indicator on top of that generic rule.
* **Credential Protection:** Credential Guard protects secrets held by LSASS (NTLM hashes, Kerberos tickets); it does nothing for browser credential stores, so it does not address T1555.003. Monitor reads of browser profile files (for example the Chromium `Login Data` SQLite database) by any process other than the browser itself.
* **Network Filtering:** Block `www[.]whatsappcenter[.]com` and look-alike domains at DNS and the proxy. XOR-encoded request bodies inside HTTPS are invisible without TLS inspection; where inspection is not possible, hunt for beaconing behaviour (regular intervals, fixed request sizes) and for newly registered domains that imitate messaging services.
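For the LNK-in-archive control listed above, the following is an added example of a gateway-side scanner, written for this page and not Seqrite's code or any product's. It unpacks nested zip archives in memory, flags `.lnk` and other executable members, flags double extensions like the `.docx.lnk` lure named in the IOC list, and reports encrypted members it cannot inspect. The sample archive is constructed inline from dummy bytes; its nesting (a `download.zip` inside an outer zip) and the member name are illustrative assumptions. RAR, which `Ho so.rar` uses, is not readable by the standard library and would need an external extractor.

```python
"""Gateway-side scanner for LNK files hidden in nested archives (added example).

Not Seqrite's code or any product's. Only zip is handled (the standard library
cannot read RAR, so `Ho so.rar` would need an external extractor). The sample
archive is built in memory from dummy bytes; its layout is an assumption.
"""
import io
import zipfile

RISKY_EXTS = {".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".exe", ".scr"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
MAX_DEPTH = 3  # how many archive-in-archive levels we are willing to open


def classify(name):
    """Reasons a member name is suspicious: executable extension, and a document
    extension stacked in front of it (the .docx.lnk pattern from the IOC list)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in RISKY_EXTS:
        reasons.append("executable_extension")
        if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
            reasons.append("double_extension")
    return reasons


def scan_zip(data, depth=0, path=""):
    """Walk a zip (and zips inside it) without writing to disk; return findings."""
    if depth > MAX_DEPTH:
        return [{"path": path, "reasons": ["nesting_too_deep"]}]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"path": path, "reasons": ["unreadable_archive"]}]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            reasons = classify(info.filename)
            if info.flag_bits & 0x1:  # encrypted member: we cannot inspect it
                reasons.append("encrypted_member")
            if reasons:
                findings.append({"path": member, "reasons": reasons})
            if info.filename.lower().endswith(".zip") and not info.flag_bits & 0x1:
                findings += scan_zip(zf.read(info), depth + 1, member)
    return findings


def gateway_verdict(data):
    """block: an executable member was found; review: something could not be
    inspected (encrypted, too deep, unreadable); allow: nothing flagged."""
    findings = scan_zip(data)
    if any("executable_extension" in f["reasons"] for f in findings):
        return "block", findings
    if findings:
        return "review", findings
    return "allow", findings


def build_sample(with_lure=True):
    """Constructed sample: outer zip -> download.zip -> lure .docx.lnk (dummy bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", b"benign text")
        if with_lure:
            z.writestr("iPad_Pro_Display_Spec_Final_CONFIDENTIAL.docx.lnk", b"L\x00\x00\x00dummy")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("download.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(gateway_verdict(build_sample()))
```

The verdict is three-valued on purpose: an archive the gateway cannot fully see (encrypted member, nesting beyond `MAX_DEPTH`, or a corrupt container) goes to review instead of being allowed through by default, which is the failure mode that lets a password-protected lure past a scanner that only knows "clean" and "malicious".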