Goblin Panda continues to target Vietnam
By Sebdraven
Published: 2019-05-02 · Archived: 2026-04-05 22:59:28 UTC
2 min read
May 2, 2019
Chinese actors have changed the rtf exploit following my different articles and Anomali article
https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain
But In march a researcher of Anomali @aRtAGGI made a link very interesting between Icefog and an article
targeting Mongelian speaker https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/
https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
Page 1 of 4

I decide to reanalyze the RTF exploit. It’s the same techniques, they have just change the XORing and the exploit
body to bypass the yara rules which have been published.
https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
Page 2 of 4

After a new rule and retro hunting, I found a new RTF file
81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6 exploiting the same RTF
vulnerability CVE-2017–11882 and drops two files
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\QcConsol.exe
9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\QcLite.dll
207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3
The backdoor is the DLL and has as usual, the malware is executing using the side loading.
Get Sebdraven’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
The dll is a variant of the newcoreRAT with many similarities with
05d0ad2bcc1c6e2752a231bc36d07a841f075a0a32a3a62abaafddbdafd72f62
5a592b92ffcbea75e458726cecc7f159b8f71c46b80de30bac2a48006ac1e1b3
5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76
Press enter or click to view image in full size
and the RTF is a spear phishing targeting Vietnamese people.
The malware seems to compile 11 Dec 2018 and the document has created in 2019:01:18.
The C2 of the backdoor is a old domain web.hcmuafgh.com but it’s a new IP 193.29.56.62.
IOCs
81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6
https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
Page 3 of 4

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\QcLite.dll
207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3
sha256 C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\QcConsol.exe
9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770
web.hcmuafgh.com
193.29.56.62
http://web.hcmuafgh.com:4357/link?url=maOVmKGmMDU1&enpl=OXcoVQ==&encd=XARIZTE=
Source: https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
Page 4 of 4