{
	"id": "2fb94420-6866-43ee-b8c8-1611c0b329bb",
	"created_at": "2026-04-06T00:11:56.627558Z",
	"updated_at": "2026-04-10T13:12:03.370029Z",
	"deleted_at": null,
	"sha1_hash": "9de4109c60d0abbf4d986815169f04a78ceaf101",
	"title": "Malicious document targets Vietnamese officials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7806940,
	"plain_text": "Malicious document targets Vietnamese officials\r\nBy Sebdraven\r\nPublished: 2018-08-13 · Archived: 2026-04-05 12:43:20 UTC\r\nAfter our investigation of APT SideWinder, we’ve done a yara rule for hunting RTF document exploiting the\r\nCVE-2017–11882.\r\nWe found a document written in Vietnamese dealing with a summary about differents projects in the district Hải\r\nChâu of Đà Nẵng.\r\nPress enter or click to view image in full size\r\nRTF document\r\nIn this article, we’ll detail the infection chains and the infrastructures of the attackers and the TTPs of this\r\ncampaign.\r\nThe infrastructures and TTPs during this campaign seem to the Chinese hacking group 1937CN.\r\nInfection chains\r\nJoe sandbox has a good representation of the behaviour of the infection.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?\r\nPage 1 of 23\n\nThis rtf document is really malicious and it exploits the equation vulnerability to write two files in the system:\r\n1. A dll named RasTls.dll\r\n2. A executable file named dascgosrky.exe\r\nThis document is interesting to analyze so let’go !\r\nRTF analysis\r\nWith rtfobj, we found three ole objects in the document:\r\ntwo non well formed ole object and a third named package ole object.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?\r\nPage 2 of 23\n\nThe package ole object is used to write a file in the disk when the document is opened at the destination described\r\nby the ole object.\r\nThat’s why, there is a path and a name in the ole object.\r\nPress enter or click to view image in full size\r\nPackage OLE Object\r\nThis technique is used to execute code like sct file to download an executable on the operating system. 
McAfee Labs has detailed all of this with SCT files: https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/\r\nMany attackers use it in the wild because it's very easy to use and it's supported by the Office software with RTF files.\r\nSo, in our case, a file named 8.t is dropped in the %TMP% folder.\r\nIf we check it, it's clearly encrypted.\r\n8.t encrypted\r\nThe other OLE objects seem to be the exploit of CVE-2017-11882.\r\nEquation OLE Object\r\nAt the end of the OLE object, we have different API functions to make a RunPE.\r\nAnother interesting thing is this string at the beginning of the object: 7e079a2524fa63a55fbcfe\r\nString found in many exploits of CVE-2017-11882\r\nWe have the same string used by APT SideWinder in the Equation OLE object.\r\nIt's the same toolset used to create the malicious document.\r\nSo now, we have to debug the malicious document to find out how the file 8.t is used and to find this RunPE.\r\nDebugging of the shellcode\r\nAt the start of the analysis, we thought the process EQNEDT32.exe was created by Winword.exe using the function CreateProcess. So we decided to set a breakpoint at the call of this function.\r\nBut EQNEDT32.exe is invoked by Winword.exe using a COM object. It's not CreateProcess that is used, and Winword.exe is not the parent process of EQNEDT32.exe. So we have to attach the debugger when EQNEDT32.exe is launched.\r\nFor that, we used a technique named Image File Execution Options that is documented by Microsoft:\r\nhttps://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/\r\nWe create a key EQNEDT32.exe under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\r\nAnd we set a string value to launch the debugger when EQNEDT32.exe is executed and to attach the debugger to the process.\r\nValue to set the debugger when EQNEDT32.exe is executed\r\nWhen we open the RTF document, Winword is launched and EQNEDT32.exe also.\r\nWinword process\r\nEQNEDT32.exe process attached by the debugger\r\nAnd the debugger is attached at the entry point of EQNEDT32.exe.\r\nWe check that 8.t is correctly created in the %TMP% folder.\r\n8.t dropped on disk\r\nNow we set a breakpoint on CreateFile to check whether the shellcode of the exploit reads the file 8.t.\r\nCreateFile is called at call eqnedt32.41E5EE.\r\nThe file path parameter is pushed on the stack: push dword ptr ss:[ebp-4].\r\nThe shellcode uses CreateFile on 8.t in the %TMP% folder\r\nSo now, we can return to the user code at the calling function.\r\nAfter a step into, we enter the shellcode; the address space has changed:\r\nShellcode of the exploit\r\nAfter CreateFile, GetFileSize is called to get the size of the file.\r\nGet the size of the file\r\nNext is VirtualAlloc, which creates a memory page at 1FD0000 (eax value).\r\nVirtualAlloc memory page to load 8.t\r\nAfter VirtualAlloc, the memory page is pointed to by EAX\r\nThe page allocated\r\nReadFile is called:\r\nReadFile 8.t\r\nAnd 8.t is loaded at 1FD0000:\r\n8.t in memory\r\nAnd the shellcode decrypts the 8.t file in memory at 0066C82A.\r\nThe decryption loop is a XOR with different manipulations of the decryption key.\r\nAt the start of the decryption, the key is set to 7BF48E63.\r\nDecryption loop\r\nAnd the XOR is made after the key manipulation.\r\nSet the decryption key in EAX\r\nIf we check the destination of the result of the XOR (here edx + ebx), we find 01FD0000, where 8.t is loaded.\r\nAfter two steps of the loop, we can see the magic number MZ set at the beginning of the memory section.\r\nMZ magic number\r\nAt the end of the decryption loop, we have a PE in memory at 01FD0000: the file 8.t has been decrypted.\r\n8.t fully decrypted\r\nThen, the shellcode uses VirtualAlloc and creates a memory page at 02070000.\r\nAnd the new PE at 01FD0000 is copied to this address.\r\nThe decrypted PE is copied to the new memory page\r\nThen GetModuleFileNameA is called to get the path of EQNEDT32.exe.\r\nAnd EQNEDT32.exe is forked in suspended state by a CreateProcess, and the shellcode overwrites it with the PE at the address 02070000.\r\nFork of EQNEDT32.exe\r\nOverwriting of EQNEDT32.exe\r\nStack used by NtWriteVirtualMemory\r\nAnd the shellcode does a ResumeThread to launch the new PE.\r\nSo, we've found all the API calls listed at the beginning of the OLE object, and we have a RunPE to launch the new, overwritten EQNEDT32.exe.\r\nAnalysing the fork of EQNEDT32.exe\r\nWe know that this process has to create two files on disk, following the Joe Sandbox analysis:\r\nA DLL named RasTls.dll\r\nAn executable file named dascgosrky.exe\r\nIf we dump EQNEDT32.exe and put it in IDA, we quickly find the function that drops the files on disk (sub_00401150), renamed dropFiles.\r\nDropFiles Function\r\nAnd at the start of this function, we have a loop with a XOR.\r\nSecond loop of decryption\r\nAnd just after, we have a call to the decompression function.\r\nDecompression function using zlib\r\nThe function dropFiles is called twice by sub_4012D0.\r\nDrop the DLL and the executable\r\nIf we check the call graph, DropFiles is called only by the function sub_4012D0.\r\nFunctions using the DropFiles function\r\nSo we set a breakpoint on CreateFile because, at each execution, EQNEDT32.exe starts with a CreateFile on staticcache.dat.\r\nBreakpoint on CreateFile\r\nAnd we return to the user code to set a new breakpoint to check the static analysis.\r\nSo we set a breakpoint at 0040159A, where DropFiles is called.\r\nBreakpoint at the first call of DropFiles\r\nAnd now we can analyse the second decryption loop.\r\nThe first step is the initialization of the decryption function.\r\nSetup for the second decryption loop\r\nAnd after, we find the XOR, which stores the result at esi+eax.\r\nDecryption loop\r\nIn the first step of the decryption loop, the result is written to 411BC0 in the address space of EQNEDT32.exe.\r\nBefore the decryption\r\nAfter three iterations, we obtain the header of a zlib compressed object.\r\nAfter the decryption\r\nAnd at the memory page 021E0000, a PE is decompressed.\r\nMemory page allocated to store the DLL\r\nAfter decompression\r\nAnd after that, the file is created with the following path, stored in ebx:\r\nL”C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Network Shortcuts\\\\RasTls.dll”\r\nDropFiles is called a second time to decrypt and decompress the executable file.\r\nThe offset where the file is stored is 00434EF8 and the decompressed PE is stored at 025D0020.\r\nDecryption of the executable dascgosrky.exe\r\nAnd the path of the new file is (ebx=005DA228):\r\nL”C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Network Shortcuts\\\\dascgosrky.exe”\r\nSo we have two files in the Network Shortcuts folder of Windows.\r\nFiles dropped on disk\r\nDLL hijacking\r\nDascgosrky.exe is a legitimate and trusted piece of software developed by Symantec.\r\nTo load the library RasTls.dll, the executable calls LoadLibrary and GetProcAddress in sub_401940 to execute the malicious functions.\r\nDascgosrky.exe loading the malicious\r\nThe original file\r\nIf we check the exports in IDA, we just have a DllEntryPoint. The DLL is executed like this.\r\nWe'll analyse the RAT in the second part.\r\nInfrastructure of Attackers\r\nThe domain contacted is wouderfulu.impresstravel.ga, and this domain resolved to 192.99.181.14.\r\nDomain wouderfulu.impresstravel.ga\r\nThis IP has different domains found with PassiveTotal, and these domains are also recorded on the IP 176.223.165.122.\r\nMany of the domain names are aimed at Vietnamese people.\r\nExpansion of domains\r\nThere are two really interesting domains.\r\nHalong.dulichculao.com was already used in the campaign targeting Vietnamese organizations described by Fortinet:\r\nhttps://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html\r\nFor Fortinet, it is the Chinese hacking group 1937CN.\r\nIf we compare the TTPs, they are really similar. They used RTFs to make the intrusion and DLL hijacking to load the real payload.\r\nAnd the domain names are really similar between the campaigns.\r\nThe second one is:\r\nCat.toonganuh.com is a subdomain of toonganuh.com, registered by florence1972@scryptmail.com\r\nConclusion\r\nThe Chinese hacking group 1937CN continues to target Vietnamese officials with the same TTPs, with a refresh of the tools used. The toolset used by this group to create malicious RTF documents has the same properties as SideWinder's.\r\nI want to thank my buddies on “Zone de Confort”. It's with this dream team that I could finalize this analysis correctly.\r\nIn the second part, we will analyze the RAT used in this campaign. Or if another reverser can do it, I'll pay a beer ;)\r\nIOCs for the paper:\r\ndomains:\r\ndn.dulichbiendao.org\r\ngateway.vietbaotinmoi.com\r\nweb.thoitietvietnam.org\r\nhn.dulichbiendao.org\r\nhalong.dulichculao.com\r\ncat.toonganuh.com\r\nnew.sggpnews.com\r\ndulichculao.com\r\nthoitiet.malware-sinkhole.net\r\nwouderfulu.impresstravel.ga\r\ntoonganuh.com\r\ncoco.sodexoa.com\r\nIPs:\r\n192.99.181.14\r\n176.223.165.122\r\nRTFs:\r\n42162c495e835cdf28670661a53d47d12255d9c791c1c5653673b25fb587ffed\r\n8.t:\r\n2c60d4312e4416745e56048ee35e694a79e1bc77e7e4d0b5811e64c84a72d2d7\r\nPE:\r\nf9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 (exe)\r\n9f5da7524817736cd85d87dae93fdbe478385baac1c0aa3102b6ad50d7e5e368 (dll)\r\nUpdate:\r\nThe payload is PlugX. Thanks to Gabor Szappanos\r\nhttps://twitter.com/GaborSzappanos/status/1024622354582908928\r\nUpdate IOCs:\r\n597c0c6f397eefb06155abdf5aa9a7476c977c44ef8bd9575b01359e96273486 59.rtf\r\n11f38b6a69978dad95c9b1479db9a8729ca57329855998bd41befc364657d654 RasTls.dll\r\nf9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 RasTls.exe\r\nb70069e1c8e829bfd7090ba3dfbf0e256fc7dfcefc6acafb3b53abcf2caa2253 b7.rtf\r\n77361b1ca09d6857d68cea052a0bb857e03d776d3e1943897315a80a19f20fc2 spoolsver.exe\r\n9fba998ab2c1b7fec39da9817b27768ba7892c0613c4be7c525989161981d2e2 vsodscpl.dll\r\n9d239ddd4c925d14e00b5a95827e9191bfda7d59858f141f6f5dcc52329838f0 9d.rtf\r\n087d8bee1db61273a7cd533d52b63265d3a8a8b897526d7849c48bcdba4b22ec RasTls.dll\r\nf9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 RasTls.exe\r\n332aa26d719a20f3a26b2b00a9ca5d2e090b33f5070b057f4950d4f088201ab9 rtf\r\n93aa353320a8e27923880401a4a0f3760374b4d17dcd709d351e612d589b969d vsodscpl.dll\r\n77361b1ca09d6857d68cea052a0bb857e03d776d3e1943897315a80a19f20fc2 ScnCfg.exe\r\nSource: https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?"
	],
	"report_names": [
		"malicious-document-targets-vietnamese-officials-acb3b9d8b80a?"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f21d7691-a720-46bb-81d7-11edb9f73eba",
			"created_at": "2023-11-08T02:00:07.126478Z",
			"updated_at": "2026-04-10T02:00:03.420826Z",
			"deleted_at": null,
			"main_name": "1937CN",
			"aliases": [],
			"source_name": "MISPGALAXY:1937CN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9de4109c60d0abbf4d986815169f04a78ceaf101.pdf",
		"text": "https://archive.orkl.eu/9de4109c60d0abbf4d986815169f04a78ceaf101.txt",
		"img": "https://archive.orkl.eu/9de4109c60d0abbf4d986815169f04a78ceaf101.jpg"
	}
}