FoundCore Malware Description
A new targeted attack campaign conducted by an APT (Advanced Persistent Threat) group with likely ties to China has been uncovered. It is believed the hackers responsible for the operation belong to the Cycldek group (a.k.a. Goblin Panda, APT 27, and Conimes), which has been active since at least 2013. The operation appears to be localized, with most of the observed targets being from Vietnam, followed by victims from Central Asia and Thailand. Most of the attacked entities operated in the government and military sectors, but victims were also observed in the diplomacy, healthcare, and education sectors.
The crux of the operation is the delivery of a new espionage remote access Trojan (RAT) named FoundCore. The threat gives the attackers near full control over the compromised system. It can manipulate the file system, start/stop processes, take screenshots, or execute arbitrary commands. When FoundCore is initiated, it creates four different harmful threads, each responsible for a different task. The first one establishes a persistence mechanism for the threat on the compromised system. The second modifies the service's registry information (its Description, ImagePath, and DisplayName values) to make it appear more inconspicuous. The third thread restricts access to the underlying malicious files by setting an empty Discretionary Access Control List (DACL) on the image file associated with the current process, so that no account is granted access to it. The final thread of FoundCore is tasked with establishing communication with the C2 server.
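The empty DACL described above leaves a fingerprint a defender can hunt for. The following PowerShell script is an added example, not code from the report or from the malware: it walks the service registry keys, resolves each ImagePath, and flags service binaries whose DACL holds no access control entries or cannot be read at all. It assumes an elevated local PowerShell session; the function names are assumptions of this example.

```powershell
function Resolve-ServiceImagePath {
    param([string]$RawImagePath)
    if ([string]::IsNullOrWhiteSpace($RawImagePath)) { return $null }
    # Expand %SystemRoot%-style variables and strip the \??\ and \SystemRoot
    # prefixes that service and driver ImagePath values commonly carry.
    $p = [Environment]::ExpandEnvironmentVariables($RawImagePath)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # Unquoted: take the first token as the path (unquoted paths with
        # spaces are mis-parsed here, and are themselves worth a look).
        $p = ($p -split ' ')[0]
    }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-ServiceBinariesWithEmptyDacl {
    $hits = @()
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        $image = Resolve-ServiceImagePath $props.ImagePath
        if (-not $image -or -not (Test-Path -LiteralPath $image)) { continue }
        $reason = $null
        try {
            $acl = Get-Acl -LiteralPath $image -ErrorAction Stop
            # Zero ACEs means an empty DACL (nobody but the owner gets access)
            # or a NULL DACL (everyone gets full control); neither is normal
            # for a service binary.
            if ($acl.Access.Count -eq 0) { $reason = 'empty or NULL DACL' }
        } catch {
            # An elevated admin that cannot read the security descriptor is
            # exactly what an empty DACL on a SYSTEM-owned file looks like.
            $reason = 'security descriptor unreadable (' + $_.Exception.GetType().Name + ')'
        }
        if ($reason) {
            $hits += [pscustomobject]@{
                Service = $svc.PSChildName; DisplayName = $props.DisplayName
                Description = $props.Description; ImagePath = $image; Reason = $reason
            }
        }
    }
    return $hits
}

Find-ServiceBinariesWithEmptyDacl | Format-Table -AutoSize
```

Each hit carries the service's DisplayName and Description so an analyst can also spot entries whose names mimic legitimate Windows services.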
As part of the infection chain, FoundCore delivered two auxiliary pieces of spyware. The first one, DropPhone, is capable of collecting various system information from the infected machine and exfiltrating it to DropBox. The second malware payload was CoreLoader, a threat that executes code designed to make the main malware harder for security products to detect.