VietNamNet Bridge - An email address ending in “gmail” and a subject line referring to Prime Minister Nguyen Tan Dung’s instructions has been sent to the email account of a newspaper reporter to steal information.


{keywords}

A reporter received an email sent from thuhuyenvpcp@gmail.com (vpcp is automatically interpreted as “van phong chinh phu” or government office). 

There was no content in the body of the email, but there was a file attached under the “.doc” mode with the name coinciding with the email’s subject.

BKAV, the leading internet security firm in Vietnam, has found the email contains malware.

Nguyen Minh Duc, a security expert from FPT Group, said the “.doc” file exploited the vulnerability of Microsoft Word which was made public in April 2014. If users have not updated the patch version for Microsoft Word, when they open the file, malware will be installed on the computer, collect information and send it to a server in the US. 

The subject of the email and the name of the attached file (about a Prime Minister’s conclusion on an issue) raised receivers’ curiosity, especially reporters, and prompted them to open the files to read the content.

According to Duc, this is a way of spreading malware commonly used by hackers. To date, 19 out of the existing 57 antivirus software products can recognize the files as viruses.

BKAV, after analyzing the email, found that the virus hidden in the attached document file was a variation of “Virus Bien Dong” (East Sea virus) which was regulated through the domain registered by a Chinese company.

“Virus Bien Dong” was first heard of in July 2014. A reporter of an online newspaper received an email with an attached file about an important report on protecting territorial waters and airspace.

The attached file was then analyzed by BKAV’s specialists, who said it contained malware called “Virus Bien Dong”.

Anh on June 6 said the two emails sent in July 2014 and June 2015 were likely from the same group of hackers. 

The server that regulated the malware sent in 2014 belonged to dubkill.com, while the server that sent in 2015 was moit.dubkill.com. 

According to Anh, the malware hidden in the email is RAT (Remote Access Trojan) which opens the back door on victims’ devices and allows remote access. 

The virus hidden in the document file was managed through a domain registered by a Chinese company.

The hackers were believed to exploit Microsoft Office’s hole - CVE-2012-0158 - to insert malware into the document file. After users open and download the file, “LMS.exe”, “dbghelp.dll” and “ticrf.rat” will be installed in the devices’ systems.

Buu Dien