Attackers possibly connected to the country's government

Mar 31, 2010 13:57 GMT

Google's Security Team warned yesterday that a computer trojan of Vietnamese origin is being used to attack individuals voicing their disapproval of recent politics in the country. The malware was discovered during the investigation into Operation Aurora, and its creators might have ties to the Vietnamese government.

"While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country," reports Neel Mehta on Google Security Team's blog.

Meanwhile, George Kurtz, chief technology officer at security giant McAfee, notes that his company identified this new threat while investigating the recent attack on Google and 30 other top U.S. companies, also known as Operation Aurora. McAfee security researchers originally thought this trojan was part of the same attack; however, they have since isolated it as a separate and unrelated piece of malware, dubbed W32/VulcanBot.

The trojan masquerades as a popular Vietnamese keyboard driver called VPSKeys, developed by the Vietnamese Professionals Society (VPS). The antivirus vendor believes that attackers compromised the vps.org website, replaced the legitimate package with the trojan installer, then used email to encourage unsuspecting victims to download and install it.

Once installed on a system, the malware connects to multiple command and control servers in order to receive instructions. McAfee's investigation revealed that these servers are mainly accessed by IP addresses in Vietnam.

Even though this threat is less sophisticated than the piece of malware used in Operation Aurora, given its purpose of silencing activists, ties to the Vietnamese government are not excluded. "We believe that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam," wrote Kurtz on the company's Security Insights blog.

McAfee's technical analysis of this malware reveals that it bears a striking resemblance to a trojan recently reported by researchers from Vietnamese antivirus vendor Bach Khoa Internetwork Security (BKIS), which masquerades as Adobe Reader or Java Update components. We have contacted BKIS about this similarity and we will update this article with their response.