New Trojan, Vecebot, Targets Anti-Communist Bloggers

A new family of Trojan Horse programs is being used to stifle political opposition to the Communist Party in Vietnam, according to an analysis by researchers at SecureWorks. The Trojan, dubbed Vecebot, is a new family of malware and has been linked to distributed denial of service (DDoS) attacks against bloggers who have written critically of the ruling Communist Party and Chinese mining operations in the country, SecureWorks said.


The targets of the Vecebot botnet, estimated at between 20,000 and 30,000 hosts, include popular Vietnamese blogs and online forums, the analysis found. The release of Vecebot may have been coordinated with what was billed as “Vietnam Blogger Day” on October 19, a coordinated online civil action to celebrate the release of a blogger and political prisoner who used the name Dieu Cay, the SecureWorks analysis said. 

If accurate, the analysis identifies what would be just the latest example of malware attacks that appear to have political, rather than strictly commercial, objectives. The SecureWorks analysis points to connections between Vecebot and an earlier Trojan, Vulcanbot, which also targeted anti-Communist Web sites in Vietnam with DDoS attacks and other targeted hacks. Domains used for the Vecebot command and control servers are similar to those used in the earlier Vulcanbot attacks, according to a report by the SecureWorks Counter Threat Unit.

Politically motivated hacking and malware have become more prevalent in recent years. Well-publicized incidents such as the GhostNet attacks on the Tibetan Government in Exile and the Aurora attacks on Western firms, including Google, seem to have clear political objectives. At the same time, denial of service attacks have become a staple of cyber offensive strategy.

With scant evidence that Vecebot serves any criminal or commercial purposes, SecureWorks says it appears clear that the botnet was created to silence online critics of the Vietnamese political establishment. 


Discussion

  • Anonymous on

    The caption shown below the picture in the article is either incorrect or misleading. The webpage shown is the first screen greeting those who visit the website "www.x-cafevn.org". The site uses the "CAPTCHA" tool to verify the visitors are "human" and not machines trying to flood it with DoS attacks. Successful entry is granted, and contents displayed, when the challenge is correctly solved by entering only those alpha-numeric characters that are underlined.
  • Joe Stewart on

    quote: The site uses the "CAPTCHA" tool to verify the visitors are "human" and not machines trying to flood it with DoS attacks.

    Regardless, that's the page the bot is attempting to break the CAPTCHA for; this is part of the bot's actual code and the specific pages of that CAPTCHA system are targeted in the bot config file. I agree that it doesn't make a lot of sense, unless the site is also deploying packet-level filtering to block IPs who fail the CAPTCHA too many times.

  • Anonymous on

    On the original article posted at SecureWorks, there is a paragraph: "Although speculation has so far been that the Vulcanbot attacks were orchestrated by the Vietnamese government or the Vietnamese Communist Party, there has been no solid evidence presented that connects anyone in the government or political establishment to the attacks." which is politically reserved. The fact is, all the websites, forums and blogs which are classified as "reactionary" (phan dong) or "not mainstream" (le trai) are actually restricted from viewing from inside Vietnam one way or another, mostly by firewalls or content filtering systems. Whoever inside Vietnam would like to view these websites, forums or blogs must use an anonymous proxy. Interestingly, every time a surge of DDoS happens to these "reactionary" websites, the restrictions from inside Vietnam are temporarily lifted. In Vietnam, these things are controlled by the Communist Government. Therefore, there is no doubt the Communist Vietnamese Government is directly involved in these attacks.
