Hacker group “Mysterious Elephant” targets Asian government agencies

Published 17 October 2025

In recent months, the cybersecurity community has identified a new hacker group named Mysterious Elephant, which is being assessed as a formidable threat in the Asia-Pacific region.

According to the research team, the group has continuously developed its attack tooling from 2023 to the present, focusing on government agencies and diplomatic organizations with the aim of collecting confidential information and maintaining long-term access.

Mysterious Elephant's early campaigns appeared simple, such as using spoofed emails to deliver malicious Office documents. By 2025, however, their techniques had been upgraded significantly.

When the victim opens the document, the attackers exploit CVE-2017-11882, a vulnerability in the Microsoft Office Equation Editor. This is a long-known flaw that remains effective because many users and organizations have not applied the patch. Once the vulnerability is exploited, the document automatically launches a PowerShell command to download a piece of malware called BabShell, regarded as the group's foundational tool. BabShell operates silently, letting the attackers install additional components without leaving traces on disk.

After the initial intrusion, Mysterious Elephant deploys a second loader, MemLoader HidenDesk (a tool injected directly into memory, which hides its activity from antivirus software and reduces forensic traces).

Once running, this malware installs a remote access trojan (RAT), allowing the attackers to control the system, move laterally to other machines on the internal network and collect sensitive data. The group's main objective is to steal WhatsApp data, including documents, images, archive files and more. The data is lightly encrypted with XOR and then sent to the command-and-control (C2) server via disguised domains such as Storycentral.net or monsoonconference.com, making the traffic look like ordinary web activity.

This campaign shows the sophistication and persistence characteristic of APT (Advanced Persistent Threat) groups. The use of open-source tools combined with custom-written malware indicates that Mysterious Elephant has a high level of technical skill and a deep understanding of enterprise security mechanisms. The recorded scope of attacks is mainly state agencies, diplomatic organizations and the financial sector, and the group's interest extends across the whole Asia-Pacific region.

If not detected early, the group can maintain access for months, collecting strategic information or using the foothold as a springboard for further attacks.

To limit the risk from campaigns like Mysterious Elephant, organizations should:

- Apply all security patches, especially for old flaws such as CVE-2017-11882.
- Train staff to recognize phishing emails and not to open suspicious attachments.
- Monitor network traffic to detect connections to suspicious domains.
- Deploy EDR/XDR solutions to detect abnormal in-memory activity.
- Review system logs regularly for signs of suspicious PowerShell or DLL use.

Mysterious Elephant shows that old vulnerabilities remain an effective “backdoor” when users neglect updates. Given the growth of APT groups in the region, agencies and businesses need to defend proactively rather than only reacting after they have been attacked.

WhiteHat

Source: https://whitehat.vn/threads/nhom-hacker-mysterious-elephant-nham-muc-tieu-vao-cac-co-quan-chinh-phu-chau-a.18846/