APT malware intrusion alert intentionally to banks and national organizations

In the morning of 23/7/2018, VNCERT has ordered coordination, warning number 234 / VNCERT-ĐPƯC, to advised the banks and several key national organizations have active solutions to prevent cyber attack.

With this intentional attack, hackers have learned about their victims and performed fraud actions, combining with professional and high-tech actions to overcome protection system of banks and organizations. Their main intention is to taking users’ computer control rights, therefore creating a continuous attack to internal servers to stealing important information.

The main purpose of hackers is to steal fundamental information from banks and important national infrastructure organizations. With the use of high-tech attacks, the bank’s protection systems or critical infrastructure will difficult to detect in time, and at the same time help hackers maintain control of the information system.

Below is the guide how to examine MD5, SHA-1 code of the files and how to erase files contained malware (from VNCERT):

Hướng dẫn kiểm tra mã MD5, SHA-111

1. How to examine two codes MD5, SHA-1:

a) Download the examination software at: http://www.nirsoft.net/utils/hashmyfiles.zip (other credited examination software are allowed)
b) Checking: Extract the above file hashmyfiles.zip, then open the file ‘’HashMyFiles.exe’’. Left-click at File -> Add Files; then select the file that needs to examine. MD5 and SHA-1 codes will appear at the side of the screen. Perform a corresponding MD5 and SHA-1 collation in the accompanying document and follow step 2 for instructions on removing the file.

2. How to remove the files contained malware:

a) Confirming the malware: If the MD5 and SHA-1 codes overlap, the file on the computer is malware. If it’s not identical then cannot confirmed 100% that it is not malicious. It may not delete in this case but it needs to extract the file and perform an in-depth analysis. For computers containing malicious files, they should be immediately isolated and reported to VNCERT.
b) How to delete malicious files: Since this file is being executed, it is necessary to stop or shutdown this process before deleting. First, download the free software called “Process Explorer” from Microsoft at the address: https://download.sysinternals.com/files/ProcessExplorer.zip
Extract the file, then run the file ‘’procexp.exe’’.
– Proceed to find the corresponding process in the above document and right-click select Properties, in the Explore to open the path of the file, Autostart Location folder to display the location of the Registry values that malicious code created or change the value.
– Extract these suspicious or malicious files by clicking Create Dump, copy compressing and hard-coding the executable file to serve the investigation.
– Search for the corresponding process in the above and right click on “Suspend” or “Kill Process”.
Once you have made your selection, go to the corresponding path for deletion. Check for Registry values that have been created or changed and deleted.