Chinese Cyberespionage Campaign Used Another Backdoor

Bitdefender: Naikon Targeted Military Organizations in Southeast Asia
A Chinese advanced persistent threat group known as Naikon deployed a new malware backdoor to wage a lengthy cyberespionage campaign against military organizations in Southeast Asia, security firm Bitdefender reports.
The group used the new backdoor, Nebulae, to achieve persistence on a network. It relied on the Aria-Body loader for the initial compromise and switched to the RainyDay backdoor for that role in September 2020, researchers say. The APT group also deployed data exfiltration tools.
The cyberespionage campaign was conducted between June 2019 and March 2021, Bitdefender reports. "Our research confidently points to an operation conducted by the Naikon group based on the extraction of the C&C [command-and-control] addresses from Nebulae samples. The particular domain dns.seekvibega.com obtained from such a sample points to the Naikon infrastructure."
Using the RainyDay backdoor, the group "performed reconnaissance, uploaded its reverse proxy tools and scanners, executed the password dump tools, performed lateral movement, achieved persistence, all to compromise the victims’ network and to get to the information of interest," the Bitdefender report notes.
RainyDay achieved persistence by mimicking legitimate applications or by setting the binaries themselves to run automatically. The malware then deployed Nebulae to help maintain persistence, the report adds. Nebulae also can retrieve local drive information, move and delete files and communicate with the command-and-control server.
Once the backdoors were installed, Bitdefender says, the attackers deployed:
- Sbiedll.dll, an exfiltration tool that collected recently changed files with a specific extension and uploaded them to Dropbox.
- QuarksPwDump, a credential harvesting tool that obtained local passwords and domain cached credentials.
- Net.exe and Ping.exe, network tools used to check if a machine is up and running and then achieve lateral movement by running a command using wmic.exe on a remote machine.
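As an added defender-side illustration, not taken from the Bitdefender report or this article, the following Python sketch correlates the ping-then-wmic pattern described above over process-creation records; the host names, timestamps and command lines are constructed, and the ten-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2021-03-02T09:14:05", "image": "ping.exe",
     "cmd": "ping -n 1 10.0.0.25"},
    {"host": "WS-01", "time": "2021-03-02T09:14:40", "image": "wmic.exe",
     "cmd": 'wmic /node:10.0.0.25 process call create "<constructed placeholder>"'},
    {"host": "WS-02", "time": "2021-03-02T10:01:00", "image": "wmic.exe",
     "cmd": "wmic os get caption"},  # local query, no remote target
    {"host": "WS-03", "time": "2021-03-02T10:30:00", "image": "ping.exe",
     "cmd": "ping 10.0.0.77"},
    {"host": "WS-03", "time": "2021-03-02T11:30:00", "image": "wmic.exe",
     "cmd": "wmic /node:10.0.0.77 process call create <constructed placeholder>"},  # outside window
]

NODE_RE = re.compile(r'/node:"?([^\s",]+)', re.IGNORECASE)

def remote_wmic_target(cmd):
    """Return the /node: target of a wmic command line, or None if it runs locally."""
    m = NODE_RE.search(cmd)
    return m.group(1) if m else None

def detect_ping_then_wmic(events, window_minutes=10):
    """Flag hosts where ping.exe probed a target and wmic.exe then ran a remote
    command against that same target within the window (assumed 10 minutes)."""
    parse = lambda e: datetime.fromisoformat(e["time"])
    events = sorted(events, key=parse)
    findings = []
    for i, ev in enumerate(events):
        if ev["image"].lower() != "wmic.exe":
            continue
        target = remote_wmic_target(ev["cmd"])
        if target is None:
            continue
        t_wmic = parse(ev)
        # Look back on the same host for a ping of the same target inside the window.
        for prior in events[:i]:
            if (prior["host"] == ev["host"]
                    and prior["image"].lower() == "ping.exe"
                    and target in prior["cmd"]
                    and t_wmic - parse(prior) <= timedelta(minutes=window_minutes)):
                findings.append({"host": ev["host"], "target": target,
                                 "ping_time": prior["time"], "wmic_time": ev["time"]})
                break
    return findings

if __name__ == "__main__":
    for f in detect_ping_then_wmic(SAMPLE_EVENTS):
        print(f"{f['host']}: pinged {f['target']} at {f['ping_time']}, remote wmic at {f['wmic_time']}")
```

Widening the window trades false positives for recall; with the constructed data, a 90-minute window also catches the WS-03 chain.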
Naikon was first identified by Kaspersky researchers in 2015. At the time, analysts noted that the hackers, who appeared to be Chinese-speaking, were mainly targeting government agencies, as well as civilian and military organizations, in countries throughout Southeast Asia and the South China Sea. Kaspersky noted at the time: “The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven’t discovered any exact matches.”
According to a 2015 report by ThreatConnect, Naikon is associated with a Chinese military unit - the People’s Liberation Army Chengdu Military Region Second Technical Reconnaissance Bureau Military Unit Cover Designator 78020, shortened to PLA Unit 78020.
After Kaspersky issued its report on Naikon, the group's activities appeared to stop.
Then in May 2020, the security firm Check Point reported that the group was deploying a new type of remote access Trojan called Aria-body as a backdoor into government networks in the Asia-Pacific region (see: APT Group Wages 5-Year Cyber-Espionage Campaign: Report).