A group of Chinese hackers has been spotted behind a cyber-espionage campaign against the governments of Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei that went unnoticed for at least five years and remains an ongoing threat.
The Naikon APT group, regarded as one of the most active APTs in Asia until 2015, has been carrying out a series of cyber attacks in the Asia-Pacific (APAC) region in search of geopolitical intelligence.
According to Check Point's latest research, which the researchers shared with The Hacker News, the Naikon APT group has not been dormant for the past five years, as originally thought, but has been operating quietly with a new backdoor called Aria-body.
Given the characteristics of the victims and the capabilities of the group, it is clear that its purpose is to gather intelligence and spy on the countries it targets, the researchers said.
In short, the Aria-body backdoor is used to gain control of the target organisation's internal networks, and to launch attacks from one already compromised organisation in order to infect another.
This includes not only searching for and collecting specific documents from infected computers and networks within government departments, but also extracting data from removable drives, taking screenshots and logging keystrokes, and exfiltrating the stolen data for espionage purposes.
Geopolitical Intelligence Campaign
Naikon APT, first documented in 2015, uses crafted emails as the initial attack vector against top-level government agencies, as well as civilian and military organisations; when opened, the attachments install spyware that exfiltrates sensitive documents to remote command-and-control (C2) servers.
Although no new signs of activity had been reported since then, Check Point's latest investigation sheds new light on the group's activities.
"Naikon tried to attack one of our customers by posing as a foreign government – that is when they came back on our radar after an absence of five years, and we decided to investigate further," said Lotem Finkelsteen, head of threat intelligence at Check Point.
Multiple infection chains were used to deliver the Aria-body backdoor. In one, the malicious email carried an RTF file (named "The Indians Way.doc") weaponised with the RoyalRoad exploit builder, which drops a loader (intel.wll) into the Microsoft Word startup folder (%APPDATA%\Microsoft\Word\STARTUP), from which Word loads it as an add-in every time it starts.
RoyalRoad is an RTF weaponiser shared mainly among Chinese threat actors. Notably, the same tool was linked to a campaign against Mongolian government institutions, dubbed Vicious Panda, which used the ongoing coronavirus pandemic as a social-engineering lure to deliver malware.
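The Word STARTUP folder is a persistence location most endpoint inventories never look at. The following script, an added example that is not part of Check Point's report or tooling, lists every global add-in or template (.wll, .dot, .dotm, .dotx) in that folder and flags anything that is not on a known-good allow-list. The allow-list, the file names and the sample folder contents are constructed for the example; the stand-in intel.wll is a few harmless bytes, not the real loader.

```python
"""Inventory Word's STARTUP folder and flag add-ins that are not allow-listed.

Added example (not Check Point's code). Word auto-loads every .wll/.dot*
file placed in %APPDATA%\\Microsoft\\Word\\STARTUP, which is exactly where the
Naikon chain drops its intel.wll loader. Everything below that is not a
documented Office fact (allow-list, sample files) is constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types Word treats as global templates/add-ins when found in STARTUP.
ADDIN_SUFFIXES = {".wll", ".dot", ".dotm", ".dotx"}


def default_startup_dir() -> Path:
    """Resolve %APPDATA%\\Microsoft\\Word\\STARTUP for the current user (Windows)."""
    appdata = os.environ.get("APPDATA")
    if appdata is None:
        raise RuntimeError("APPDATA is not set; run this on a Windows user session")
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP"


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large add-ins do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspicious_addins(startup_dir, allowlist=frozenset()):
    """Return [(name, size_bytes, sha256)] for add-ins not covered by the allow-list.

    An entry is allowed if its lower-cased file name or its SHA-256 is in
    allowlist; hashing is the stronger check, the name check exists only for
    templates that are rebuilt frequently.
    """
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return []  # no STARTUP folder means nothing is auto-loaded from it
    findings = []
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in ADDIN_SUFFIXES:
            continue
        digest = sha256_of(entry)
        if entry.name.lower() in allowlist or digest in allowlist:
            continue
        findings.append((entry.name, entry.stat().st_size, digest))
    return findings


def demo():
    """Constructed STARTUP folder: one allow-listed template, one unknown .wll, one non-add-in."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)
        (startup / "CompanyTemplate.dotm").write_bytes(b"benign template (constructed)")
        # Stand-in for the dropped loader: a fake MZ header plus filler, not real malware.
        (startup / "intel.wll").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in")
        (startup / "readme.txt").write_bytes(b"not an add-in, ignored")
        allow = frozenset({"companytemplate.dotm"})  # constructed allow-list
        return find_suspicious_addins(startup, allow)


if __name__ == "__main__":
    for name, size, digest in demo():
        print(f"UNKNOWN ADD-IN: {name} ({size} bytes) sha256={digest}")
    try:
        for name, size, digest in find_suspicious_addins(default_startup_dir()):
            print(f"LIVE: {name} ({size} bytes) sha256={digest}")
    except RuntimeError as err:
        print(f"skipped live scan: {err}")
```

Run it under each interactive user's profile, not only the administrator's, since STARTUP is per-user; on a fleet, ship the allow-list as hashes and treat any new .wll as an alert rather than a curiosity.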
In a separate infection mechanism, archive files were bundled with a legitimate executable (such as Outlook or Avast Proxy) and a malicious DLL that the executable side-loads, which drops the loader on the target system.
Regardless of the method used to gain the initial foothold, the loader then connects to the C2 server to download the next-stage Aria-body backdoor.
"After receiving the C&C domain, the loader contacts it to download the next and final stage in the infection chain," the researchers found. "Although it sounds simple, the attackers operate the C&C server in a limited daily window, bringing it online for only a few hours each day, which makes it harder to obtain the advanced parts of the infection chain."
The Aria-body RAT, which takes its name from the filename aria-body-dllX86.dll given to the malware by its authors, has all the features one would expect of a typical backdoor: creating and deleting files and folders, taking screenshots, searching for files, collecting file metadata, collecting system and location information, and more.
According to the researchers, some newer variants of Aria-body can also capture keystrokes and even load additional extensions, indicating that the backdoor is under active development.
In addition to exfiltrating all the collected data to the C2 server, the backdoor listens for further commands to execute.
Further analysis of the C2 infrastructure showed that several domains were used over long periods, with the same IP address reused for more than one domain.
To take evasion a step further, the adversary compromised servers inside the infected ministries and used them as C2 servers to launch attacks and to relay and forward stolen data, rather than risking detection by connecting to remote servers.
Connection to Naikon APT
Check Point attributed the campaign to Naikon APT based on code similarities between Aria-body and the espionage tool Kaspersky detailed in 2015 (called XSControl), and on the use of C2 domains (mopo3[.]net) that resolved to the same IP addresses as the latter's (myanmartech.vicp[.]net).
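The infrastructure pivot described above (a new-campaign domain resolving to the same address as an older Naikon domain) is a routine passive-DNS clustering step. The script below is an added example, not Check Point's analysis or data: it takes (domain, IP, first-seen, last-seen) records and reports which domains share an address. The resolution records are constructed for the example and the IP addresses come from the RFC 5737 documentation ranges; the real addresses are not on this page and are not reproduced here.

```python
"""Cluster C2 domains by shared IP address from passive-DNS style records.

Added example (not Check Point's tooling). Domains are kept defanged
(mopo3[.]net) at the boundary and refanged only for comparison. All records
below are CONSTRUCTED for the example; the IPs are documentation addresses.
"""
from collections import defaultdict
from datetime import date


def refang(indicator: str) -> str:
    """Turn mopo3[.]net back into mopo3.net for comparison."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Make a domain safe to paste into reports/chat without auto-linking."""
    return indicator.replace(".", "[.]")


# (domain, ip, first_seen, last_seen): constructed sample passive-DNS records.
# Only the two Naikon domain names come from the article; dates and IPs are made up.
SAMPLE_RECORDS = [
    ("mopo3[.]net",             "203.0.113.10", date(2019, 6, 1),  date(2020, 3, 15)),
    ("myanmartech.vicp[.]net",  "203.0.113.10", date(2015, 2, 3),  date(2015, 11, 30)),
    ("myanmartech.vicp[.]net",  "198.51.100.7", date(2014, 9, 1),  date(2015, 2, 2)),
    ("cdn-static[.]example",    "203.0.113.10", date(2020, 2, 1),  date(2020, 4, 20)),
    ("unrelated-site[.]example", "192.0.2.44",  date(2020, 1, 1),  date(2020, 4, 1)),
]


def cluster_by_ip(records):
    """Map each IP to the set of (refanged) domains that ever resolved to it."""
    by_ip = defaultdict(set)
    for domain, ip, _first, _last in records:
        by_ip[ip].add(refang(domain))
    return by_ip


def shared_infrastructure(records, min_domains=2):
    """IPs shared by at least min_domains domains, with the overall observation span.

    Returns a sorted list of (ip, sorted_domains, (first_seen, last_seen)).
    """
    by_ip = cluster_by_ip(records)
    spans = {}
    for _domain, ip, first, last in records:
        lo, hi = spans.get(ip, (first, last))
        spans[ip] = (min(lo, first), max(hi, last))
    return sorted(
        (ip, sorted(domains), spans[ip])
        for ip, domains in by_ip.items()
        if len(domains) >= min_domains
    )


def pivot_from(records, seed_domain):
    """Domains that share any IP with seed_domain, excluding the seed itself."""
    seed = refang(seed_domain)
    related = set()
    for domains in cluster_by_ip(records).values():
        if seed in domains:
            related |= domains - {seed}
    return sorted(related)


if __name__ == "__main__":
    for ip, domains, (first, last) in shared_infrastructure(SAMPLE_RECORDS):
        print(f"{ip}: {', '.join(defang(d) for d in domains)}  ({first} .. {last})")
    print("pivot from mopo3[.]net:", [defang(d) for d in pivot_from(SAMPLE_RECORDS, "mopo3[.]net")])
```

The constructed cdn-static[.]example record is there on purpose: a shared address on its own is weak evidence, because shared hosting and CDN nodes put unrelated domains on one IP. Treat an IP overlap as a lead that still needs the kind of code-level similarity Check Point paired it with (the XSControl comparison) before calling it attribution, and check the observation dates so that a domain parked on a recycled address years later is not mistaken for the same operator.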
"Although the Naikon APT group has stayed under the radar for five years, it does not appear to have been inactive," Check Point concluded. "In fact, quite the opposite. With a new server infrastructure, ever-changing loader variants, fileless in-memory loading and a new backdoor, the Naikon APT group was able to keep analysts from tracing its activity."