For the last five years, an advanced group of Chinese hackers has been launching cyber espionage operations against government entities in the Asia-Pacific (APAC) region in search of geopolitical intelligence, according to a new report from Check Point Research.
Based on the gathered evidence, the researchers attributed the attacks to the Naikon APT group, which disappeared off the radar in 2015 after a report exposed the group's infrastructure and even identified one of its members. However, the group had not gone silent, as initially suspected, but instead had been attacking government entities in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei using a new stealthy backdoor dubbed Aria-body.
The victims include ministries of foreign affairs, science and technology ministries, as well as government-owned companies.
“Given the characteristics of the victims and capabilities presented by the group, it is evident that the group’s purpose is to gather intelligence and spy on the countries whose Governments it has targeted. This includes not only locating and collecting specific documents from infected computers and networks within government departments, but also extracting data from removable drives, taking screenshots and keylogging, and of course harvesting the stolen data for espionage,” the researchers said.
“And if that wasn’t enough, to evade detection when accessing remote servers through sensitive governmental networks, the group compromised and used servers within the infected ministries as command and control servers to collect, relay and route the stolen data,” Check Point added.
Researchers observed several different infection chains being used to deliver the Aria-body backdoor. They first came across the campaign in an email sent to the Australian government that purported to come from a government embassy in the APAC region. The email carried a document named “The Indians Way.doc.”
The document was in fact an RTF file built with RoyalRoad, an RTF weaponizer shared mostly among Chinese threat actors. The RoyalRoad-built document dropped a loader named intel.wll into the target PC’s Word startup folder, from which Word loads it automatically on launch. This loader then downloaded and executed the next-stage payload.
Other observed infection methods include:
- Archive files containing a legitimate executable alongside a malicious DLL, so that a DLL hijacking (side-loading) technique causes a legitimate executable such as Outlook or the Avast proxy to load the malicious DLL.
- An executable file delivered directly, which itself serves as the loader.
Once an initial foothold was gained, the loader established a connection with a command and control server to download the next-stage Aria-body backdoor payload.
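The persistence mechanism described above, a loader dropped as a .wll add-in into the Word startup folder, is something defenders can hunt for directly. The following is an added example, not code from the Check Point report: it classifies file paths from an inventory or EDR export, flagging anything Word would auto-load from a STARTUP folder. The per-user `%APPDATA%\Microsoft\Word\STARTUP` location is the one the report describes; the Office-wide STARTUP path is an assumption for a typical Click-to-Run install and varies by version, and the sample paths are constructed.

```python
"""Hunt for Word add-in loaders (.wll) placed in Word STARTUP folders."""
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Folders Word loads add-ins from at launch. The first is the per-user folder
# (%APPDATA%\Microsoft\Word\STARTUP); the second is an assumed Office-wide
# Click-to-Run path and should be adjusted to the installed version.
STARTUP_FOLDER_SUFFIXES = (
    r"\Microsoft\Word\STARTUP",
    r"\Microsoft Office\root\Office16\STARTUP",
)

# Extensions Word executes from STARTUP. A .wll is a renamed DLL, so it runs
# native code and is the highest-risk finding; .dot/.dotm carry macros.
RISKY_EXTENSIONS = {".wll": "high", ".dotm": "medium", ".dot": "medium"}


def classify_startup_entry(path: str) -> Optional[dict]:
    """Return a finding if Word would auto-load this file, otherwise None."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if not any(parent.endswith(s.lower()) for s in STARTUP_FOLDER_SUFFIXES):
        return None  # not inside a Word STARTUP folder
    risk = RISKY_EXTENSIONS.get(p.suffix.lower())
    if risk is None:
        return None  # Word ignores this extension in STARTUP
    return {"path": path, "name": p.name, "risk": risk}


def hunt(paths: Iterable[str]) -> List[dict]:
    """Classify every path and return findings, highest risk first."""
    findings = [f for f in map(classify_startup_entry, paths) if f]
    return sorted(findings, key=lambda f: (f["risk"] != "high", f["path"]))


# Constructed sample inventory, not real telemetry. Only the .wll inside the
# per-user STARTUP folder should be reported; the others are benign locations.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"C:\Program Files\Microsoft Office\root\Office16\STARTUP\readme.txt",
    r"C:\Users\alice\Documents\The Indians Way.doc",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_INVENTORY):
        print(f"[{finding['risk']}] {finding['path']}")
```

On a live host, feed `hunt()` the output of a recursive directory listing of the two STARTUP folders; any .wll that is not a known, signed add-in deserves a closer look.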
“After getting the C&C domain, the loader contacts it to download the next and final stage of the infection chain. Although it sounds simple, the attackers operate the C&C server in a limited daily window, going online only for a few hours each day, making it harder to gain access to the advanced parts of the infection chain,” the researchers noted.
The Aria-body backdoor incorporates a slew of capabilities: it is able to create and delete files and directories, take screenshots, search for files, gather file metadata, and collect system and location information.
“While the Naikon APT group has kept under the radar for the past 5 years, it appears that they have not been idle. In fact, quite the opposite. By utilizing new server infrastructure, ever-changing loader variants, in-memory fileless loading, as well as a new backdoor – the Naikon APT group was able to prevent analysts from tracing their activity back to them,” the research team concluded.