Security researchers have released a report detailing activities of a sophisticated cyber espionage group believed to be operating out of China that has been targeting Southeast Asian government institutions over the past few years.
According to Bitdefender, the earliest signs of the campaign date back to November 2018, followed by an increase in activity by the Chinese APT group starting in early 2019. Since then, the group has compromised nearly 200 systems, with some clues suggesting that the threat actors gained access to domain controllers in the victim's network, allowing them to move laterally and potentially gain control over a large number of machines in that infrastructure.
“The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PCShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor. Some of these open source Remote Access Trojans (RATs) are known to be of Chinese origin, along with some other resources set to Chinese. The FunnyDream backdoor is far more complex than the others, implementing a wide range of persistence mechanisms and a large number of droppers, suggesting it’s custom-made,” the researchers said.
The investigation into the C&C infrastructure revealed that some of the command and control servers still remain operational, although the overall attacker-controlled infrastructure used in the attack appears to be inactive.
The researchers said that they have not been able to identify the infection vector, but some evidence indicates that the attacks were carried out via spam emails and social engineering techniques.
“Following the killchain, the first trace we observed was the execution of Chinoxy backdoor, whose role was to gain persistence in the victim’s system after initial access. Although Chinoxy acts as the main backdoor, we observed another component deployed by Chinoxy – it’s an open source Chinese RAT called PcShare. Both Chinoxy and PcShare have a persistence mechanism, the first backdoor being copied to the startup folder and the second one hijacking a COM object (MruPidlList). To evade detection, the Chinoxy dropper uses a digitally signed binary (Logitech Bluetooth Wizard Host Process) vulnerable to side-loading to load the backdoor DLL into memory,” the report said.
As for the FunnyDream backdoor, it was delivered to compromised machines mainly as a DLL, but also as an executable in some instances. Some of its capabilities include information gathering and exfiltration, cleaning up after itself, detection evasion, and command execution.
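The three techniques described in the quoted passage (a backdoor copied to the per-user Startup folder, a per-user COM registration hijacking MruPidlList, and a signed vendor binary side-loading an unsigned DLL) all leave telemetry that a host-based sensor records. The following is an added example, not code from Bitdefender or from the report, showing detection logic for each pattern over constructed Sysmon-style events. Assumptions: the pipe-separated `key=value` line format, the `ProcessSigned`/`ImageSigned` fields (which a real pipeline would join from Sysmon event 1 and event 7), the `VendorHost.exe`/`helper.dll`/`update.exe` names, and the SID are all constructed for the sample; the CLSID tagged as MruPidlList is taken from general knowledge of that COM object and does not appear in the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (pipe-separated key=value); not real telemetry.
# Event 11 = FileCreate, Event 13 = RegistryEvent (value set), Event 7 = ImageLoad.
SAMPLE_EVENTS = """\
EventID=11|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe
EventID=11|Image=C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\alice\\Documents\\notes.txt
EventID=13|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\\(Default)|Details=C:\\Users\\alice\\AppData\\Roaming\\svc\\helper.dll
EventID=13|Image=C:\\Windows\\regedit.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000001)
EventID=7|Image=C:\\Users\\alice\\AppData\\Roaming\\vendor\\VendorHost.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\vendor\\helper.dll|ProcessSigned=true|ImageSigned=false
EventID=7|Image=C:\\Program Files\\Vendor\\VendorHost.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|ProcessSigned=true|ImageSigned=true
"""

# Per-user and all-users Startup folders share this path suffix.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# HKCU\Software\Classes is consulted before HKLM, so a per-user InprocServer32 for a
# CLSID that legitimately lives in HKLM redirects the load to the attacker's DLL.
COM_HIJACK_RE = re.compile(r"\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32", re.IGNORECASE)

# Assumed from general knowledge (not stated in the article): CLSID usually associated with MruPidlList.
MRUPIDLLIST_CLSID = "{42aedc87-2188-41fd-b9a3-0c966feabec1}"

# Directories where an unsigned DLL load is far less suspicious than from a user-writable path.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line):
    """Turn one 'k=v|k=v' line into a dict; values may contain spaces but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def check_event(ev):
    """Return (technique, detail) when the event matches one of the three patterns, else None."""
    eid = ev.get("EventID")

    # 1. File written into a Startup folder (Chinoxy-style persistence).
    if eid == "11" and STARTUP_RE.search(ev.get("TargetFilename", "")):
        return ("startup-folder", ev["TargetFilename"])

    # 2. Per-user (HKU\<SID>) InprocServer32 registration for a CLSID (COM hijack).
    if eid == "13":
        target = ev.get("TargetObject", "")
        m = COM_HIJACK_RE.search(target)
        if m and target.upper().startswith("HKU\\"):
            clsid = m.group(1).lower()
            tag = "com-hijack-mrupidllist" if clsid == MRUPIDLLIST_CLSID else "com-hijack"
            return (tag, ev.get("Details", ""))

    # 3. Signed process loading an unsigned DLL from next to itself or from an untrusted path
    #    (the side-loading pattern used to get the backdoor DLL into memory).
    if eid == "7" and ev.get("ProcessSigned") == "true" and ev.get("ImageSigned") == "false":
        loaded = ev.get("ImageLoaded", "")
        same_dir = PureWindowsPath(loaded).parent == PureWindowsPath(ev.get("Image", "")).parent
        if same_dir or not in_trusted_dir(loaded):
            return ("dll-sideload", loaded)

    return None


def scan(log_text):
    """Run check_event over every non-empty line and collect the hits in order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = check_event(parse_event(line))
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for technique, detail in scan(SAMPLE_EVENTS):
        print(f"{technique:24} {detail}")
```

On a real host the same three checks map to: listing both Startup folders, enumerating `HKCU\Software\Classes\CLSID\*\InprocServer32` and comparing each CLSID against its `HKLM` counterpart, and reviewing image-load events where a signed process loads an unsigned DLL from its own directory outside Program Files.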
The malware is equipped with various components for performing actions such as file collection (Filepak and FilePakMonitor), taking screenshots (ScreenCap), logging keystrokes (Keyrecord), accessing internal networks (TcpBridge), and bypassing network restrictions (TcpTransfer).
“While having a C&C infrastructure based in the same region as the victims isn’t usually considered a sign that attackers share the same geographical region, the internet infrastructure within that particular region is highly restrictive. It’s likely that relying on a locally deployed C&C infrastructure would bring several advantages to the APT group. For instance, it could be easier to manage and control, while at the same time the C&C IPs wouldn’t be flagged as suspicious, as they would be part of the same regional internet infrastructure. Opting for a command and control infrastructure deployed anywhere else in the world would have potentially raised some security alarms. During this analysis, some forensic artefacts seem to suggest a Chinese-speaking APT group, as some of the resources found in several binaries had a language set to Chinese, and the Chinox,” Bitdefender noted.