18 November 2020

Chinese APT targets Southeast Asian governments

Security researchers have released a report detailing activities of a sophisticated cyber espionage group believed to be operating out of China that has been targeting Southeast Asian government institutions over the past few years.

According to Bitdefender, the earliest signs of the campaign date back to November 2018, followed by an increase in the group's activity starting in early 2019. Since then the group has compromised nearly 200 systems, and some clues suggest the attackers gained access to domain controllers on the victims' networks, allowing them to move laterally and potentially control a large number of machines in those environments.

“The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PCShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor. Some of these open source Remote Access Trojans (RATs) are known to be of Chinese origin, along with some other resources set to Chinese. The FunnyDream backdoor is far more complex than the others, implementing a wide range of persistence mechanisms and a large number of droppers, suggesting it’s custom-made,” the researchers said.

The investigation into the C&C infrastructure revealed that some of the command-and-control servers remain operational, although the overall attacker-controlled infrastructure used in the attack appears to be inactive.

The researchers said they have not been able to identify the infection vector, but some evidence indicates the attacks were carried out via spam emails and social engineering.

“Following the killchain, the first trace we observed was the execution of Chinoxy backdoor, whose role was to gain persistence in the victim’s system after initial access. Although Chinoxy acts as the main backdoor, we observed another component deployed by Chinoxy – it’s an open source Chinese RAT called PcShare. Both Chinoxy and PcShare have a persistence mechanism, the first backdoor being copied to the startup folder and the second one hijacking a COM object (MruPidlList). To evade detection, the Chinoxy dropper uses a digitally signed binary (Logitech Bluetooth Wizard Host Process) vulnerable to side-loading to load the backdoor DLL into memory,” the report said.

As for the FunnyDream backdoor, it was delivered to compromised machines mainly as a DLL, though in some instances as an executable. Its capabilities include information gathering and exfiltration, cleaning up after itself, detection evasion, and command execution.

The malware is equipped with various components for performing actions such as file collection (Filepak and FilePakMonitor), taking screenshots (ScreenCap), logging keystrokes (Keyrecord), accessing internal networks (TcpBridge), and bypassing network restrictions (TcpTransfer).

“While having a C&C infrastructure based in the same region as the victims isn’t usually considered a sign that attackers share the same geographical region, the internet infrastructure within that particular region is highly restrictive. It’s likely that relying on a locally deployed C&C infrastructure would bring several advantages to the APT group. For instance, it could be easier to manage and control, while at the same time the C&C IPs wouldn’t be flagged as suspicious, as they would be part of the same regional internet infrastructure. Opting for a command and control infrastructure deployed anywhere else in the world would have potentially raised some security alarms. During this analysis, some forensic artefacts seem to suggest a Chinese-speaking APT group, as some of the resources found in several binaries had a language set to Chinese, and the Chinox,” Bitdefender noted.
