29 April 2021

Naikon APT deploys new backdoor in attacks against military orgs in Southeast Asia


A China-linked cyber-espionage group has deployed a new backdoor in attacks targeting military organizations located in Southeast Asia with the goal of collecting data.

The culprit behind the attacks has been identified as Naikon, a threat actor known for targeting organizations from multiple countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand. The group, which has been active since at least 2010, is mainly focused on high-profile organizations, including government entities and military orgs.

During the campaign, which ran from June 2019 to March 2021, the group abused legitimate software to side-load a backdoor dubbed Nebulae. Nebulae let the attackers collect system information, manipulate files and folders, download files from the command-and-control server, and execute, list or terminate processes on compromised devices.
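Side-loading of this kind leaves a recognisable trace in image-load telemetry: a DLL carrying the name of a Windows system library is loaded from the directory of the process that loaded it, outside the Windows system directories, and carries no valid signature. The following hunting script is an added illustration and is not code from Bitdefender or from the Naikon toolset; it assumes Sysmon Event ID 7 (ImageLoaded) records already parsed into Python dicts with the `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields, and the sample records, paths and the DLL name `version.dll` in it are constructed for the example.

```python
"""Hunt for DLL side-loading in parsed Sysmon ImageLoaded (Event ID 7) records.

Added illustrative example, not code from the Bitdefender report or the Naikon
toolset. Records are assumed to be dicts with the Sysmon field names used below;
the sample events at the bottom are constructed for this example.
"""
from pathlib import PureWindowsPath

# Windows directories that legitimately serve system DLLs. A DLL loaded from one
# of these is not, by itself, a side-loading indicator.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
}


def _parent(path):
    """Lower-cased directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    """Lower-cased file name part of a Windows path."""
    return PureWindowsPath(path).name.lower()


def find_sideloads(events):
    """Return the Event ID 7 records that match the side-loading pattern.

    Pass 1 learns which DLL file names are normally served from the trusted
    system directories in this telemetry. Pass 2 flags a load when:
      * the DLL has one of those system names,
      * it was loaded from outside the trusted directories,
      * it sits in the same directory as the process that loaded it, and
      * it does not carry a valid Authenticode signature.
    """
    system_names = set()
    for e in events:
        if e.get("EventID") == 7 and _parent(e["ImageLoaded"]) in TRUSTED_DLL_DIRS:
            system_names.add(_name(e["ImageLoaded"]))

    hits = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        dll = e["ImageLoaded"]
        dll_dir = _parent(dll)
        if dll_dir in TRUSTED_DLL_DIRS:
            continue
        if _name(dll) not in system_names:
            continue
        # The hijacked executable looks for the DLL in its own directory first.
        if dll_dir != _parent(e["Image"]):
            continue
        signed_ok = (e.get("Signed", "false").lower() == "true"
                     and e.get("SignatureStatus") == "Valid")
        if signed_ok:
            continue
        hits.append(e)
    return hits


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    # Normal system DLL loads; these teach the hunt which names are "system" names.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\wininet.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A third-party application loading its own signed helper: not flagged.
    {"EventID": 7, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A legitimate executable dropped in a user-writable directory next to an
    # unsigned DLL named like a system library: the side-loading pattern.
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\tool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unsigned DLL loaded from a directory other than the process's own:
    # suspicious, but not the side-loading pattern this hunt targets.
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\tool.exe",
     "ImageLoaded": r"C:\Temp\wininet.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

Two caveats for real use: Sysmon's Event ID 7 reports the signature of the loaded DLL only, so whether the host executable is itself a legitimately signed binary has to come from another source (a process-creation record or a file-hash lookup); and vendors do ship their own copies of system-named DLLs, so a hit is a lead to triage (check the hash and the directory's ACLs), not a verdict.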

“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as a backup access point to the victim in the case of a negative scenario for the actors,” according to researchers at Bitdefender's Cyber Threat Intelligence Lab.

In the observed attacks the Nebulae malware was deployed together with the Aria-Body loader. Nebulae was discovered while analysing the main instrument of this operation, the RainyDay backdoor, through which several other custom-made or publicly available tools were brought in during the attack life cycle.

The RainyDay backdoor allowed the threat actor to perform reconnaissance, upload reverse-proxy tools and scanners, run password-dumping tools, move laterally, establish persistence, and collect the information of interest.

The researchers attributed the cyber-espionage campaign to Naikon based on overlaps in command-and-control infrastructure and on the use of payloads from the Aria-Body loader malware family, which was seen in Naikon's past attacks.
