Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs

Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs

China-linked APT Naikon employed a new backdoor in multiple cyber-espionage operations targeting military organizations from Southeast Asia in the last 2 years.

The Naikon APT group is a China-linked cyber espionage group that has been active at least since 2010 and that remained under the radar since 2015 while targeting entities in Asia-Pacific (APAC) region.

Organizations targeted by the group were located in multiple countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand.

The Naikon APT group mainly focuses on high-profile orgs, including government entities and military orgs.

Naikon made large use of DLL hijacking to execute the malicious code, while investigating sideloading techniques Bitdefender experts uncovered a long-running campaign associated with the NAIKON cyberespionage group.

Legitimate software abused by threat actors are:

  • ARO 2012 Tutorial
    • VirusScan On-Demand Scan Task Properties (McAfee, Inc.)
    • Sandboxie COM Services (BITS) 3.55.06 (SANDBOXIE L.T.D)
    • Outlook Item Finder 11.0.5510 (Microsoft Corporation)
    • Mobile Popup Application 16.00 (Quick Heal Technologies (P) Ltd.)

Unlike previous operations carried out by the group, in the latest attack, the APT employed a secondary backdoor, tracked Nebulae, to gain persistence on the infected systems.

“The malicious activity was conducted between June 2019 and March 2021. In the beginning of the operation the threat actors used Aria-Body loader and Nebulae as the first stage of the attack. From our observations, starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit.” reads the report published by Bitdefender.

The attribution to the Naikon threat actor is based on command-and-control servers and artifacts employed in the attacks.

The malware gains persistence by adding a new registry key to automatically execute the malicious code on system restarts after login.

Nebulae supports common backdoor capabilities, including the abilities to collect LogicalDrive information, manipulate files and folders, download and upload files from and to the command-and-control server, list/execute/terminate processes on compromised devices.

“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as backup access point to victim in the case of a negative scenario for actors,” continues Bitdefender.

The Naikon APT also delivered a first-stage payload tracked as RainyDay (aka FoundCore) used to deploy second-stage malware and tools, including the Nebulae backdoor.

The RainyDay backdoor was used to perform reconnaissance, upload its reverse proxy tools and scanners, execute the password dump tools, perform lateral movements, and achieve persistence.

The report published by the Bitdefender includes Indicators of Compromise (IoCs) related to the above attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook.

Pierluigi Paganini AuthorPierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.