Naikon APT, a threat actor with suspected links to the Chinese government, has been behind a wide range of cyberespionage campaigns that mainly target military organizations in Southeast Asia, and according to new security research has been doing so for nearly two years.
The attacks were attributed to the Naikon hacking group by a security research firm, which laid out the changing tactics, techniques, and procedures adopted by the group, including two newly created backdoor tools, Nebulae and RainyDay, used in its data-stealing campaigns. The malicious activity was observed from June 2019 to March 2021.
At the beginning of the threat actors' operations, the researchers said, the group used the Aria-body loader and Nebulae as the first stage of an attack. From September onwards, Naikon also added the RainyDay backdoor to its toolkit. The researchers have verified that the purpose of the operation was cyberespionage and data theft.
Naikon, also known as Override Panda, Lotus Panda or Hellsing, has a track record of mainly targeting government organizations in the Asia-Pacific (APAC) region in search of geopolitical intelligence.
The group was initially assumed to have gone off the radar after it was exposed in 2015. Evidence emerged in May 2021 that the adversary was using a new backdoor tool called "Aria-body", which stealthily breaks into targeted networks and uses the compromised infrastructure as a command-and-control (C2) server to launch follow-up attacks against the organization.
The security research firm has identified a new wave of attacks that employed RainyDay as the primary backdoor, which the threat actors used to conduct reconnaissance, move laterally across the network, exfiltrate sensitive data, and deliver additional payloads. The backdoor is executed through DLL side-loading, a tried-and-tested technique in which a malicious DLL is placed where a legitimate program, such as Outlook Item Finder, will load it, thereby hijacking that program's flow of execution.
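DLL side-loading of the kind described above leaves a recognizable footprint in image-load telemetry: a signed executable running from a user-writable folder loads an unsigned DLL from that same folder. The following Python is an added detection example, not code from the article or from the researchers it cites; the Sysmon-style field names, paths and events are constructed for illustration and are not real indicators.

```python
"""Heuristic detection of DLL side-loading over constructed Sysmon-style
image-load (Event ID 7) records. The records, paths and field names below are
constructed for this example, not taken from any real environment."""
import ntpath  # Windows path handling regardless of the host OS
from typing import Dict, List

# Directories in which a legitimately installed signed executable is expected
# to live; a signed binary copied elsewhere is a common side-loading setup.
TRUSTED_PARENTS = (
    r"c:\windows\system32",
    r"c:\program files",  # also a prefix of "c:\program files (x86)"
)

# Constructed sample events (field names modelled on Sysmon Event ID 7).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: system DLL loaded from System32 by an installed program.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: a binary copied to a user-writable folder loads an unsigned
    # DLL sitting next to it, the classic side-loading pattern.
    {"Image": r"C:\Users\victim\AppData\Roaming\finder\finder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\finder\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign-looking: unsigned helper DLL beside a vendor binary that lives in
    # Program Files; excluded to keep false positives from normal software down.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def is_sideload_candidate(event: Dict[str, str]) -> bool:
    """Flag an image load when an unsigned DLL is loaded from the same
    directory as the loading executable and that directory is outside the
    locations where installed, signed software normally resides."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus", "").lower() != "valid")
    same_dir = exe_dir == dll_dir
    untrusted_dir = not any(exe_dir.startswith(p) for p in TRUSTED_PARENTS)
    return unsigned and same_dir and untrusted_dir

def find_sideload_candidates(events: List[Dict[str, str]]) -> List[str]:
    """Return the loaded-DLL paths of every event matching the heuristic."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]
```

The heuristic is a triage filter, not proof of compromise: developer workstations and portable applications will trip it, so hits should be reviewed together with the parent process and any follow-on network connections.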
As a fallback, the attackers implant a second piece of malware called "Nebulae", which gathers system information, carries out file-operation commands, and downloads and uploads arbitrary files to and from the C2 server.
Other capabilities of the RainyDay backdoor include file collection, which picks up recently modified files with specified extensions and uploads them to Dropbox; credential harvesting; and various network utility commands, such as NetBIOS scanning and proxying.
Similar malware, called FoundCore, was disclosed by another research firm earlier this month, which noted the similarities in functionality and the shared use of DLL side-loading to execute the backdoor. FoundCore was attributed to a Chinese-speaking threat actor named Cycldek as part of a cyberespionage campaign against the Vietnamese government and its military organizations.