Naikon APT Group is Now Using Nebulae Backdoor

Naikon, a cyberespionage group from China, has been actively employing a new backdoor for multiple cyberespionage operations targeting military organizations in Southeast Asia. The backdoor, identified as Nebulae, is used for gaining persistence on infected systems.

What has been discovered?

At the start of its operations in 2019, the APT used the Aria-Body loader and Nebulae as the first stage of the attack.
Starting in September 2020, the group added the RainyDay backdoor to its toolkit; attribution to Naikon rests on the C2 servers and artifacts used in its attacks.
The group now delivers RainyDay (aka FoundCore) as a first-stage payload and uses it to deploy second-stage malware and tools, including the Nebulae backdoor.

About Nebulae

It can collect logical drive information, manipulate files and folders, download files from and upload files to the C2 server, and list, execute, and terminate processes on infected devices.
In addition, the malware adds a registry key so that the malicious code runs automatically after each reboot, once a user logs in. The actors use it as a backup access point into the victim's environment should their primary foothold be disrupted.

Additional insights

Naikon targeted several organizations located in various countries around the South China Sea, such as Malaysia, Singapore, Indonesia, Thailand, and the Philippines. It focuses on government and military entities.
Bitdefender experts disclosed a long-running campaign linked to the APT group. The group mostly relies on the DLL hijacking technique to execute its malicious code.
It also abuses legitimate software, such as VirusScan (McAfee), Sandboxie COM Services (SANDBOXIE L.T.D), Outlook Item Finder (Microsoft), and Mobile Popup Application (Quick Heal).
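Both behaviours described in this write-up, the Run-key autostart entry used for persistence and the DLL hijacking of legitimate signed executables, leave a recognisable shape in endpoint telemetry. The Python below is an added example written for this page; it is not code from Bitdefender, from the Naikon tooling, or from any of the vendors named above. It runs two simple hunting rules over constructed Sysmon-style events: field names (EventID, TargetObject, Details, Image, ImageLoaded, Signed) follow Sysmon's RegistryEvent and ImageLoad schema, while every path, user name, SID and value in the sample events is invented.

```python
"""Two hunting rules for the behaviours described above, run over constructed
Sysmon-style events (not real telemetry):
  EventID 13 (RegistryEvent, value set): a Run/RunOnce autostart value whose
    target executable lives in a user-writable directory.
  EventID 7  (ImageLoad): an executable loading an unsigned DLL from its own
    directory when that directory is outside the usual trusted program paths,
    the classic DLL side-loading shape.
All paths, user names and values below are invented sample data."""

import ntpath
import re
from dataclasses import dataclass

# Registry autostart locations (matched anywhere in the key path, any hive).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; a Run value pointing here is suspicious.
USER_WRITABLE_RE = re.compile(r"^C:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)
# Locations where vendor DLLs normally live; loads from here are treated as expected.
TRUSTED_DIR_RE = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def exe_path_from_command(command: str) -> str:
    """Return the executable path from a Run value such as '"C:\\x\\a.exe" /flag'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_run_key(event: dict):
    """Flag Run/RunOnce values whose executable sits in a user-writable path."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    exe = exe_path_from_command(event.get("Details", ""))
    if USER_WRITABLE_RE.match(exe):
        return Finding("run_key_user_writable", 13, f"{target} -> {exe}")
    return None


def check_dll_sideload(event: dict):
    """Flag an unsigned DLL loaded from the loading executable's own directory
    when that directory is outside the trusted program locations."""
    if event.get("EventID") != 7:
        return None
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    signed = str(event.get("Signed", "false")).lower() == "true"
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if same_dir and not signed and not TRUSTED_DIR_RE.match(loaded):
        return Finding("unsigned_dll_sideload", 7, f"{image} loaded {loaded}")
    return None


def scan(events):
    """Run every rule over every event and collect the findings."""
    findings = []
    for event in events:
        for rule in (check_run_key, check_dll_sideload):
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two events that should trigger and two that should not.
SAMPLE_EVENTS = [
    {   # autostart value pointing into a user profile directory -> alert
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r'"C:\Users\alice\AppData\Roaming\updater\svc.exe"',
    },
    {   # autostart value for a product installed under Program Files -> benign
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
        "Details": r'"C:\Program Files\Vendor\tray.exe" --minimized',
    },
    {   # vendor executable copied to Temp loading an unsigned DLL beside it -> alert
        "EventID": 7,
        "Image": r"C:\Users\alice\AppData\Local\Temp\vendor\scan.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vendor\helper.dll",
        "Signed": "false",
    },
    {   # the same product loading its own signed DLL from its install directory -> benign
        "EventID": 7,
        "Image": r"C:\Program Files\Vendor\scan.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.event_id}: {finding.detail}")
```

The side-loading rule deliberately ignores loads from under Program Files and Windows to keep noise down; a copy of a legitimate executable dropped into a user profile or Temp directory next to an attacker-supplied DLL is the pattern worth triaging, and the signer of the executable itself (Sysmon's Signature field) is the natural next pivot once a hit is raised.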
