Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs

Pierluigi Paganini April 28, 2021

China-linked APT Naikon employed a new backdoor in multiple cyber-espionage operations targeting military organizations from Southeast Asia in the last 2 years.

The Naikon APT group is a China-linked cyber espionage group that has been active at least since 2010 and that remained under the radar since 2015 while targeting entities in Asia-Pacific (APAC) region. 

Organizations targeted by the group were located in multiple countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand.

The Naikon APT group mainly focuses on high-profile orgs, including government entities and military orgs.

Naikon made large use of DLL hijacking to execute the malicious code, while investigating sideloading techniques Bitdefender experts uncovered a long-running campaign associated with the NAIKON cyberespionage group.

Legitimate software abused by threat actors are:

• ARO 2012 Tutorial 8.0.12.0
• VirusScan On-Demand Scan Task Properties (McAfee, Inc.)
• Sandboxie COM Services (BITS) 3.55.06 (SANDBOXIE L.T.D)
• Outlook Item Finder 11.0.5510 (Microsoft Corporation)
• Mobile Popup Application 16.00 (Quick Heal Technologies (P) Ltd.)

Unlike previous operations carried out by the group, in the latest attack, the APT employed a secondary backdoor, tracked Nebulae, to gain persistence on the infected systems.

“The malicious activity was conducted between June 2019 and March 2021. In the beginning of the operation the threat actors used Aria-Body loader and Nebulae as the first stage of the attack. From our observations, starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit.” reads the report published by Bitdefender.

The attribution to the Naikon threat actor is based on command-and-control servers and artifacts employed in the attacks.

The malware gains persistence by adding a new registry key to automatically execute the malicious code on system restarts after login.

Nebulae supports common backdoor capabilities, including the abilities to collect LogicalDrive information, manipulate files and folders, download and upload files from and to the command-and-control server, list/execute/terminate processes on compromised devices.

“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as backup access point to victim in the case of a negative scenario for actors,” continues Bitdefender.

The Naikon APT also delivered a first-stage payload tracked as RainyDay (aka FoundCore) used to deploy second-stage malware and tools, including the Nebulae backdoor.

The RainyDay backdoor was used to perform reconnaissance, upload its reverse proxy tools and scanners, execute the password dump tools, perform lateral movements, and achieve persistence.

Naikon RainyDay backdoor

The report published by the Bitdefender includes Indicators of Compromise (IoCs) related to the above attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment