Chinese hackers target military organizations in Southeast Asia with a new backdoor. According to Bitdefender, a cybersecurity firm Naikon APT, a threat actor is behind the new cyberespionage campaign. The group is known to adopt procedures such as weaving new backdoors named “Nebulae” and “RainyDay” into their data-stealing missions. The group has been carrying out these particular operations between June 2019 and March 2021.
The researcher discovered the group used the Aria Body loader and Nebulae during the initial stage of the attack. The campaign started in September 2020 included the RainyDay backdoor in their toolkit and the purpose of their operation was cyberespionage and data theft.
The bad actors have known to have close ties with China, it has a track record of targeting government entities in the Asia Pacific (APAC) regions to seek geopolitical intelligence.
After remaining dormant since 2015, the group showed up again in May, when it was spotted using a new backdoor called Aria Body. It was used to stealthily break into networks and leverage the compromised infrastructure as a command-and-control (C2) server to launch new attacks on other organizations.
The researchers at Bitdefender also revealed the group used RainyDay as a primary backdoor to explore, deliver more payloads, perform lateral movement across the network, and exfiltrate sensitive information. The DLL side loading technique was implemented to trigger the backdoor. It is a tried and tested method of loading malicious DLL to hijack the execution flow of a legitimate program such as Outlook Item Finder.
The malware also installed a second implant called Nebulae as a precaution to amass system information, carry out file operations, and download and upload arbitrary files from and to the C2 server.
While the RainyDay backdoor deployed other tools such as a file collector used to pick up recently changed files with specific extensions and upload them to Dropbox, harvest credentials, and a number of networking utilities such as NetBIOS scanners and proxies.
According to Bitdefender researchers, RainyDay seems to be the same malware Kaspersky disclosed earlier this month, with similar functionality and it also used the DLL side loading for execution. The backdoor FoundCore was attributed to a Chinese-speaking actor named Cycldek as part of a cyberespionage campaign directed against government and military organizations in Vietnam.