A suspected Chinese APT group known for targeting government organizations in the Asia Pacific region has been using a new backdoor in recent operations. The backdoor comes in both executable and DLL form and gives the attackers persistence and data exfiltration on target systems.
The backdoor is called Nebulae, and researchers from Bitdefender discovered it while investigating an operation by the Naikon APT group, which has been active for more than 10 years. Naikon is associated with attacks against government agencies in a number of Asian countries, including Indonesia, the Philippines, Vietnam, and Thailand, as well as Australia. The group has used a variety of tools in its operations, but the common throughline in many of them is the presence of the Aria-body backdoor as part of the infection chain. In the recent operations investigated by Bitdefender, Naikon was using Aria-body as well as a different tool Bitdefender calls RainyDay, along with the new Nebulae backdoor.
The campaign Bitdefender tracked stretched from June 2019 through March 2021 and targeted military organizations in Southeast Asia. During the first year or so of the campaign Naikon deployed both Aria-body and Nebulae as the first stage of its infection chain, but later on it began using RainyDay as well. RainyDay uses DLL side-loading as part of its execution routine, a technique in which a malicious DLL that mimics a legitimate Windows DLL is loaded in its place. RainyDay is used to load and install other malicious software and is also used for reconnaissance.
“The persistence mechanism is usually installed manually, as the actor tends to mimic legitimate applications, but in some cases, it is automatically set by the binaries themselves. The intention to hide through the legitimate software was observed during the deployment of exfiltration tools – the sbiedll.dll tool is used to automatically collect files with a given extension and to upload them to Dropbox; the tool masquerades as a Chrome process,” Bitdefender’s new paper on the campaign says.
“The second backdoor, that we call Nebulae, is supposedly used as a measure of precaution to not lose the persistence in case any signs of infection get detected.”
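As an added illustration, not code from the Bitdefender report or the Naikon toolset: a Python heuristic that flags the two behaviours quoted above, a watched DLL such as sbiedll.dll loaded from somewhere other than its legitimate directory (the side-loading pattern) and a process named chrome.exe started from a directory where Chrome is not installed (the masquerading pattern). The allowlisted directories, the assumed home directory for sbiedll.dll and the sample process records are all constructed for this example.

```python
"""Heuristics for the two evasion patterns in the report: a watched DLL
loaded from an unexpected directory (side-loading) and a tool masquerading
as a browser process. Allowlists and events below are constructed."""
from pathlib import PureWindowsPath


def _norm(p: str) -> str:
    # Lower-case, backslash-normalised Windows path for comparisons.
    return str(PureWindowsPath(p)).lower()


def _dirs(*paths: str) -> set[str]:
    return {_norm(p) for p in paths}


# Where the legitimate copy of each watched DLL lives. Assumed inventory
# entry; a real deployment would build this from its own software list.
WATCHED_DLLS = {
    "sbiedll.dll": _dirs(r"C:\Program Files\Sandboxie"),
}
# Where each imitated process name is normally installed (assumption).
EXPECTED_IMAGE_DIRS = {
    "chrome.exe": _dirs(r"C:\Program Files\Google\Chrome\Application",
                        r"C:\Program Files (x86)\Google\Chrome\Application"),
}


def side_loading_findings(event: dict) -> list[str]:
    """Check one process record {"image": exe path, "modules": [dll paths]}
    and return one finding per anomaly (empty list means nothing odd)."""
    findings = []
    image = PureWindowsPath(_norm(event["image"]))
    exe_name, exe_dir = image.name, str(image.parent)
    allowed = EXPECTED_IMAGE_DIRS.get(exe_name)
    if allowed is not None and exe_dir not in allowed:
        findings.append(f"{exe_name} started from unexpected directory {exe_dir}")
    for mod in event["modules"]:
        dll = PureWindowsPath(_norm(mod))
        homes = WATCHED_DLLS.get(dll.name)
        if homes is not None and str(dll.parent) not in homes:
            where = "beside the executable" if str(dll.parent) == exe_dir else str(dll.parent)
            findings.append(f"{dll.name} loaded from {where}, expected {sorted(homes)}")
    return findings


# Constructed sample records: a genuine Chrome start and a masquerading copy
# that side-loads a DLL named sbiedll.dll from its own directory.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "modules": [r"C:\Windows\System32\kernel32.dll"]},
    {"image": r"C:\Users\Public\chrome.exe",
     "modules": [r"C:\Users\Public\sbiedll.dll"]},
]
```

Feeding real process-start telemetry (image path plus loaded modules) into `side_loading_findings` gives one line per anomaly, so the two constructed events above yield no findings for the first and two for the second.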
As part of the analysis of the RainyDay process tree, the researchers discovered a group of binaries that had a string with the word Nebulae in it.
“In this operation, the Nebulae backdoor appears in the form of an executable, as well as a DLL file, the latter form being used mostly for the side-loading technique,” the paper says.
The Nebulae backdoor has a range of capabilities, such as gathering information about the infected machine, moving and deleting files and directories, running processes, and downloading files from and uploading files to the command-and-control (C2) server. The malware communicates with the C2 server over an encrypted connection. In addition to the Nebulae backdoor, Naikon used several separate reverse proxies in the recent campaign.
The Bitdefender research follows up on a previous investigation into Naikon’s operations by Check Point Research last year. The campaign Bitdefender followed shares some infrastructure with previous operations, including some C2 servers.
“Our research confidently points to an operation conducted by the Naikon group based on the extraction of the C&C addresses from Nebulae samples. The particular domain dns.seekvibega.com obtained from such a sample points to the Naikon infrastructure, as previously documented in a Check Point research. Moreover, several C&C addresses in the same component are suspected by ThreatConnect to belong to the Naikon infrastructure (e.g. www.wahatmrjn.com),” the Bitdefender report says.
“We found more compelling evidence to support our hypothesis during the triage of the suspicious files. The results of this process are the identification of a new case of side-loading and three malicious files (obtained from the same machine where we noticed RainyDay and other IOCs) belonging to Aria-Body loader malware family, the family that was previously reported to be used by Naikon.”