Naikon APT, a threat actor, was discovered by Bitdefender following the footprints of its ever-changing tactics to a new backdoor
An extensive cyber espionage campaign targeting military organizations in Southeast Asia for over two years has been identified. According to research published by Bitdefender Labs, the threat actors are state-sponsored, and China is the prime suspect. The malicious activity was found to have been active between June 2019 and March 2021.
**Naikon APT**, the threat actor, was discovered by following the footprints of the ever-changing tactics, techniques, and procedures adopted by the group, including weaving new backdoors named "Nebulae" and "RainyDay" into its data theft mission.
"In the beginning of the operation, the threat actors used the Aria-Body loader and Nebulae as the first stage of the attack," the researchers at Bitdefender wrote in their report.
Starting in September 2020, the threat actors added the RainyDay backdoor to their toolkit. The purpose of the operation was cyberespionage and data theft.
Naikon (aka Override Panda, Lotus Panda, or Hellsing) is the plausible threat actor, given its history of targeting government entities in the Asia-Pacific (APAC) region in search of geopolitical intelligence. After it was first exposed in 2015, Naikon was assumed to have dropped off the radar, but evidence that surfaced in May 2020 contradicted that assumption: the adversary was spotted using a new backdoor called Aria-Body, which broke into networks and turned the compromised infrastructure into command-and-control (C2) servers, operating in full stealth, in preparation for launching additional attacks against other organizations.
RainyDay acted as the primary backdoor in the new attacks identified by Bitdefender. It was used for conducting surveillance, delivering additional payloads, performing lateral movement across the network, and exfiltrating sensitive credentials. RainyDay was executed by leveraging DLL side-loading, a technique commonly used to load malicious DLLs by hijacking the execution flow of a legitimate program, in this case Outlook Item Finder.
The attackers also deployed Nebulae as a second implant, installed as a backup, to collect system information, perform file operations, and download and upload arbitrary files from and to the C2 server. "The second backdoor [...] is supposedly used as a measure of precaution to not lose the persistence in case any signs of infection get detected," according to the researchers at Bitdefender.
The RainyDay backdoor also comes with other tools, such as a file collector that picks up recently changed files with specific extensions and uploads them to Dropbox, a credential harvester, and various networking utilities like NetBIOS scanners and proxies.
Bitdefender also strongly believes that RainyDay is likely the same malware discovered by Kaspersky earlier this month and labeled "FoundCore," citing fundamental similarities in functionality and the shared use of DLL side-loading to achieve execution. That backdoor was attributed to Cycldek, a Chinese-speaking threat actor, as part of a cyberespionage campaign directed against government and military organizations in Vietnam.