
How the Naikon APT Group is using a New Backdoor for Targeting Organizations

by CISOCONNECT Bureau

Naikon, a China-based cyberespionage group, is using the Nebulae backdoor to target organizations. Read on to know more about it…

A new backdoor has been actively used by Naikon, a Chinese cyberespionage group, in numerous cyberespionage operations targeting military organisations in Southeast Asia. The backdoor, dubbed Nebulae, is used to maintain persistence on infected computers.

Between June 2019 and March 2021, Naikon APT engaged in various malicious activities. At the start of the operation in 2019, the Aria-Body loader and Nebulae were used as the first stage of the attack. The APT group began using the RainyDay backdoor in September 2020; the attribution to Naikon is based on the C2 servers and artifacts used in its attacks.

RainyDay (aka FoundCore) is now used by the APT group as a first-stage payload to deploy second-stage malware and tooling, including the Nebulae backdoor. Naikon targeted a number of organisations in countries around the South China Sea, including Malaysia, Singapore, Indonesia, Thailand, and the Philippines, and is mostly concerned with government and military organisations.

Working Mechanism
On infected computers, Nebulae can collect logical-drive information, manipulate files and directories, download and upload files from and to the C2 server, and list, execute, and terminate processes. In addition, the malware creates a registry key that runs the malicious code after every successful login following a reboot. This persistence mechanism gives the attackers a backup access point to the victim in case their primary access is lost.
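The persistence described above is the kind of autorun entry a defender would audit. The following is an added example, not code from the article or from Bitdefender's report: it parses a `reg export` of the Run keys and flags entries whose program lives in a user-writable directory, which is where a copied legitimate executable and a planted side-loading DLL would typically sit. The registry export, the value names and the paths are all constructed sample data, and the assumption that a Run key is the mechanism used is mine.

```python
import re

# Constructed sample export of the Run keys (not real data from the campaign).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"OutlookItemFinder"="C:\\Users\\alice\\AppData\\Roaming\\Finder\\OutlookItemFinder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"VirusScan"="C:\\ProgramData\\McAfee\\Update\\scan.exe"
'''

# Path fragments that indicate a location a normal user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_run_keys(reg_text):
    """Return {(key, value_name): command} for every value under a ...\\Run key."""
    entries, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if key is None or not key.lower().endswith("\\run") or not m:
            continue
        # .reg files escape backslashes and double quotes with a backslash.
        command = re.sub(r'\\(["\\])', r"\1", m.group(2))
        entries[(key, m.group(1))] = command
    return entries


def executable_path(command):
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def suspicious_autoruns(reg_text):
    """List (key, name, path) for Run entries that launch from user-writable dirs."""
    findings = []
    for (key, name), command in parse_run_keys(reg_text).items():
        path = executable_path(command).lower()
        if any(hint in path for hint in USER_WRITABLE_HINTS):
            findings.append((key, name, path))
    return findings


if __name__ == "__main__":
    for key, name, path in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name} -> {path}")
```

Entries in Program Files or system32 are not flagged; a real triage would still verify the signature of the flagged executable and inspect the DLLs sitting next to it.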

Experts from Bitdefender revealed a long-running campaign linked to the APT group. Furthermore, the group primarily employs the DLL hijacking technique to run its malicious code.

VirusScan (McAfee), Sandboxie COM Services (SANDBOXIE L.T.D), Outlook Item Finder (Microsoft), and Mobile Popup Application (Quick Heal) are the legitimate programs misused by the APT group.

The research report published by Bitdefender noted: “The malicious activity was conducted between June 2019 and March 2021. In the beginning of the operation the threat actors used Aria-Body loader and Nebulae as the first stage of the attack. From our observations, starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit.”

“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as backup access point to victim in the case of a negative scenario for actors,” continues Bitdefender.

The RainyDay backdoor was used to conduct surveillance, upload reverse proxy tools and scanners, run password dump tools, perform lateral movement, and achieve persistence. Domain admin credentials stolen at an early stage of the attack were then used for lateral movement. Persistence was usually established manually, with relevant data being exfiltrated to Dropbox.

Bitdefender concluded its research findings: “Our research confidently points to an operation conducted by the Naikon group based on the extraction of the C&C addresses from Nebulae samples. The particular domain dns.seekvibega.com obtained from such a sample points out to the Naikon infrastructure.”

Concluding Words
For the past two years, the Naikon APT group has been quietly running the operation and has conducted several cyberespionage operations. Furthermore, the group has been operating since 2010 and continues to pose a serious threat to a number of military forces in Southeast Asia. As a result, security agencies and experts should keep a close eye on this threat.
