Bitdefender cybersecurity team discovered a new technique while researching DLL hijacking, a malware execution technique popular with threat actors, and sideloading techniques used by attackers in several vulnerable applications. The investigation led to the discovery of a long-running operation of the APT group known as NAIKON. Active for more than a decade, this threat actor likely has ties to China. The APT focuses on high-profile targets such as government agencies and military organizations in the South-Asian countries, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand.
Bitdefender researchers Victor Vrabie Avatar and Bogdan BOTEZATU documented the NAIKON operation using Nebulae in a whitepaper published yesterday. The APT’s updated technique relies on using a secondary backdoor that plays an important role in persistence. Researchers called it Nebulae.
During their investigation, they saw that the victims of this APT were military organizations located in Southeast Asia. The main goals of the campaign were data theft and cyber-espionage, according to the researchers.
The malicious campaign spanned a period between June 2019 and March 2021. The threat actors used Aria-Body loader and Nebulae as the first stage of the attack until about mid-2020. Starting September 2020, the APT added the RainyDay backdoor to their toolkit for this campaign.
Some of the products targeted by threat actors were ARO 2012 Tutorial 220.127.116.11, VirusScan On-Demand Scan Task Properties (McAfee, Inc.), Sandboxie COM Services (BITS) 3.55.06 (SANDBOXIE L.T.D), Outlook Item Finder 11.0.5510 (Microsoft Corporation), and Mobile Popup Application 16.00 (Quick Heal Technologies (P) Ltd.).
The attribution to Naikon by Bitdefender is based on command-and-control servers and artifacts from the attacks.
For more details on Bitdefender’s investigation and its findings, please read the full paper.