Suspected Chinese Hackers Conduct Cyber Espionage With New Backdoor

Suspected Chinese Hackers Conduct Cyber Espionage With New Backdoor

Suspected Chinese threat actors have been waging a cyberespionage war against military organizations in Southeast Asia for two years before being detected, new research from Bitdefender says.

Bitdefender cybersecurity researchers believe a threat actor called “Naikon APT” has been conducting the attacks. Attackers employed various tactics, techniques, and procedures, changing them often, which included spreading the new Nebulae and RainyDay backdoors as part of their data-stealing missions. The campaign has been running since at least June 2019, researchers say. “The purpose of this operation was cyberespionage and data theft.”

At the beginning of the campaign “the threat actors used Aria-Body loader and Nebulae as the first stage of the attack,” the researchers said. Since September 2020, the APT added the RainyDay backdoor in their arsenal. 

Naikon (aka Override Panda, Lotus Panda, or Hellsing) has been involved in many campaigns against government entities in the Asia-Pacific (APAC) region by various groups for geopolitical reasons. 

In the past, it was spotted using a new backdoor called “Aria-Body” in an attempt to break into adversary networks. The malware can be used to leverage the compromised infrastructure as a command-and-control (C2) server and as an attack launchpad.

In the new wave of attacks, Bitdefender identified RainyDay as the primary backdoor that was used in a technique known as DLL side-loading. The actors used it to conduct reconnaissance, deliver additional payloads, and perform lateral movement across the network. They used it to exfiltrate sensitive information, too. 

The operators also installed one more implant called Nebulae that would harvest system information, perform file operations, and download and upload arbitrary files via the C2 server. 

“The second backdoor […] is supposedly used as a measure of precaution to not lose the persistence in case any signs of infections get detected,” the researchers said.

RainyDay backdoor included a file collector that could upload specific files to Dropbox, networking utilities such as NetBIOS scanners, and a credential harvester.


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.