A Chinese hacker group is behind an ongoing cyber espionage campaign targeting government entities in the Asia-Pacific (APAC) region, according to a new report from Check Point Research. The group codenamed “Naikon APT” is reportedly undiscovered for five years of spying organizations in the Philippines, Australia, Thailand, Indonesia, Vietnam, Myanmar, and Brunei.
The researchers stated that the Naikon APT group is active since 2015 carrying out a series of cyberattacks on government entities, including ministries of foreign affairs, science and technology ministries, as well as government-owned companies using a new backdoor dubbed “Aria-body” to operate secretly.
Infection Chain
According to the researchers, the attackers used different infection chains to deliver the Aria-body payload. “We observed a malicious email sent from a government embassy in APAC to an Australian state government, named The Indians Way.doc. This RTF file, which was infected (weaponized) with the RoyalRoad exploit builder, drops a loader named intel.wll into the target PC’s Word startup folder. The loader in turn tries to download and execute the next stage payload from spool.jtjewifyn[.]com,” the researchers said.
The researchers also stated that they found this version of the RoyalRoad malware in the Vicious Panda APT group activities reviewed in March 2020.
Check Point found different infection methods during the investigation. These include:
- An RTF file utilizing the RoyalRoad weaponizer
- Archive files that contain a legitimate executable and a malicious DLL, to be used in a DLL hijacking technique, taking advantage of legitimate executables such as Outlook and Avast proxy, to load a malicious DLL
- Directly via an executable file, which serves as a loader
“Given the characteristics of the victims and capabilities presented by the group, it is evident that the group’s purpose is to gather intelligence and spy on the countries whose Governments it has targeted. This includes not only locating and collecting specific documents from infected computers and networks within government departments, but also extracting data from removable drives, taking screenshots and keylogging, and of course harvesting the stolen data for espionage. And if that wasn’t enough, to evade detection when accessing remote servers through sensitive governmental networks, the group compromised and used servers within the infected ministries as command and control servers to collect, relay and route the stolen data,” the report stated.
