A sophisticated advanced persistent threat (APT) group believed to be operating out of China has been stealthily targeting Southeast Asian governments over the past three years, Bitdefender reports.
The attacker’s infrastructure appears to be active even today, despite many of the command and control (C&C) servers being inactive.
Believed to be state-sponsored, the group was observed using numerous malware families, including the Chinoxy backdoor, PCShare RAT, and the FunnyDream backdoor.
The fact that some of these open-source tools are known to be of Chinese origin and the use of other resources in Chinese led the researchers to the conclusion that the group behind these attacks consists of Chinese speakers.
The attacks appear to have started in 2018, with the activity increasing significantly in early 2019, when more than 200 systems were infected within five months. The attackers strived to maintain persistence within the victim networks for as long as possible.
“Some evidence suggests threat actors may have managed to compromise domain controllers from the victim’s network, allowing them to move laterally and potentially gain control over a large number of machines from that infrastructure,” Bitdefender explains in a report.
For persistence, the adversary employed digitally signed binaries that are leveraged to side-load one of the backdoors into memory. Data of interest is identified and exfiltrated using custom tools.
In 2018, the group was using the Chinoxy backdoor to establish persistence, with the open-source Chinese RAT PcShare being deployed afterwards. A tool called ccf32 was being used for file collection and, starting in 2019, the same tool (along with additional utilities) was being employed in FunnyDream infections.
A command line tool used for data collection, ccf32 can be used to list all files on a hard drive or target specified folders only. It also allows attackers to filter files based on extension, collects files of interest in a hidden folder at the current location, and then adds these files to an archive that is sent to the attackers.
The FunnyDream backdoor is the most complex piece of malware used by the threat actor, delivered to compromised machines mainly as a DLL, but also as an executable in some instances. Some of its capabilities include information gathering and exfiltration, cleaning after itself, evasion detection, and command execution.
The malware contains different components for performing actions such as file collection (Filepak and FilePakMonitor), taking screenshots (ScreenCap), logging keystrokes (Keyrecord), accessing internal networks (TcpBridge), and bypassing network restrictions (TcpTransfer).
A more complex, custom-made backdoor component is Md_client, which is capable of collecting system information, creating a remote shell, listing directories, uploading and downloading files, executing commands, and deleting directories.
During their investigation, Bitdefender’s security researchers discovered that the C&C addresses are hardcoded in the malware binaries and that most of the attackers’ infrastructure is located in Hong Kong, with only three servers elsewhere (in Vietnam, China, and South Korea, respectively).
Related: Chinese APT Uses DLL Side-Loading in Attacks on Myanmar
Related: Chinese Hackers Target Europe, Tibetans With ‘Sepulcher’ Malware
Related: Chinese Threat Actor Uses New MgBot Variant in Attacks on India, Hong Kong