The Naikon APT group is a China-linked cyber espionage group that has been active at least since 2010 and that remained under the radar over the past five years while targeting entities in Asia-Pacific (APAC) region. The threat actor deliver a new backdoor called Aria-body and abuse victims’ infrastructure to carry attacks against other targets.
“Recently Check Point Research discovered new evidence of an ongoing cyber espionage operation against several national government entities in the Asia Pacific (APAC) region.” reads a report published by CheckPoint. “This operation, which we were able to attribute to the Naikon APT group, used a new backdoor named Aria-body, in order to take control of the victims’ networks.”
The activity of the group was detailed in a report published by Kaspersky in 2015, but in the last five years, the group drastically changed its modus operandi to go silent.
Kaspersky linked the group to China’s PLA Unit 78020, a group of Chinese state-sponsored hackers.
In the last years, the APT group targeted government entities, including ministries of foreign affairs, science and technology ministries, as well as government-owned companies.
The group also used compromised infrastructure belonging to various governments within APAC to launch attacks against other targets in the region.
“In one case, a foreign embassy unknowingly sent malware-infected documents to the government of its host country, showing how the hackers are exploiting trusted, known contacts and using those them to infiltrate new organizations and extend their espionage network.” continues the report.
The researchers have detected multiple variants of the backdoor and one of them was recently delivered to the Australian government via a malicious email.
The operations of the group intensified in 2019 and the first months of 2020, the threat actors use exploits attributed to other cyberespionage groups and their C2 infrastructure.
The variant of Aria-body backdoor employed in the attack against the Australian government was delivered via an email from an embassy in the APAC region that was previously hacked by the group.
The message sent by the Naikon APT group used a weaponized Word document, titled “The Indians Way.doc” that was created with the RoyalRoad exploit builder.
Another infection method used by the group leverages archive files that contain a legitimate executable and a malicious DLL, to be used in a DLL hijacking attack against legitimate executables (i.e. Outlook and Avast proxy), to load a malicious DLL. Attackers also delivered the backdoor via an executable file that acts as a loader.
In most recent attacks, threat actors used GoDaddy as the registrar and Alibaba for hosting the C2 infrastructure, they even reused the same IP address with more than one domain.
Earlier this year, the hackers deployed a variant of the Aria-body backdoor on computers belonging to the Philippines Department of Science and Technology. The Aria-body provides access to the target’s network and allows attackers to use the victim’s servers to continue the attack and launch new ones against other targets.
Experts noticed that to remain stealth, attackers’s C2 are make it available only for a few hours a day.
Additional technical details are reported in the analysis published by CheckPoint, including Indicators of Compromise (IoCs).
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – Naikon, hacking)