Chinese Cyberspies have been hacking into Southeast Asian military organizations for a full ten years now. Naikon had their own backdoor access points for a swiss army knife of exploits called Nebulae.
Military grade cybercode
Even military grade anti-virus tools won’t keep governments safe from malicious malware. The China sponsored hacking group Naikon “actively spied on organizations in countries around the South China Sea” like the Philippines, Malaysia, Indonesia, Singapore, and Thailand.
It isn’t something they just accomplished, they had their own passwords since 2010 and knew everything our allies knew.
Naikon has been on hack attack radar and are well known for focusing attacks on high-profile government entities and military orgs.
They pulled it off by abusing “legitimate software to side-load the second-stage malware dubbed Nebulae” Then they achieved “persistence.” Thats what most folks call a backdoor.
security researchers at Bitdefender’s Cyber Threat Intelligence Lab hit the panic button in a threat bulletin published Wednesday.
They detail how the Nebulae malware package “provides additional capabilities allowing attackers to collect system information, manipulate files and folders, download files from the command-and-control server, and execute, list, or terminate processes on compromised devices.” In other words, they can do anything a system administrator can do, in secret. The military isn’t happy to learn it’s been going on since 2010.
Automatic relaunch
One of the funky features of the malware is it’s ability to “gain persistence by adding a new registry key to relaunch automatically on system restarts after login.” Even on military hardware, rebooting doesn’t make it stop.
“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as backup access point to victim in the case of a negative scenario for actors.” By “negative scenario,” they mean “someone discovered the malware and turned it off.”
In order to install the Nebulae features, Naikon had to first infect the machines with “first-stage malware known as RainyDay or FoundCore.” Once those are running, they “deploy second-stage payloads and tools used for various purposes, including the Nebulae backdoor.”
For instance, on the military systems, using “the RainyDay backdoor, the actors performed reconnaissance, uploaded its reverse proxy tools and scanners, executed the password dump tools, performed lateral movement, achieved persistence, all to compromise the victims’ network and to get to the information of interest.” Things like details of setting up THAAD installations in South Korea.
It’s disconcerting to know that virtually every military organization in the pacific rim has been compromised. The experts say the “attackers can also send RainyDay commands over TCP or HTTP to manipulate services, access a command shell, uninstall the malware, [take] and collecting screen captures, and manipulate, download, or upload files.”
Bitdefender is sure they know who they’re after. They “confidently attributed this operation to the Naikon threat actor based on command-and-control servers and malicious payloads belonging to the Aria-Body loader malware family used in the group’s past operations.”