As reported by Bitdefender, a previously undocumented backdoor named Nebulae has been identified in attacks on military organizations in Asia. Chinese cyberspies are targeting South-East Asia.
The cyber-espionage campaign is believed to be operated and funded by the Chinese government and is attributed to Naikon, a hacking group linked to the People’s Liberation Army (PLA). Naikon has consistently spied on large organizations in countries including Australia, Singapore, Thailand, Vietnam, Indonesia, Myanmar and the Philippines.
Naikon is an advanced persistent threat (APT) group that targets large companies, multinationals and similar organizations using a consistent playbook. The group was first publicly reported in 2015, about half a decade ago.
Other researchers believe Naikon has been active for over a decade, attacking large organizations and firms, including military institutions in developed nations.
The most recent campaign attributed to this prolific APT ran for about a year, from June 2019 to May 2020.
How does Naikon work?
The campaign was exposed by researchers at Bitdefender’s Cyber Threat Intelligence Lab. The attackers abuse legitimate software to side-load a first-stage backdoor, which is then used to deploy the second-stage Nebulae backdoor. Two backdoors are therefore involved, one for each stage. They allow the attackers to:
- Collect system details
- Communicate with a command-and-control server
- Download files
- List files and folders
- Execute, list and terminate processes on compromised devices
The backdoor is designed to add a new registry key to gain persistence. The key relaunches the malware after the system restarts and the user logs in.
Victor Vrabie, a researcher at Bitdefender, said:
“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as a backup access point to the victim in the case of a negative scenario for the actors.”
RainyDay / FoundCore: The First-Stage Malware Backdoor
The first-stage backdoor is referred to as RainyDay. Attackers send RainyDay its commands over TCP (Transmission Control Protocol) or HTTP (Hypertext Transfer Protocol). They also use this stage to deploy the Nebulae backdoor and additional payloads, so that access is retained if the first stage is identified.
This first-stage malware is described as a Swiss army knife. It is loaded through DLL hijacking: a legitimate executable side-loads the malicious DLL placed beside it, and the backdoor then executes the operators’ commands.
Vrabie further said: “Using the RainyDay backdoor, the actors performed reconnaissance, uploaded their reverse proxy tools and scanners, executed the password dump tools, performed lateral movement, achieved persistence, all to compromise the victims’ network and to get to the information of interest.”
How can it harm the compromised device?
- Execute system commands.
- Download or upload files.
- Uninstall itself from the host.
- Capture screenshots.
Nebulae: The Second-Stage Malware Backdoor
Naikon drops its payloads as DLLs and relies on side-loading through DLL hijacking: a legitimate, signed application is placed on the victim machine together with a malicious DLL that it loads in place of the expected one. The researchers observed the following legitimate software being abused in this way over the course of the campaign:
- Microsoft Corporation’s Outlook Item Finder
- VirusScanTask Properties, the McAfee, Inc. on-demand scanner
- Quick Heal Technologies Pvt. Ltd.’s Mobile Popup Application
- ARO 2012 Tutorial
- Sandboxie COM Services (BITS)
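The side-loading pattern described above, a trusted signed executable that quietly loads a malicious DLL sitting next to it, is something a defender can hunt for in image-load telemetry. The following is an added example, not Bitdefender’s code or anything from the report: it scores constructed image-load events (the shape Sysmon Event ID 7 or an EDR would record) with two heuristics, a DLL carrying a well-known system DLL name that resolved from outside the system directories, and a signed host loading an unsigned or differently signed DLL from its own directory. The `SYSTEM_DLL_NAMES` set, the file paths and the signer names are all assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which Windows is expected to serve its own DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Illustrative subset (assumption, not taken from the report) of DLL names that
# applications normally resolve from the system directory. A file with one of
# these names placed next to the host executable is the classic DLL
# search-order hijack / side-load set-up.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "userenv.dll", "winmm.dll", "cryptsp.dll",
}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event as Sysmon (Event ID 7) or an EDR would record it."""
    process_path: str
    process_signer: Optional[str]   # None means the file is unsigned
    module_path: str
    module_signer: Optional[str]


def _parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path (works on any host OS)."""
    return str(PureWindowsPath(path).parent).lower()


def classify_load(ev: ImageLoad) -> List[str]:
    """Return the reasons a load looks like side-loading (empty list = benign)."""
    name = PureWindowsPath(ev.module_path).name.lower()
    mod_dir = _parent_dir(ev.module_path)
    proc_dir = _parent_dir(ev.process_path)
    reasons = []
    # 1. A system DLL name resolved from anywhere but the system directories.
    if name in SYSTEM_DLL_NAMES and mod_dir not in SYSTEM_DIRS:
        reasons.append(f"system DLL name {name} loaded from {mod_dir}")
    # 2. A signed host loading an unsigned or differently signed DLL from its
    #    own directory: a trusted executable carrying a foreign DLL beside it.
    if (mod_dir == proc_dir and ev.process_signer is not None
            and ev.module_signer != ev.process_signer):
        reasons.append(
            f"host signed by {ev.process_signer!r} loaded module signed by "
            f"{ev.module_signer!r} from its own directory"
        )
    return reasons


def suspicious_loads(events: List[ImageLoad]) -> List[Tuple[str, List[str]]]:
    """Keep only the events that triggered at least one heuristic."""
    findings = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            findings.append((ev.module_path, reasons))
    return findings


# Constructed sample telemetry for the example (not data from the campaign).
SAMPLE_EVENTS = [
    # Benign: a signed tool resolving version.dll from System32.
    ImageLoad(r"C:\Program Files\VendorTool\vendor_tool.exe", "Vendor Inc",
              r"C:\Windows\System32\version.dll", "Microsoft Windows"),
    # Benign: the same tool loading its own plug-in, signed by the same vendor.
    ImageLoad(r"C:\Program Files\VendorTool\vendor_tool.exe", "Vendor Inc",
              r"C:\Program Files\VendorTool\plugin.dll", "Vendor Inc"),
    # Suspicious: the signed tool copied to a user-writable folder next to an
    # unsigned version.dll, which now wins the DLL search order.
    ImageLoad(r"C:\Users\Public\Updater\vendor_tool.exe", "Vendor Inc",
              r"C:\Users\Public\Updater\version.dll", None),
    # Suspicious: an unsigned helper DLL beside the signed host.
    ImageLoad(r"C:\Users\Public\Updater\vendor_tool.exe", "Vendor Inc",
              r"C:\Users\Public\Updater\helper.dll", None),
]

if __name__ == "__main__":
    for path, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Both heuristics produce noise on real estates (third-party components are often unsigned or signed by someone other than the host’s vendor), so treat a hit as a triage lead and confirm by checking whether the DLL is in a user-writable location and whether the host executable was recently copied there.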
Nebulae can send and receive files and folders, collect information about the drives on the host, execute and terminate processes, and establish persistence on compromised machines. Alongside it the attackers run network scanners and password-dumping tools.
According to Bitdefender, the same execution and deployment technique, involving rdmin.src, was previously used by Cycldek, another China-linked group, and similarities in the side-loading characteristics indicate that the two sets of malware are related.
Bitdefender concluded:
“Our research confidently points to an operation conducted by the Naikon group based on the extraction of the C&C addresses from Nebulae samples. The particular domain dns.seekvibega.com obtained from such a sample points to the Naikon infrastructure.”
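The attribution step Bitdefender describes, pulling C&C addresses out of the samples, looks in its most basic form like the following. This is an added example and not Bitdefender’s tooling: it scans a byte buffer standing in for a sample for printable ASCII and UTF-16LE strings (Windows malware frequently stores its configuration as wide strings, which plain `strings` misses) and filters out domain names and IPv4 addresses, discarding import and file names that merely look like domains. The buffer, the `203.0.113.25` address (from a documentation range) and the function names are constructed for the example; the domain is the one named in the quote above.

```python
import re
from typing import Dict, Iterator, List

MIN_LEN = 6  # shortest string worth keeping

# Printable ASCII runs, and UTF-16LE runs (each printable byte followed by NUL).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Host names: one or more labels, then an alphabetic top-level label.
_DOMAIN = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Dotted-quad IPv4 with each octet in 0-255.
_IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

# Import table entries and file names in a PE look like domains to _DOMAIN.
_NOT_DOMAIN_SUFFIXES = (".dll", ".exe", ".sys", ".pdb", ".ocx", ".ini", ".dat")


def extract_strings(blob: bytes) -> Iterator[str]:
    """Yield ASCII and UTF-16LE strings of at least MIN_LEN characters."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def extract_network_iocs(blob: bytes) -> Dict[str, List[str]]:
    """Return candidate C2 domains and IPv4 addresses found in the blob."""
    domains, ips = set(), set()
    for s in extract_strings(blob):
        for d in _DOMAIN.findall(s):
            if not d.lower().endswith(_NOT_DOMAIN_SUFFIXES):
                domains.add(d.lower())
        ips.update(_IPV4.findall(s))
    return {"domains": sorted(domains), "ips": sorted(ips)}


# Constructed stand-in for a sample: a few PE-like strings, a wide-string C2
# host and an IPv4 address from the TEST-NET-3 documentation range.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00CreateFileW\x00GetProcAddress\x00"
    + b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\x00\x00"
    + "dns.seekvibega.com".encode("utf-16-le") + b"\x00\x00"
    + b"203.0.113.25\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for kind, values in extract_network_iocs(SAMPLE_BLOB).items():
        print(kind, values)
```

On a real sample the interesting strings are usually encrypted or only assembled at runtime, so this static pass is the first, cheap step; the domains it does surface are what get matched against infrastructure already attributed to a group, which is the link Bitdefender draws for dns.seekvibega.com.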