Chinese Naikon APT Rediscovered After New Five-year Stealth Campaign
Naikon, a Chinese APT group that disappeared after its activities were disclosed in 2015, has been rediscovered and may have remained active but unrecognized since the 2015 reports. Researchers have uncovered evidence of a five-year stealth campaign against similar targets in the same geographical area that they believe to be conducted by Naikon.
The key elements of the newer campaign are that it appears to concentrate on geopolitical espionage against national governments including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei; it uses a new and different backdoor (named Aria-body by its authors); it is known to launch ‘trusted’ attacks from one compromised agency against others; and to use compromised servers within ministries as its own C&C servers. The implication is that Naikon’s regional activities did not stop after 2015, but merely changed methodology.
The research started when Check Point detected a malicious email sent from an APAC government embassy to the Australian government. The email was found to carry a weaponized RTF built with the RoyalRoad exploit builder. The RTF dropped a loader named intel.wll into the Word startup folder, which in turn downloaded the next stage payload. This initial infection chain is similar to another, probably Chinese campaign, discovered earlier this year and dubbed Vicious Panda.
“Naikon attempted to attack one of our customers by impersonating a foreign government,” explains Lotem Finkelsteen, manager of threat intelligence at Check Point. “That’s when they came back onto our radar after a five-year absence, and we decided to investigate further. Our research found that Naikon is a highly motivated and sophisticated Chinese APT group.”
This research further discovered two other infection chains being used by the same attackers. The first uses an archive file that contains both a legitimate executable and a malicious DLL used in a DLL hijacking technique. The second is directly via an executable file, which serves as a loader. In all cases the ultimate payload is the previously unknown Aria-body custom-built backdoor. The researchers found Aria-body variants being compiled as early as 2018, and Aria-body loaders going back to 2017.
The loader appears to have been specifically crafted for the Aria-body RAT. It establishes persistence, injects itself into another process (such as rundll32.exe or dllhost.exe), decrypts two blobs, falls back to a domain generation algorithm (DGA) if necessary, contacts the C&C address, retrieves and decrypts the Aria-body DLL, and loads and executes an exported function of the DLL.
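Two of the observables above lend themselves to endpoint detection: a .wll add-in written into the Word STARTUP folder (the intel.wll loader from the RTF chain) and the loader injecting into rundll32.exe or dllhost.exe. The following is an added example, not code from Check Point or the article; it runs simple rules over constructed Sysmon-style records (event ID 11 FileCreate, event ID 8 CreateRemoteThread) and flags remote threads into those hosts only when the source image lives in a user-writable path, which is a starting heuristic to tune rather than a finished rule.

```python
"""Added detection example for the Naikon/Aria-body loader chain described above.
The events below are constructed, Sysmon-style records, not real telemetry."""
import re

# Real Sysmon event IDs: 11 = FileCreate, 8 = CreateRemoteThread.
FILE_CREATE = 11
CREATE_REMOTE_THREAD = 8

# Word auto-loads *.wll add-ins from %APPDATA%\Microsoft\Word\STARTUP or the
# per-machine Office<N>\STARTUP folder; a .wll appearing there is rare and worth a look.
WORD_STARTUP_WLL_RE = re.compile(
    r"\\(Microsoft\\Word|Office\d+)\\STARTUP\\[^\\]+\.wll$", re.IGNORECASE
)
# Paths an unprivileged user can write to; legitimate injectors rarely live here.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData)\\", re.IGNORECASE)
INJECTION_HOSTS = {"rundll32.exe", "dllhost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(evt: dict):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    eid = evt.get("EventID")
    if eid == FILE_CREATE:
        target = evt.get("TargetFilename", "")
        if WORD_STARTUP_WLL_RE.search(target):
            return f"wll_in_word_startup: {evt.get('Image')} wrote {target}"
    elif eid == CREATE_REMOTE_THREAD:
        src = evt.get("SourceImage", "")
        tgt = evt.get("TargetImage", "")
        if basename(tgt) in INJECTION_HOSTS and USER_WRITABLE_RE.match(src):
            return f"remote_thread_into_{basename(tgt)}: from {src}"
    return None


def scan(events):
    """Apply check_event to every record and keep the findings, in input order."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events: one benign and one suspicious of each kind.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\dllhost.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The file-create rule is the higher-confidence of the two; the injection rule trades precision for coverage and should be paired with process-lineage data (which process spawned the injector) before it is used for alerting.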
The RAT’s functionality is fairly standard, but varies between variants. For example, a keylogger and a reverse SOCKS proxy were added at some point before February 2018, while an extension-loading module was added by December 2019. The RAT starts by gathering data on the compromised system: hostname, computer name, username, domain name, Windows version, processor speed (~MHz), MachineGuid, whether the system is 64-bit, and public IP (using checkip.amazonaws.com).
Communication with the C&C is either HTTP or TCP, and the gathered data — zipped and password protected — is sent with the password to the C&C. Aria-body then keeps listening to the C&C for further commands, which are received and executed.
Attribution of the campaign to the Naikon group isn’t based simply on the similarity to the targets described by Kaspersky in 2015. The earlier campaign used a RAT supporting 48 commands that Check Point refers to as XsFunction. Check Point Research found several overlaps between the two RATs, such as identical debug strings. Both RATs use the same hashing function (djb2), and some functions are identical between the two. There is even an infrastructure overlap: four of the C&C servers shared IP addresses with a domain that resolves to the same IP as a domain reported by Kaspersky in 2015.
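The shared djb2 hash is the kind of overlap an analyst can check directly. The following is an added example, not code from the article or from Check Point: it implements the classic djb2 (h = h * 33 + c, seed 5381) and its common xor variant, builds a reverse-lookup table over a candidate word list, resolves 32-bit constants pulled from two samples, and reports the constants the samples share. The article does not say what Aria-body hashes; the assumption here that the constants are hashes of Windows export names, and the constants themselves, are constructed for the demonstration.

```python
"""Added analyst helper: djb2 reverse lookup and cross-sample constant comparison.
Candidate strings and sample constants are constructed for this demo."""

MASK32 = 0xFFFFFFFF


def djb2(s: str, seed: int = 5381) -> int:
    """Classic djb2: h = h * 33 + c over the bytes of s, truncated to 32 bits."""
    h = seed
    for b in s.encode("ascii"):
        h = ((h << 5) + h + b) & MASK32
    return h


def djb2_xor(s: str, seed: int = 5381) -> int:
    """The equally common xor variant (h = (h * 33) ^ c); try both when resolving."""
    h = seed
    for b in s.encode("ascii"):
        h = (((h << 5) + h) ^ b) & MASK32
    return h


VARIANTS = {"djb2": djb2, "djb2_xor": djb2_xor}


def build_table(candidates):
    """Map (variant name, hash value) -> candidate string for every variant."""
    table = {}
    for name in candidates:
        for vname, fn in VARIANTS.items():
            table[(vname, fn(name))] = name
    return table


def resolve(constants, table):
    """Return {constant: (variant, string)} for the constants that resolve."""
    resolved = {}
    for c in constants:
        for vname in VARIANTS:
            hit = table.get((vname, c))
            if hit is not None:
                resolved[c] = (vname, hit)
                break
    return resolved


def shared_constants(sample_a, sample_b):
    """Constants present in both samples, regardless of whether they resolve."""
    return sorted(set(sample_a) & set(sample_b))


# Assumed candidate list (a handful of Windows export names); a real run would
# feed the export tables of the DLLs the sample imports.
CANDIDATES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
              "CreateFileW", "WriteFile", "ReadFile"]

# Constructed constants standing in for values extracted from two samples;
# 0x12345678 is a deliberate non-resolving value.
SAMPLE_A = [djb2("LoadLibraryA"), djb2("GetProcAddress"), djb2("VirtualAlloc"), 0x12345678]
SAMPLE_B = [djb2_xor("LoadLibraryA"), djb2("GetProcAddress"), djb2("CreateFileW")]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        for c, (variant, name) in resolve(sample, table).items():
            print(f"sample {label}: 0x{c:08x} -> {name} ({variant})")
    print("shared:", [f"0x{c:08x}" for c in shared_constants(SAMPLE_A, SAMPLE_B)])
```

Shared resolved names are weak evidence on their own, since many families hash the same imports; the stronger signal in the article is identical hashing code plus identical debug strings and functions, which a lookup like this only helps confirm.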
Naikon appears to be a little known but persistent Chinese APT group. In 2015, a five-year campaign was exposed. Five years later, another five-year campaign has been exposed — implying that Naikon has been quietly operational for at least the last ten years. “While the Naikon APT group has kept under the radar for the past 5 years,” concludes Check Point Research, “it appears that they have not been idle. In fact, quite the opposite. By utilizing new server infrastructure, ever-changing loader variants, in-memory fileless loading, as well as a new backdoor — the Naikon APT group was able to prevent analysts from tracing their activity back to them.”
Finkelsteen adds, “What drives them is their desire to gather intelligence and spy on countries, and they have spent the past five years quietly developing their skills and introducing a new cyber-weapon with the Aria-body backdoor. To evade detection, they were using exploits attributed to lots of APT groups, and uniquely using their victims’ servers as command and control centers.”
Having been found again, it will be interesting to see whether Naikon again disappears, to reemerge at some point in the future with a new attack methodology using new tools against the same APAC governments.