Over the last three years, Bitdefender says, a specialised advanced persistent threat (APT) organisation suspected to be working out of China has been stealthily attacking Southeast Asian governments.
Even now, despite much of the command and control (C&C) servers being offline, the attacker’s system continues to be operational.
The community was detected utilising various malware families, like the Chinoxy backdoor, PCShare Rodent, and the FunnyDream backdoor, suspected to be state-sponsored.
The fact that some of these open-source instruments are considered to be of Chinese origin and the use of other Chinese tools led the researchers to believe that there are Chinese speakers in the community behind these attacks.
The attacks tend to have began in 2018, with the activity rapidly increasing at the beginning of 2019, as more than 200 devices were compromised within five months. The offenders sought to preserve cohesion within the victim networks for as long as possible.
“Some evidence indicates that threat actors may have managed to compromise domain controllers from the network of the victim, enabling them to step sideways and likely take control of a significant number of machines from that infrastructure,” states Bitdefender in a paper.
The adversary employed digitally signed binaries for persistence, which are leveraged to side-load one of the backdoors into memory. Using custom instruments, data of interest is detected and exfiltrated.
In 2018, to create persistence, the community used the Chinoxy backdoor, after which the open-source Chinese RAT PcShare was deployed. For file collection, a tool named ccf32 was used and the same tool was used for FunnyDream infections beginning in 2019 (along with additional utilities).
Ccf32, a command line tool used to gather data, will only list all files on a hard drive or target defined directories. It also helps attackers to philtre extension-based files, gather files of interest at the current position in a secret folder, and then link those files to an archive that is sent to the attackers.
The backdoor of FunnyDream is the most nuanced piece of malware utilised by the threat actor, distributed predominantly as a DLL but even as an executable in certain instances to compromised computers. Some of its capabilities include collection and exfiltration of data, cleaning after itself, identification of evasion, and execution of commands.
The malware includes various components for performing actions, such as capturing files (Filepak and FilePakMonitor), taking snapshots (ScreenCap), logging keystrokes (Keyrecord), entering internal networks (TcpBridge), and bypassing network limits (TcpTransfer).
Md client, which is able to collect device details, build a remote shell, list folders, upload and download data, execute commands, and uninstall directories, is a more complicated, custom-made backdoor part.
Bitdefender’s security researchers found during their investigation that the C&C addresses are hardcoded in the malware binaries and that much of the infrastructure of the attackers is based in Hong Kong, with just three servers overseas (in Vietnam, China and South Korea, respectively).