The Patriot Files Forums  

04-29-2021, 04:34 AM
Boats
Senior Member

Join Date: Jul 2002
Location: Chicago, IL
Posts: 19,178
Chinese Hackers Attacking Military Organizations With New Backdoor

Chinese Hackers Attacking Military Organizations With New Backdoor
By: Ravie Lakshmanan - The Hacker News - 04-29-21

NOTE: Cybersecurity researchers on Wednesday exposed a new cyberespionage campaign targeting military organizations in Southeast Asia.

Attributing the attacks to a threat actor dubbed "Naikon APT," cybersecurity firm Bitdefender laid out the ever-changing tactics, techniques, and procedures adopted by the group, including weaving new backdoors named "Nebulae" and "RainyDay" into their data-stealing missions. The malicious activity is said to have been conducted between June 2019 and March 2021.

"In the beginning of the operation the threat actors used Aria-Body loader and Nebulae as the first stage of the attack," the researchers said. "Starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit. The purpose of this operation was cyberespionage and data theft."

Alleged to be tied to China, Naikon (aka Override Panda, Lotus Panda, or Hellsing) has a track record of targeting government entities in the Asia-Pacific (APAC) region in search of geopolitical intelligence. While initially assumed to have gone dark since 2015, evidence emerged to the contrary last May when the adversary was spotted using a new backdoor called "Aria-Body" to stealthily break into networks and leverage the compromised infrastructure as a command-and-control (C2) server to launch additional attacks against other organizations.

[Figure: "Tools executed by RainyDay backdoor"]
[Figure: The loading of Nebulae as vsodscpl.dll]

The new wave of attacks identified by Bitdefender employed RainyDay as the primary backdoor, with the actors using it to conduct reconnaissance, deliver additional payloads, perform lateral movement across the network, and exfiltrate sensitive information. The backdoor was executed by means of a technique known as DLL side-loading, which refers to the tried-and-tested method of loading malicious DLLs in an attempt to hijack the execution flow of a legitimate program like Outlook Item Finder.

As an extra precaution, the malware also installed a second implant called Nebulae to amass system information, carry out file operations, and download and upload arbitrary files from and to the C2 server. "The second backdoor [...] is supposedly used as a measure of precaution to not lose the persistence in case any signs of infections get detected," the researchers said.

Other tools deployed by the RainyDay backdoor include a tool that picks up recently changed files with specific extensions and uploads them to Dropbox, a credential harvester, and various networking utilities such as NetBIOS scanners and proxies.

What's more, Bitdefender said RainyDay is likely the same malware that Kaspersky disclosed earlier this month, citing similarities in the functionality and the use of DLL side-loading to achieve execution. Called "FoundCore," the backdoor was attributed to a Chinese-speaking actor named Cycldek as part of a cyberespionage campaign directed against government and military organizations in Vietnam.


Personal note: It seems our security is really lacking, as we are constantly being hacked by foreigners! Why is that!?

O Almighty Lord God, who neither slumberest nor sleepest; Protect and assist, we beseech thee, all those who at home or abroad, by land, by sea, or in the air, are serving this country, that they, being armed with thy defence, may be preserved evermore in all perils; and being filled with wisdom and girded with strength, may do their duty to thy honour and glory; through Jesus Christ our Lord. Amen.
