Published on May 7th, 2020 📆 | 5422 Views ⚑0
New ‘Aria-body’ backdoor gets advanced hackers back in the spy game
An advanced hacker group running cyber-espionage campaigns since at least 2010 has been operating stealthily over the past five years. They deliver a new backdoor called Aria-body and use victims’ infrastructure to carry attacks against other targets.
Multiple variants of the malware have been discovered and one of them was recently delivered to the Australian government via a malicious email.
A rare sight
Behind this action is Naikon APT (advanced persistent threat), a Chinese-speaking adversary that was publicly documented for the first time in 2015, although some of its tools, like Rarstone, had been been detected and analyzed before.
In a report in September 2015, Threat Connect and Defense Group associated this adversary with China’s Army Unit 78020 and exposed one of its members.
Naikon disappeared from the public limelight after being exposed but security researchers at Check Point found that the group continued to operate using tactics, techniques, and procedures that kept them under the radar.
Its area of interest remains the Asia Pacific (APAC) region. Targets include ministries of foreign affairs, science and technology in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. Government-owned companies are also on the list.
Lotem Finkelsteen of Check Point says that “Naikon is a highly motivated and sophisticated Chinese APT group” that spent the last five years honing their skills and creating new malware like the Aria-body backdoor.
The group accelerated their attacks in 2019 and the first quarter of 2020, using exploits attributed to other APT groups and their victims’ server as command and control (C2) servers.
Naikon’s tactics, techniques and procedures
In research published today, Check Point says that a variant of Aria-body backdoor delivered to the Australian government came via an email from an embassy in the APAC region. The sender had likely been hacked to exploit the relation with the target.
The message contained a malicious Microsoft Word file (“The Indians Way.doc”) with code that downloaded a malware designed to retrieve and install the final payload from an external location. The weaponized document was created using the RoyalRoad exploit builder.
Another method Naikon uses involves archives with a legitimate executable (e.g. old Outlook, Avast proxy) that sideloads a malicious DLL to deliver the payload. A more direct method is the use of a malware dropper. Below are examples of the three techniques seen by Check Point:
Earlier this year, the threat actor planted a variant of the Aria-body backdoor on computers belonging to the Philippines Department of Science and Technology.
The payload came from an IP in the country and was configured with two command and control (C2) servers. One acted as a backup and its IP is associated with a Philippine government website that is currently down.
The Aria-body delivery chain observed by the researchers can be summarized by the following pattern:
- Crafting an email and document posing as official government communication with information of interest to the target; the info is based on public sources or proprietary data stolen from other compromised systems.
- Weaponizing the document with a downloader for Aria-body that provides access tot he target’s network.
- Use the victim’s own servers to continue the attack and launch new ones against other targets of interest
Check Point labeled Aria-body a sophisticated backdoor that can locate and collect specific documents from compromised systems and networks.
In the first stage, the malware runs reconnaissance activity on the machine, gathering data about the infected computer, its network, Windows version, CPU, architecture, and public IP (runs a check on checkip.amazonaws.com).
The malware can then be used to search for files by name, indicating that the threat actor knows what they’re after, as well as steal data from removable drives. Other capabilities include taking screenshots and logging key strokes.
According to the researchers, some variants of the malware were compiled in 2018 while loaders associated with it were observed a year before.
The downloader for the backdoor establishes persistence on the system, injects itself in another process, gets the backdoor from the C2 and executes it on the compromised host.
To limit exposure of the C2, the attackers make it available only for a few hours a day. This makes it more difficult for researchers to get access to the more advanced parts of the infection chain.
Aria-body has both a 32-bit and a 64-bit variant, with similar functionality. Some modules, like keylogging and stealing from USB drives, are present only in some samples, the researchers say.
Check Point’s research highlights that while Naikon appeared to be idle or shut down for the past five years the threat actor actually regrouped with new infrastructure, loader variants, and a new backdoor. This allowed them to operate undetected a long-running campaign that is still ongoing.
The report dives deep in technical details that enable the researchers to connect the dots with past research, attribute the campaigns to Naikon, and to expand knowledge of this threat actor’s toolset and actions.