Recent investigations have revealed that a sophisticated group of Chinese hackers, known as ‘Naikon APT,’ has been executing a prolonged cyber espionage campaign targeting various governmental entities across Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. This campaign, which has remained undetected for a minimum of five years, continues to pose a significant threat.
Once considered one of the most active advanced persistent threat (APT) groups in Asia until 2015, Naikon APT has recently resurfaced, exploiting geopolitical tensions to gather sensitive intelligence through a series of strategic cyberattacks. A report shared by Check Point researchers highlighted that rather than fading into obscurity, the group has transitioned to utilizing a new backdoor, dubbed “Aria-body,” to continue its operations covertly.
The researchers indicated that the characteristics of the targeted victims, combined with the group’s capabilities, strongly suggest an intent to surveil and collect intelligence on the governments involved. For example, the Aria-body backdoor facilitates not only unauthorized access to internal networks but also enables attackers to launch further invasions from compromised organizations.
The backdoor’s functionalities include extracting specific documents, accessing removable data drives, capturing screenshots, keylogging, and exfiltrating stolen data for espionage purposes. Combining network access with these collection features increases the threat actor’s operational effectiveness.
Initially documented in 2015, Naikon APT uses carefully crafted email lures as its gateway into high-level government agencies and military organizations. Recipients who open these emails have malware installed that siphons sensitive documents to remote command-and-control (C2) servers. Despite a hiatus in reported activity over the last five years, Check Point’s recent findings have shed light on the group’s continued operations.
A noteworthy incident involved Naikon impersonating a foreign government in an attempted attack against one of Check Point’s clients, prompting a renewed investigation into their activities. The campaign reveals a complex infection strategy utilizing an RTF file named “The Indians Way.doc,” which exploits vulnerabilities in Microsoft Word to facilitate malware deployment.
A sophisticated exploit builder known as RoyalBlood, used primarily by Chinese threat actors, is the tool of choice for crafting such malicious documents. This methodology is reminiscent of similar attacks aimed at Mongolian government agencies during the COVID-19 pandemic. In a second delivery method, Naikon packages the loader in an archive together with a legitimate executable so that the loader is placed on the targeted system.
The loader subsequently establishes a connection with a C2 server, downloading the payload for the Aria-body backdoor. The researchers noted that the attackers’ operational methods involve limited online activity for their C2 servers, complicating detection efforts.
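The lure described above was an RTF document delivered under a .doc name. The following triage check, an added example rather than code from Check Point or the article, compares a file’s declared extension with its real container format and flags the mismatch for analyst review; the sample inputs are constructed, not real malware, and the signature table is an assumption based on the standard Word container formats.

```python
# Added example (not from the article or the Check Point report): flag documents
# whose extension (.doc) does not match their actual container format (RTF),
# the delivery trick used by the "The Indians Way.doc" lure described above.
import os

# Magic bytes of the document containers Word will open (constructed table).
SIGNATURES = {
    b"{\\rtf": "rtf",                                  # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",      # legacy binary .doc
    b"PK\x03\x04": "ooxml",                            # .docx (ZIP container)
}

# Container formats that legitimately carry each extension.
EXPECTED = {".doc": {"ole2"}, ".docx": {"ooxml"}, ".rtf": {"rtf"}}


def detect_format(data: bytes) -> str:
    """Return the container format implied by the file's leading bytes."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def classify_document(filename: str, data: bytes) -> dict:
    """Compare declared extension with detected format; Word opens RTF content
    under a .doc name without complaint, so the mismatch is a triage signal,
    not a verdict."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = detect_format(data)
    expected = EXPECTED.get(ext)
    return {
        "filename": filename,
        "extension": ext,
        "format": fmt,
        "mismatch": expected is not None and fmt not in expected,
        # RTF "\object" groups embed OLE objects; a count helps prioritise review.
        "embedded_objects": data.count(b"\\object") if fmt == "rtf" else 0,
    }


# Constructed samples: an RTF body saved as .doc (mirroring the lure), a genuine
# OLE2 .doc header, and an honestly named RTF file.
SAMPLES = {
    "The Indians Way.doc": b"{\\rtf1\\ansi {\\object\\objemb {\\*\\objdata 00}}}",
    "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "notes.rtf": b"{\\rtf1\\ansi Meeting notes}",
}


def triage(samples: dict) -> list:
    """Return only the documents whose extension and format disagree."""
    results = (classify_document(n, d) for n, d in samples.items())
    return [r for r in results if r["mismatch"]]
```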
The Aria-body remote access Trojan (RAT) exhibits all the standard characteristics associated with backdoors, allowing for file manipulation, screenshot capture, system information collection, and more. Recent iterations also demonstrate enhanced capabilities for keylogging and extensibility, indicating that the backdoor is actively being developed.
In gathering intelligence, the backdoor not only exfiltrates collected data to the C2 server but also retains an ongoing capability to execute additional commands. Analysis of the C2 infrastructure indicated that several domains share the same IP address, hinting at organized operational tactics.
Furthermore, the group exhibits advanced evasion techniques by repurposing servers within infiltrated ministries as C2 nodes, enabling attacks to be launched while minimizing the risk of detection by external monitoring systems.
Check Point corroborated their attribution of this espionage campaign to Naikon APT through evident code similarities between Aria-body and the previously reported espionage tool “XSControl.” This investigation underscores that while Naikon APT maintained a low profile over the past five years, their operations have evolved significantly.
By leveraging new infrastructural methods, innovative loaders, and an updated backdoor, Naikon APT continues to challenge cybersecurity defenses, demonstrating the necessity for heightened vigilance among business owners concerning cyber threats.