7 min read

Abusing Legitimate Software to Avoid Detection – ‘NAIKON’ APT Caught Running Cyber-Espionage Campaign Against Asian Military Organizations

Filip Truta

May 13, 2021

Abusing Legitimate Software to Avoid Detection – ‘NAIKON’ APT Caught Running Cyber-Espionage Campaign Against Asian Military Organizations

Advanced Persistent Threat (APT) groups are at the heart of today’s cyber-espionage efforts. Unlike one-off hackers, APTs distinguish themselves through novel attack techniques, cunning lateral movement across the victim’s infrastructure, swift malware deployment, efficient data exfiltration and – perhaps most importantly – stealthy operation to avoid detection by cybersecurity tools.

Bitdefender is proud to publish the results of an investigation into the notorious APT group known as NAIKON, whose recent campaigns focused on stealing data from military organizations in South Asia.

DLL Hijacking – obtaining code execution in trusted apps

More than a decade after NAIKON emerged, its modus operandi remains unchanged. The threat actors abuse legitimate software to fly under the radar in what is known as ‘DLL hijacking.’

Windows applications rely on DLL (Dynamic Library Link) files to import existing functionality or to reuse specific Windows elements without having to constantly “re-invent the wheel.”This applies to file manipulation, invoking graphical elements, and performing other operations. This functionality is brought into the app by simply referencing the appropriate DLL file.

DLLs are called when the app starts up, and later, as needed. Apps attempt to “discover” a DLL by looking it up in specific file paths (the application directory, the system directory System32, the System folder, the Windows directory and ultimately the current directory in a pre-determined order).

This part is key, from the attacker’s perspective. An attacker can replace a system or application DLL with one that contains malware by simply copying it on these paths. When the legitimate application loads the DLL, it automatically executes the harmful code.

DLL hijacking lets attackers bypass potential white-listing technologies because the malicious code runs in the process of a known, trusted app. It also allows a piece of malware with limited permissions to run with a higher security clearance. Another ‘benefit’ is that malicious traffic is less likely to be flagged or blocked by firewalls, given that the traffic technically belongs to the trusted app as well.

NAIKON’s latest malicious activity was conducted between June 2019 and March 2021, with NAIKON using the Aria-Body loader and a backdoor we named Nebulae as the first stage of the attack. What we call Nebulae is actually a second backdoor supposedly used as a precaution to not lose persistence in case any sign of infection is detected. Starting in September 2020, the threat actors included the RainyDay backdoor in their toolkit.

Legitimate software abused by NAIKON includes:

  • ARO 2012 Tutorial
  • VirusScan On-Demand Scan Task Properties (McAfee, Inc.)
  • Sandboxie COM Services (BITS) 3.55.06 (SANDBOXIE L.T.D)
  • Outlook Item Finder 11.0.5510 (Microsoft Corporation)
  • Mobile Popup Application 16.00 (Quick Heal Technologies (P) Ltd.)

Technical details about the toolset used in the kill chain are provided in our latest Bitdefender Labs blog entry, New Nebulae Backdoor Linked with the NAIKON Group. For example, the diagram below shows how the actors used the RainyDay backdoor to perform reconnaissance, upload its reverse proxy tools and scanners, execute the password dump tools, move laterally and achieve persistence, all to compromise the victim’s network and get to the information of interest.


Fortify your endpoint security with the MITRE ATT&CK framework

Bitdefender uncovered this campaign while investigating sideloading techniques in vulnerable applications. The diagram below shows how our GravityZone EDR suite responds to this type of threat at every step in the attack scenario. Even if the attack is detected past the execution stage, our solution generates MITRE alerts relative to the attackers’ moves, leaving no stones unturned and giving IT teams all the leverage they need to stop the attack from unfolding.


Bitdefender’s security stack leverages the MITRE ATT&CK framework to detect and block APT-style attacks at multiple steps in the attack chain. Our Anti-Malware technology successfully detects malicious payloads, while our HyperDetect technology leverages finely tuned machine learning models to catch new and unknown malware. Dynamic detection technologies like Advanced Threat Control (ATC) and Sandbox Analyzer help detect threats even if they are designed to keep a low profile (i.e. if they detect they’re running in a protected environment). And with Network Attack Defense, Bitdefender can detect network attack techniques.

With the commoditization of APT-as-a-service, organizations big and small must expand their threat models so they can detect APT-style attacks. This means your security stack must be able to reveal the full intent and scale of an attack.

Bitdefender enables organizations to contend with APT-style attacks with GravityZone Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) services that apply the MITRE ATT&CK framework to identifying and remediating security incidents throughout the entire attack kill chain.

Download the full research paper: NAIKON – Traces from a Military Cyber-Espionage Operation



Filip Truta

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.

View all posts

You might also like