A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions

Victor VRABIE, Liviu ARSENE

November 16, 2020

Bitdefender researchers have recently investigated a complex and targeted espionage attack on potential government sector victims in South East Asia, carried out by a sophisticated Chinese APT group. The operation dates back to late 2018, with current forensic evidence following the attack timeline up to 2020.

This research focuses on dissecting an APT attack and providing a full report on the tools, tactics and techniques used by the sophisticated group during the attack.

While the incident has been mentioned by other security researchers, Bitdefender’s investigation focuses on offering a detailed timeline of the attack by piecing all the forensic evidence together and creating a case study example. The report also provides a technical analysis of the tools used in this targeted attack and of how the components were tied to each other.

The attack relies on a complex and complete arsenal of droppers, backdoors and other tools, including the Chinoxy backdoor, PcShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor. Some of these open source Remote Access Trojans (RATs) are known to be of Chinese origin, and some other resources are set to Chinese. The FunnyDream backdoor is far more complex than the others, implementing a wide range of persistence mechanisms and a large number of droppers, which suggests it is custom-made.

Key Findings:

  • Potential Chinese APT group targeting a South East Asian government
  • Persistence through digitally signed binaries vulnerable to side-loading a backdoor into memory
  • Extensive custom toolset for data exploration and exfiltration
  • Three backdoors used (Chinoxy, PcShare, FunnyDream)
  • Potentially compromised domain controllers, gaining control over the victim’s network
  • First detailed timeline of this attack and the tools, tactics and techniques used
  • Around 200 machines showed signs of having various tools associated with the APT group

Download the whitepaper
