A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions

November 16, 2020

Promo Protect all your devices, without slowing them down.
Free 30-day trial

A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions

Bitdefender researchers have recently investigated a complex and targeted espionage attack on potential government sector victims in South East Asia, carried out by a sophisticated Chinese APT group. The operation dates back to late 2018, with current forensic evidence following the attack timeline up to 2020.

This research focuses on dissecting an APT attack and providing a full report on the tools, tactics and techniques used by the sophisticated group during the attack.

While the incident has been mentioned by other security researchers, Bitdefender’s investigation focuses on offering a detailed timeline of the attack by piecing all the forensic evidence together and creating a case study example. The report also provides a technical analysis of the tools used in this targeted attack and how the components were tied to each other

The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PCShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor. Some of these open source Remote Access Trojans (RATs) are known to be of Chinese origin, along with some other resources set to Chinese. The FunnyDream backdoor is far more complex than the others, implementing a wide range of persistence mechanism and a large number of droppers, suggesting it’s custom-made.

Key Findings:

Potential Chinese APT group targeting a South East Asian government
Persistence through digitally signed binaries vulnerable to side-loading a backdoor into memory
Extensive custom toolset for data exploration and exfiltration
Three backdoors used (Chinoxy, PcShare, FunnyDream)
Potentially compromised domain controllers, gaining control over the victim’s network
First detailed timeline of this attack and the tools, tactics and techniques used
Around 200 machines showed signs of having various tools associated with the APT group

Download the whitepaper

Author

Victor VRABIE

Victor VRABIE is a security researcher at Bitdefender Iasi, Romania. Focusing on malware research, advanced persistent threats and cybercrime investigations, he's also a graduate of Computer Sciences.

View all posts

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past few years.

View all posts