Check Point: Naikon is back with a new malware, the Aria-body backdoor. The China-linked APT launched a fresh cyber espionage campaign against several APAC governments
Naikon APT has launched a fresh cyber espionage operation against several national government entities in the Asia Pacific (APAC) region. The operation was discovered by Check Point cyber security experts. The China-linked malicious hackers use a new malware, a backdoor named Aria-body, to take control of the victims' networks. The targeted government entities include ministries of foreign affairs, science and technology ministries, as well as government-owned companies. The group has been observed expanding its footholds on the various governments within APAC by launching attacks from one government entity that has already been breached in an attempt to infect another. In one case, a foreign embassy unknowingly sent malware-infected documents to the government of its host country, showing how the hackers exploit trusted, known contacts and use them to infiltrate new organizations and extend their espionage network.
The cyber security experts: the malicious hackers aim to gather intelligence and spy on the targeted countries, and deliver the malware through several different infection chains
According to the cyber security experts, Naikon's objective is to gather intelligence and spy on the countries whose governments it has targeted. This includes not only locating and collecting specific documents from infected computers and networks within government departments, but also extracting data from removable drives, taking screenshots and keylogging, and of course harvesting the stolen data for espionage. And if that wasn't enough, to evade detection when accessing remote servers from sensitive governmental networks, the China-linked group compromised servers within the infected ministries and used them as command and control servers to collect, relay and route the stolen data. Moreover, the malicious hackers rely on several different infection chains to deliver the Aria-body malware:
- An RTF file built with the RoyalRoad weaponizer;
- Archive files containing a legitimate executable and a malicious DLL, used in a DLL hijacking technique: legitimate executables such as Outlook and the Avast proxy are abused to load the malicious DLL;
- An executable file delivered directly, which serves as a loader.
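The second infection chain above (a legitimate, signed executable dropped next to a malicious DLL so that the program loads it) leaves a recognizable trace in endpoint telemetry: a DLL loaded from the same user-writable directory as the host process, with no valid signature. The script below is an added example, not code from Check Point or from the report, showing one heuristic a defender can run over image-load records. It uses the field names of Sysmon "Image loaded" events (Image, ImageLoaded, Signed, SignatureStatus), but every record, path and DLL name in it is constructed for illustration; the trusted-root list and the watchlist of abused host processes are assumptions a team would tune to its own environment.

```python
"""Heuristic detection of DLL side-loading in image-load telemetry (added example).

Flags a DLL load when all of the following hold:
  1. the DLL has no valid Authenticode signature,
  2. the DLL sits in the same directory as the process that loaded it, and
  3. that directory is outside the trusted install roots.
Loads whose host process is on a watchlist of commonly abused executables
(the page names Outlook) are rated higher.
"""
import ntpath
from typing import Dict, List, Optional

# Directories where vendor software legitimately ships its own DLLs (assumption;
# tune per environment). Lower-cased, with trailing backslash.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Legitimate host executables known to be abused as side-loading carriers.
# Outlook comes from the page; defenders would extend this list (assumption).
WATCHLIST_HOSTS = {"outlook.exe"}

# Constructed Sysmon-style "Image loaded" records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # genuine Outlook loading a signed system DLL: benign
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # copy of Outlook dropped in Temp, loading an unsigned DLL beside it: side-loading
        "Image": r"C:\Users\alice\AppData\Local\Temp\update\OUTLOOK.EXE",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\PLACEHOLDER_hijacked.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # third-party app loading its own unsigned plugin from Program Files: tolerated
        "Image": r"C:\Program Files\ExampleVendor\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # unsigned executable, but the DLL it loads is a signed system library: not side-loading
        "Image": r"C:\Users\alice\Downloads\tool.exe",
        "ImageLoaded": r"C:\Windows\System32\user32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # signed helper executable (name is a placeholder) with an unsigned DLL next to it
        "Image": r"C:\Users\Public\proxy\PLACEHOLDER_signed_host.exe",
        "ImageLoaded": r"C:\Users\Public\proxy\PLACEHOLDER_hijacked.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators so comparisons are reliable."""
    return path.replace("/", "\\").lower()


def _under_trusted_root(path: str) -> bool:
    return any(_norm(path).startswith(root) for root in TRUSTED_ROOTS)


def classify_image_load(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one image-load record, or None when it looks benign."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    if signed_ok or not loaded.endswith(".dll"):
        return None
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return None                      # DLL did not come from the host's own directory
    if _under_trusted_root(loaded):
        return None                      # vendor-shipped unsigned DLL; noisy if flagged
    severity = "high" if ntpath.basename(image) in WATCHLIST_HOSTS else "medium"
    return {
        "process": event["Image"],
        "dll": event["ImageLoaded"],
        "severity": severity,
        "reason": "unsigned DLL loaded from the host process's own non-standard directory",
    }


def scan_image_loads(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the heuristic over a batch of records and keep only the findings."""
    return [f for f in (classify_image_load(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['process']} loaded {finding['dll']}")
```

The trusted-root exemption trades a blind spot for signal quality: an attacker who already holds administrative rights can drop files into Program Files, so teams that can afford the noise may drop that check or replace it with an allowlist of known vendor DLL hashes. Correlating the hit with the archive-extraction event that wrote both files (the delivery method described above) raises confidence further.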