Is Naikon APT targeting government organizations in APAC, including Australia?
Hello, this is Mitsuhiko Maruyama (丸山満彦).
According to Check Point Research, Naikon APT, an APT group believed to be Chinese (?), appears to be running a campaign that targets government organizations in APAC, including Australia.
● Check Point - Research
・2020.05.07 Naikon APT: Cyber Espionage Reloaded
-----
Infection Chains
Throughout our research, we witnessed several different infection chains being used to deliver the Aria-body backdoor. Our investigation started when we observed a malicious email sent from a government embassy in APAC to an Australian state government, named The Indians Way.doc. This RTF file, which was infected (weaponized) with the RoyalRoad exploit builder, drops a loader named intel.wll into the target PC's Word startup folder. The loader in turn tries to download and execute the next stage payload from spool.jtjewifyn[.]com.
This is not the first time we have encountered this version of the RoyalRoad malware which drops a filename named intel.wll – the Vicious Panda APT group, whose activities we reviewed in March 2020, utilizes a very similar variant.
Overall, during our investigation we observed several different infection methods:
- An RTF file utilizing the RoyalRoad weaponizer.
- Archive files that contain a legitimate executable and a malicious DLL, to be used in a DLL hijacking technique, taking advantage of legitimate executables such as Outlook and Avast proxy, to load a malicious DLL.
- Directly via an executable file, which serves as a loader.
[Figure: Infection chain examples]
-----
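The excerpt describes two loading patterns a defender can check for without any malware sample in hand: a `.wll` add-in dropped into Word's STARTUP folder (Word loads every `.wll` there on launch), and an archive that pairs a legitimate executable with a DLL placed beside it so the executable side-loads the DLL. The following Python is an added example written for this post, not Check Point's code or tooling; the per-user STARTUP path in the comment is the standard Word default, and the sample folder and archive it builds are constructed placeholders (the `intel.wll` name is taken from the excerpt, the other names are made up).

```python
import io
import os
import posixpath
import tempfile
import zipfile
from collections import defaultdict

# --- Pattern 1: Word add-in persistence -------------------------------------
# Word executes any *.wll add-in found in its STARTUP folder on every launch.
# The excerpt describes a RoyalRoad RTF dropping the loader "intel.wll" there.
# Standard per-user location (Word default, stated here as background):
#   %APPDATA%\Microsoft\Word\STARTUP


def flag_word_startup_addins(startup_dir):
    """Return the *.wll add-ins present in a Word STARTUP folder, sorted.

    .dotm templates are the expected content of this folder; a .wll here is
    rare in normal use and worth reviewing (hash, signer, creation time).
    """
    if not os.path.isdir(startup_dir):
        return []
    return sorted(
        name for name in os.listdir(startup_dir)
        if name.lower().endswith(".wll")
    )


def build_sample_word_startup():
    """Constructed sample: a STARTUP folder holding a normal template and a .wll."""
    folder = tempfile.mkdtemp(prefix="word_startup_")
    for name in ("Normal.dotm", "intel.wll"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"placeholder bytes, not a real add-in")
    return folder


# --- Pattern 2: exe + DLL pairs for DLL side-loading -------------------------
# The excerpt's second chain ships an archive holding a legitimate executable
# and a malicious DLL beside it. Windows searches the application's own
# directory before system locations, so the bundled DLL wins. Before an
# archive from mail is opened, list every directory pairing an .exe with DLLs.


def find_sideload_candidates(archive_bytes):
    """Map each .exe in a zip to the .dll names sitting in the same directory.

    Returns {exe_path: [dll_name, ...]} only for directories where both coexist.
    """
    exes, dlls = [], defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, name = posixpath.split(info.filename)
            ext = posixpath.splitext(name)[1].lower()
            if ext == ".exe":
                exes.append((folder, info.filename))
            elif ext == ".dll":
                dlls[folder].append(name)
    return {
        path: sorted(dlls[folder])
        for folder, path in exes
        if dlls.get(folder)
    }


def build_sample_archive():
    """Constructed sample archive: one exe with a neighbouring DLL, one without."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/viewer.exe", b"MZ placeholder")
        zf.writestr("report/helper.dll", b"MZ placeholder")
        zf.writestr("report/README.txt", b"constructed sample, not real content")
        zf.writestr("tools/standalone.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("Word STARTUP .wll add-ins:",
          flag_word_startup_addins(build_sample_word_startup()))
    print("exe+dll pairs in archive:",
          find_sideload_candidates(build_sample_archive()))
```

Point `flag_word_startup_addins` at the real STARTUP path of each user profile when sweeping a fleet; a hit is a lead to triage, not a verdict, since legitimate add-ins also ship as `.wll`. Likewise `find_sideload_candidates` only surfaces the exe-plus-DLL layout the excerpt describes; the DLL's signature and import table decide whether it is benign.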
■ Related articles
● Threatpost
・2020.05.07 Naikon APT Hid Five-Year Espionage Attack Under Radar
・2020.05.07 Chinese APT group Naikon targeted Western Australia government
・2020.05.07 Report: Chinese-linked hacking group has been infiltrating APAC governments for years
・2020.05.08 APT Group Wages 5-Year Cyber-Espionage Campaign: Report
・2020.05.07 Naikon APT has been attacking government organizations for five years