On Wednesday, security researchers disclosed a multi-stage, targeted espionage campaign against government-sector victims in South East Asia, which they believe has been run by a sophisticated Chinese APT group since at least 2018.
In its analysis, Bitdefender said: “The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PcShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor.”
Notably, the FunnyDream campaign has previously been linked to high-profile government entities in Malaysia, Taiwan, and the Philippines, with most of the victims located in Vietnam.
Researchers said that not only did nearly 200 machines show indicators linked to the campaign, but the evidence also suggests the threat actor may have compromised domain controllers on the victim’s network, allowing them to move laterally and potentially take control of other systems.
The research turned up little to no evidence of how the initial infection occurred, although it is suspected that the attackers used social-engineering lures to trick unsuspecting users into opening malicious files.
After gaining an initial foothold, the attackers deployed numerous tools on the infected system, including the Chinoxy backdoor for persistence and a Chinese remote access Trojan (RAT) called PcShare, a modified variant of a tool publicly available on GitHub.
“Attributing APT style attacks to a particular group or country can be extremely difficult, mostly because forensic artefacts can sometimes be planted intentionally, C&C infrastructure can reside anywhere in the world, and the tools used can be repurposed from other APT groups,” the researchers concluded.
“During this analysis, some forensic artifacts seem to suggest a Chinese-speaking APT group, as some of the resources found in several binaries had a language set to Chinese, and the Chinoxy backdoor used during the campaign is a Trojan known to have been used by Chinese-speaking threat actors.”