APT30

APT30, also known as the Naikon group, is one of the most active APT groups in Asia. Since 2010, it has launched spear phishing campaigns against organizations surrounding the South China Sea, intent on harvesting geo-political intelligence from civilian and military government organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos, and China. The actors speak native Chinese. Based on the choice of targets, the operating language, and the sophistication of the toolkit, there is a distinct possibility that APT30 is a Chinese state-sponsored threat group.
Spear phishing campaigns begin with a lure email relevant to the victim that carries a malicious Microsoft Word document, which, according to Kaspersky Lab, actually contains “a CVE-2012-0158 exploit, an executable with a double extension, or an executable with an RTLO filename”. One of its most prolific spear phishing campaigns was the March 2014 wave of attacks targeting organizations from countries affected by the MH370 tragedy. Upon opening/execution, the malicious payload, an 8 KB encrypted file plus configuration data, is injected into the browser's memory, where it decrypts the ports and paths to the C2 server, a user agent string, filenames and paths to relevant components, and hash sums of the user API functions. The malicious code downloads the main malware from the C2 server over an SSL connection and loads it independently of the operating system functions, without saving it to the hard drive, by assuming control of the XS02 function and handling the installation in memory.
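As an added illustration of the two filename tricks quoted above (this is example code written here, not a tool from Kaspersky Lab or any other cited source), the following Python checks a mail attachment's name for a Unicode RTLO override or a double extension and reports the name a mail client would display against the extension that actually executes. The sample filenames are constructed, and the heuristics are assumptions for illustration.

```python
"""Flag attachment filenames that hide an executable behind an RTLO override
(U+202E) or a document-looking double extension such as "name.pdf.exe".
Constructed sample names; assumed heuristics, not any vendor's detection."""

# Unicode bidirectional controls that change how a filename is rendered.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "hta",
                             "js", "jse", "vbs", "vbe", "wsf", "msi", "dll", "lnk"})
DOCUMENT_EXTS = frozenset({"doc", "docx", "rtf", "pdf", "xls", "xlsx", "ppt",
                           "pptx", "txt", "jpg", "png"})


def displayed_name(name):
    """Approximate what a naive renderer shows: everything after an RTLO
    override is drawn reversed; other bidi controls are simply invisible."""
    out = []
    for i, ch in enumerate(name):
        if ch == "\u202e":
            tail = [c for c in name[i + 1:] if c not in BIDI_CONTROLS]
            return "".join(out) + "".join(reversed(tail))
        if ch not in BIDI_CONTROLS:
            out.append(ch)
    return "".join(out)


def inspect_attachment_name(name):
    """Return the real extension, the rendered name, and a list of findings."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    exts = clean.lower().split(".")[1:]          # every extension after the stem
    true_ext = exts[-1] if exts else ""          # what the OS actually opens
    shown = displayed_name(name)
    shown_ext = shown.lower().rsplit(".", 1)[-1] if "." in shown else ""
    findings = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi-control")
    if true_ext in EXECUTABLE_EXTS and shown_ext != true_ext:
        findings.append("extension-spoofed")     # e.g. rendered .pdf, really .scr
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and true_ext in EXECUTABLE_EXTS:
        findings.append("double-extension")
    if true_ext in EXECUTABLE_EXTS:
        findings.append("executable")
    return {"name": name, "displayed": shown, "true_ext": true_ext,
            "findings": findings, "suspicious": bool(findings)}


def scan_attachments(names):
    """Return inspection records for every suspicious name in the batch."""
    return [r for r in map(inspect_attachment_name, names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names modelled on the lure themes described above.
    for rec in scan_attachments(["Flight_MH370_update.docx",
                                 "MH370_passenger_list.pdf.exe",
                                 "Agenda_\u202efdp.scr"]):
        print(rec["displayed"], "->", rec["true_ext"], rec["findings"])
```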
The main component of the Naikon platform is a remote administration component. According to Trend Micro, the RARSTONE backdoor (BKDR_RARSTONE.A) can obfuscate itself by “decrypting and loading a backdoor ‘executable file’ directly into memory without the need to drop the actual ‘executable file.’” The backdoor installs like a PlugX backdoor, injecting code into hidden instances of Internet Explorer. The module establishes a connection to the C2 server to receive and execute any of an estimated 48 commands from the adversary on the host. These commands include profiling the system, uploading and downloading data, executing arbitrary code, installing other modules, and executing commands via the command line. The backdoor routine also has the ability to read installer properties from Uninstall registry key entries, which allows it to silently uninstall applications that interfere with the malware. The espionage malware collects email messages, monitors victims’ keystrokes and screens in real time, and monitors network traffic.
The command and control infrastructure is minimalistic and organized according to the locations of victims and targets. The communication protocol varied according to target: some systems connected directly to the C&C servers, while others were routed through dedicated proxy servers. The proxy servers were victim hosts running the XSControl software, which accepted incoming connections and routed them to the relevant C&C servers. The proxy server application also offered a GUI administration utility, logged client and operator activity, and transmitted logs to an FTP server. The operator logs contained an XML database of downloaded files (including a timestamp, the remote path, and the local path), a database of filenames and victim registry keys, and a history of executed commands.
Perhaps the largest news story involving Naikon was the report by Kaspersky Lab that a rival APT in the region, dubbed the Hellsing group, had attacked the Naikon group. In March 2014, Hellsing group received a spear phishing email from Naikon and Hellsing responded with a reply message containing a locked malicious RAR archive labeled “confidential data.” The archive contained two PDFs and a SCR file, a backdoor specifically customized to target the Naikon group. The backdoor can upload and download files, update itself, and uninstall itself.

Type: Nation-State-Sponsored
APT30 Status: Active
APT30 Other Names: Naikon /PLA 78020 /Operation MsnMM /Operation Camera Shy
APT30 Active Since/Discovered: 2010
APT30 Last Report: September 2015
APT30 Targets: Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, and Laos, ASEAN Union, and US
APT30 Target Sectors: top-level government agencies and civil and military organizations
Malware:
- RARSTONE backdoor
  - similar to the PlugX backdoor
  - RAT capabilities
  - Obfuscates itself by decrypting and loading a backdoor executable file directly into memory without the need to drop the actual executable file
  - 48 commands including: profiling the system, uploading and downloading data, executing arbitrary code, installing other modules, or executing commands via the command line
- BACKSPACE
- NETEAGLE
- XSControl
Preferred Attack Vector: Spear Phishing with Word attachments
TTP:
- CVE-2012-0158
  - buffer overflow in the ActiveX controls of MSCOMCTL.OCX
Unique:
- Focus on espionage against political and military targets in the South China Sea (SCS)
  - China relies on the SCS for trade routes
- Minimalistic C2 infrastructure
  - organized according to the locations of victims and targets
  - Communication protocol varies according to target
  - Some systems connected directly to the C&C servers while other systems were routed through dedicated proxy servers
- High success rate in infiltrating national organizations in ASEAN countries
- At least five years of high-volume, high-profile, geo-political attack activity