Naikon, a Chinese state-sponsored Advanced Persistent Threat (APT) group, is under scrutiny once again following the discovery of a new set of TTPs (Tactics, Techniques, and Procedures). Although the group's motivation remains unknown, the recovered data and attack artifacts suggest that Naikon may be staging a surveillance operation against Southeast Asian military and governmental high-value targets (HVTs). Cluster25, one of the security research teams that have analyzed and tracked Naikon's activity, reports that the group now employs open-source penetration-testing tools to extract confidential information.
A Brief History of Naikon APT Activity
Naikon, also tracked as Lotus Panda and Override Panda, was first detected in the wild in early 2010, when it was loosely associated with a series of rapid spear-phishing campaigns against governmental, military, and civilian organizations in the ASEAN region.
Tracking and fingerprinting efforts proved largely futile, since the group relied on obfuscation techniques designed to throw investigators off its tracks. It is estimated that between 2010 and 2014/2015 Naikon spear-phished and compromised multiple state agencies in Indonesia, the Philippines, Singapore, Malaysia, Vietnam, Cambodia, Laos, Thailand, Myanmar, Nepal, and even in China itself, before going below the radar.
A roughly four-year hiatus followed, during which the group probably refined its TTPs and conducted reconnaissance on potential targets. In June 2019 Naikon resurfaced with more or less the same MO, plus a few additions such as the deployment of backdoors like Nebulae and RainyDay.
The group's activity continued until September 2021, when Naikon once again vanished without a trace. Fast forward to 2022 and the group is once more on the prowl. Interestingly, Naikon has not yet been linked to a completed attack in this round of activity; some sources suggest the APT may be conducting close surveillance on potential targets (identifying access points, persons or objectives of interest, information labeled "confidential", and so on).
Naikon MO and TTPs
A recent investigation led by Cluster25 revealed that Naikon is combining spear-phishing with weaponized documents and open-source penetration-testing tools to stage the attack.
In this latest iteration, the group gains initial access by emailing the victim a weaponized Office document. According to Cluster25, the .docx attachment is written in Chinese and reportedly outlines the steps to procure WAF-type equipment.
Even the subject line is engineered as a lure: a call for tenders, implying that the recipient must review the attached documentation. Once the user opens the document, titled "Tender Documents for Centralized Procurement of Web Application Firewall (WAF) Equipment of China Mobile from 2022 to 2024", and the VBA macro runs, it reads the payload hidden in the document's Subject and Comments metadata properties and writes the resulting data to the victim's temp folder.
The dropped files are rad543C7.tmp.ini and rad543C7.tmp.exe. The .ini file holds the payload as a hex-encoded string; the executable later converts that string into a byte array, loads it into its own process memory, and starts execution on a new thread.
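The metadata-staging trick above (payload hidden in the document's Subject and Comments fields) can be checked for without ever running the macro: OOXML packages are zip files, and Word stores the Subject field as dc:subject and the Comments field as dc:description in docProps/core.xml. The following Python is an added detection example written for this article, not code from Cluster25 or from the Naikon toolset. The sample document is constructed inline (a fake payload with an MZ header, not real malware), and the 64-character minimum is an assumed threshold for telling a hex blob apart from an ordinary subject line.

```python
"""Flag Office documents whose Subject / Comments metadata carries a
hex-encoded payload, the staging trick described in the article.

Added example, not Cluster25's or Naikon's code. The document below is
constructed in memory; the "payload" is an MZ header plus padding."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML stores Word's "Subject" as dc:subject and "Comments" as dc:description
# inside docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MIN_HEX_LEN = 64  # assumed threshold: no real subject line is 32+ bytes of pure hex


def read_core_properties(doc_bytes):
    """Return {field: text} for the metadata fields a macro could read back."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return props
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for field, tag in (("Subject", "dc:subject"), ("Comments", "dc:description")):
        el = root.find(tag, NS)
        if el is not None and el.text:
            props[field] = el.text.strip()
    return props


def find_hex_payloads(props):
    """Return [(field, decoded_bytes, starts_with_MZ)] for fields that are long
    pure-hex strings, i.e. look like an embedded payload rather than prose."""
    hits = []
    for field, text in props.items():
        compact = re.sub(r"\s+", "", text)
        if len(compact) >= MIN_HEX_LEN and len(compact) % 2 == 0 and HEX_RE.match(compact):
            decoded = bytes.fromhex(compact)
            hits.append((field, decoded, decoded[:2] == b"MZ"))
    return hits


def build_sample_docx(subject, comments):
    """Construct a minimal OOXML package containing only docProps/core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:title>Tender Documents</dc:title>"
        "<dc:subject>%s</dc:subject>"
        "<dc:description>%s</dc:description>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], subject, comments)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def scan(doc_bytes):
    """Full pipeline: unpack, read metadata, flag hex payloads."""
    return find_hex_payloads(read_core_properties(doc_bytes))


# Constructed samples: a fake PE (MZ header + padding) hex-encoded into Comments,
# and a benign document with ordinary text in the same fields.
FAKE_PE = b"MZ" + b"\x90" * 62
SUSPICIOUS_DOC = build_sample_docx("Call for tenders", FAKE_PE.hex())
BENIGN_DOC = build_sample_docx("Call for tenders", "Please review by Friday.")

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_DOC), ("benign", BENIGN_DOC)):
        hits = scan(doc)
        print(name, "->", [(f, len(b), pe) for f, b, pe in hits])
```

The same scan works on .docm and .xlsm files, since all OOXML packages carry docProps/core.xml; a mail gateway can run it on attachments before the user ever sees the macro prompt. Only the Subject and Comments fields are read here because those are the ones the article names; extending the check to cp:keywords and dc:title is a one-line change.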
The second stage is beaconing: a remote thread is created that contacts the C2 server at a fixed interval. Given these TTPs, the researchers initially assumed that the operators might be using Cobalt Strike, a popular red-team framework.
Further investigation, however, showed that the group is using a somewhat obscure open-source framework called Vyper, which offers powerful offensive capabilities and is usually employed for intranet penetration testing. In addition to Vyper, the group has also been observed using ARL (Asset Reconnaissance Lighthouse), a multi-purpose pen-testing tool for discovering attack surfaces and weak points and, of course, for reconnaissance.
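The fixed-interval C2 check-in described in the previous paragraph is one of the few behaviours that survives a change of framework: whether the implant is Cobalt Strike or Vyper, a timer-driven beacon produces near-constant inter-arrival times that human browsing does not. The Python below is an added example for this article, not Cluster25's or any vendor's detector. The proxy log format (timestamp, source, destination:port) is an assumed one, the log lines are constructed, and the five-event minimum and 0.15 coefficient-of-variation ceiling are assumed thresholds to tune against your own baseline.

```python
"""Spot fixed-interval beaconing in proxy logs, the C2 pattern the article
describes. Added example, not the article's or any vendor's code; log format
and thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed "timestamp src dst:port" format: 10.0.0.5
# calls one destination every ~60 s (a beacon); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2022-04-28T09:00:00 10.0.0.5 203.0.113.10:443
2022-04-28T09:00:03 10.0.0.7 198.51.100.2:443
2022-04-28T09:01:01 10.0.0.5 203.0.113.10:443
2022-04-28T09:01:55 10.0.0.7 198.51.100.2:443
2022-04-28T09:02:00 10.0.0.5 203.0.113.10:443
2022-04-28T09:02:10 10.0.0.7 198.51.100.2:443
2022-04-28T09:02:59 10.0.0.5 203.0.113.10:443
2022-04-28T09:03:00 10.0.0.7 198.51.100.9:80
2022-04-28T09:04:01 10.0.0.5 203.0.113.10:443
2022-04-28T09:04:17 10.0.0.7 198.51.100.2:443
2022-04-28T09:05:00 10.0.0.5 203.0.113.10:443
2022-04-28T09:09:42 10.0.0.7 198.51.100.2:443
"""

MIN_EVENTS = 5   # assumed: fewer connections than this is too little to judge
MAX_CV = 0.15    # assumed: std-dev / mean of the gaps; timers cluster tightly


def parse(log_text):
    """Group connection timestamps by (src, dst)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(log_text, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Return {(src, dst): (mean_interval_s, cv)} for flows whose inter-arrival
    times are nearly constant. A coefficient of variation near 0 means a timer,
    not a person; implant jitter raises it, but stays far below real browsing."""
    beacons = {}
    for flow, times in parse(log_text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[flow] = (round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {mean}s (cv={cv})")
```

In the sample, 10.0.0.5 produces gaps of 61, 59, 59, 62 and 59 seconds (cv about 0.02) and is flagged; 10.0.0.7 reaches 198.51.100.2 five times too, but with gaps from 15 s to over five minutes, so it is not. Beacons configured with heavy jitter push the cv upward, which is why the ceiling should be set from your own traffic rather than taken from this example.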
Prevention and Mitigation
With Naikon on the prowl, additional steps must be taken to ensure data integrity and safeguard your networks. First, your company should run regular red-team exercises and phishing drills so that employees stay current on cyber-hygiene procedures. Given the delivery chain described above, two controls deserve a specific check: macros in Office documents received from the internet should be blocked by policy, and executables launched from a user's temp folder should raise an alert, since that is exactly where this lure drops its payload.
The second step is deploying products capable of preventing, mitigating, and eliminating the risks associated with this type of malware. Heimdal™ Security can help you secure your infrastructure with products that cover all attack surfaces: Threat Prevention – Endpoint and Threat Prevention – Network to sever C2 communications, Next-Gen Antivirus & MDM to root out malicious files, Privileged Access Management to prevent local privilege escalation, and Email Security bundled with Email Fraud Prevention to identify and remove malicious email.