Researchers from Check Point have detailed cyber espionage activity conducted over the past five years by the Naikon APT (Advanced Persistent Threat) group against the governments of Australia, Brunei, Myanmar, Indonesia, the Philippines, Thailand and Vietnam.

What Is It?

Naikon has been observed using several infection methods, all with the goal of installing its backdoor trojan, which has been named Aria-body. The lures arrive by email and rely on social engineering to convince the recipient to open the attachment. The first of these is an RTF (Rich Text Format) document that has been weaponized with a tool called RoyalRoad.

When the user opens the RTF, the document drops a loader onto the device, and the loader then downloads the Aria-body backdoor. The second method is a zip archive containing a legitimate executable together with a malicious DLL: the executable loads the DLL from its own directory (DLL side-loading) and the DLL downloads Aria-body. The third method is a RAR archive containing a legitimate executable and the Aria-body DLL itself, so nothing further has to be fetched. This last option was presumably used where Naikon knew that the recipient's environment would block downloading the payload from the internet.
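The second and third lures share one structural tell: a legitimate executable packaged next to a DLL it will load from the same directory. The following is an added triage check, not code from the Check Point report or from BluVector, that flags that pairing inside a zip attachment. The archive contents and file names are constructed for the example and are not the names used by Naikon; RAR attachments would need a third-party reader, so only zip is handled here.

```python
import io
import zipfile

PE_MAGIC = b"MZ"  # DOS header signature at offset 0 of every PE file


def build_sample_archive() -> bytes:
    """Constructed lure: an .exe and a .dll side by side, plus a decoy text file.
    File names and contents are made up; the PE bodies are stand-ins."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/viewer.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("report/helper.dll", PE_MAGIC + b"\x00" * 62)
        zf.writestr("report/notes.txt", b"constructed decoy text")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a DLL with no executable next to it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/notes.txt", b"constructed decoy text")
        zf.writestr("report/tool.dll", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def sideload_candidates(archive: bytes):
    """Return (exe, dll) pairs of real PE files that share a directory in a zip.

    A lone .exe or .dll is not flagged; the pairing is what makes the
    side-loading lure work. Extensions are only trusted when the file
    actually starts with the PE magic, so a text file renamed to .dll is
    ignored.
    """
    pe_by_dir = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(len(PE_MAGIC)) != PE_MAGIC:
                    continue
            folder, _, name = info.filename.rpartition("/")
            pe_by_dir.setdefault(folder, []).append(name)

    pairs = []
    for folder, names in pe_by_dir.items():
        prefix = folder + "/" if folder else ""
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                pairs.append((prefix + exe, prefix + dll))
    return pairs


if __name__ == "__main__":
    print(sideload_candidates(build_sample_archive()))   # one (exe, dll) pair
    print(sideload_candidates(build_benign_archive()))   # []
```

The check is a triage signal, not a verdict: portable installers and some vendor tools legitimately ship an executable with its DLLs, so a hit should route the attachment to sandboxing or signature checks rather than block it outright.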

Aria-body is a RAT (Remote Access Trojan) named after a string found in its code. It has the functionality expected of a RAT, such as creating and deleting files and directories, taking screenshots, searching for files, executing files and gathering system information. It has also been expanded over time, with later variants adding the collection of information about USB devices, keylogging and a proxy capability. Gathered data is placed in a zip file that is encrypted with a random eight-character password. That password is then only obfuscated by XORing it with a single byte before being sent as part of the communication with the C2 (command and control) server, so anyone holding a capture of that traffic can recover it by trying all 256 possible key bytes.
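The following added example (not code from the report or from BluVector) shows why single-byte XOR does not protect the archive password: the obfuscation is reproduced on the implant side and then undone on the defender side by exhausting the 256 keys. Check Point reports a random eight-character password but not its alphabet, so the alphanumeric charset, the key byte and the sample password below are assumptions made for the example.

```python
import secrets
import string

# Charset is an assumption: the report gives the length (8) but not the alphabet.
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 8


def random_password(length: int = PASSWORD_LENGTH) -> str:
    """Random password of the kind the implant is reported to generate."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. The operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_password(obfuscated: bytes, length: int = PASSWORD_LENGTH):
    """Defender's side: try all 256 keys and keep decodings that look like a
    password of the expected length and alphabet. The true key is always among
    the hits; with eight random characters, usually only a few other keys
    survive the alphabet filter."""
    allowed = set(PASSWORD_ALPHABET.encode())
    hits = []
    if len(obfuscated) != length:
        return hits
    for key in range(256):
        candidate = xor_single_byte(obfuscated, key)
        if all(b in allowed for b in candidate):
            hits.append((key, candidate.decode("ascii")))
    return hits


if __name__ == "__main__":
    # Constructed values: the key byte and password are made up, not from a sample.
    key = 0x5A
    password = "Ab3xY9qZ"
    wire = xor_single_byte(password.encode(), key)   # what would cross to the C2
    print(wire.hex())
    print(recover_password(wire))                    # includes (90, 'Ab3xY9qZ')
```

Each surviving candidate can be tried against the captured zip; only the real password opens it, which reduces the forensic problem to a handful of attempts rather than a search over the whole password space.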

The Naikon APT group was first publicly described by researchers at Kaspersky in 2015 and has been linked to Unit 78020 of China's People's Liberation Army. Its primary focus is gathering intelligence from governments and militaries in the South China Sea and Asia Pacific regions. After a report in September 2015 publicly identified an individual member of Naikon, visible activity from the group appeared to cease. Check Point has found, however, that the group continued to operate and to develop new malware, and that during 2019 and into 2020 Naikon increased the frequency of its attacks.

How Does It Propagate?

The Aria-body malware does not self-propagate. The attack vector is email carrying malicious attachments, with social engineering used to convince recipients to open them.

When/How Did BluVector Detect It?

The components of these Naikon attacks have been regression tested against BluVector's patented Machine Learning Engine (MLE). The malicious DLL files, discovered in February and March of 2020 respectively, would have been detected an average of 55 months prior to their discovery. Although none of the malicious RTF documents used in these attacks is publicly available, recent samples of RoyalRoad RTF documents similar to those used by Naikon would also have been detected an average of 55 months prior to their discovery. Publicly available samples of the Aria-body malware used in these attacks would have been detected an average of 48 months prior to their discovery.