A Chinese-speaking threat actor has deployed a newly discovered backdoor in multiple cyber-espionage operations that span roughly two years and target military organizations in Southeast Asia.
For at least a decade, the hacking group known as Naikon has actively spied on organizations in countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand. The group is likely a state-sponsored threat actor with ties to China and is mainly known for focusing its efforts on high-profile organizations, including government agencies and military groups.
In these attacks, Naikon abused legitimate software to side-load second-stage malware dubbed Nebulae to achieve persistence, according to researchers at Bitdefender.
“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as backup access point to victim in the case of a negative scenario for actors,” Bitdefender researcher Victor Vrabie said.
In the same series of attacks, the Naikon threat actors also delivered first-stage malware known as RainyDay or FoundCore, which was used to deploy second-stage payloads and tools for various purposes, including the Nebulae backdoor.
“Using the RainyDay backdoor, the actors performed reconnaissance, uploaded its reverse proxy tools and scanners, executed the password dump tools, performed lateral movement, achieved persistence, all to compromise the victims’ network and to get to the information of interest,” Vrabie added.