Bitdefender researchers recently published a detailed timeline of a Chinese APT espionage attack targeting South Eastern Asian government institutions, revealing a complete picture of how all the tools and backdoors used were tied to each other throughout the entire attack lifecycle.
The goal of this report was to piece together all the forensic evidence to create a case study example, offer a technical analysis of the tools used, and map the tactics, techniques and procedures (TTPs) employed by the Chinese APT group.
Considering the geopolitical tensions in the South Eastern Asian region, the APT campaign likely aimed at gaining commercial and politically strategic information from government institutions within the region.
While signs of the attack date back to late 2018 and continue up to 2020, campaign activity and the extensive toolset indicate robust exploration and data collection capabilities focused on data retrieval and exfiltration using a distributed command & control infrastructure.
The three backdoors revealed during the investigation (Chinoxy, PcShare and FunnyDream) and the persistence tactics, which involve digitally signed binaries and sideloading backdoors into memory, reveal the sophistication of the Chinese APT group. Forensic evidence also suggests that threat actors might have compromised domain controllers within the victim's network and moved laterally across the infrastructure, as over 200 machines showed signs of having various tools associated with the APT group.
The execution flow for the tools used in this campaign is as follows:
- Execution of Chinoxy dropper and execution of the Chinoxy Backdoor
- Execution of PcShare dropper and execution of PcShare Loader
- Ccf32 deployment
- FilePakMonitor dropper deployment and FilePakMonitor execution
- FunnyDream backdoor deployment
- Deployment of other tools from the toolset: droppers of the FunnyDream tools, PcMain, FunnyDreamTcpBridge, FunnyDreamFilePak
While most of the command and control infrastructure used was located in Hong Kong, three servers were in Vietnam, one in China and one in South Korea. The geographic distribution of the C&C infrastructure was likely premeditated, as internet access within the region is highly restrictive. To draw less suspicion to network traffic leaving the targeted region, the attackers likely opted for C&C infrastructure that would not raise any anomalous behavior alarms.
Some servers from the command infrastructure were still online at the time of the investigation, but the vast majority seem to have been unresponsive.
Detecting an APT-style attack can take months for organizations, while the breakout time for APT groups (the time it takes them to achieve their objectives after initial access) can sometimes be mere hours. Existing security stacks need to be augmented by visibility tools that report any suspicious or anomalous behavior at the endpoint or network layer, enabling IT and security teams to identify potential signs of attack.
The ever-evolving sophistication of attack tools and TTPs means that threat actors are more likely to evade the radar of traditional security solutions. Turning to endpoint detection and response tools for correlating suspicious events, as well as using specialized threat-hunting managed detection and response teams, can significantly increase an organization’s resilience against these sophisticated attacks.