Southeast Asia government institutions targeted by Chinese APT group

Espionage attack on the government sector leaves at least 200 systems infected with malware

Chinese hacker group infected 200 systems. Attackers used various tools to gather information and capture keystrokes and screenshots.

Researchers[1] report that a targeted and complex attack on Southeast Asian government institutions was carried out. These activities reportedly date back to 2018.[2] FunnyDream[3], the main malware involved in the campaign, was previously linked with Malaysia, Taiwan and the Philippines, but the Bitdefender team states that the sophisticated attack comes from Chinese actors.

The attack relies on a complex and complete arsenal of droppers, backdoors and other tools, including the Chinoxy backdoor, PcShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor.

200 machines were affected during the attack, and evidence shows that the attacker managed to compromise the network's domain controllers, which is how control of other systems may have been gained. The attacker possibly relied on social engineering[4] and managed to lure users into downloading and clicking on malicious files; from there, the infection can spread easily and quickly.

Multiple tools deployed in the infected system

It is not known exactly how the infection happened, but once the main payload was launched, various tools were used on the system. The Chinoxy backdoor is reported to have been the tool for ensuring persistence. Besides that, a Chinese RAT named PcShare and a modified variant of this remote access tool were deployed. The modified version is accessible on GitHub.

Command-line utilities such as tasklist.exe, ipconfig.exe and others were used to gather information from the system. Malicious components such as FilePak, ScreenCap and TcpBridge were installed to steal files, capture keystrokes, collect information and send it to the remote server.
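The built-in utilities named above (tasklist.exe, ipconfig.exe) are legitimate and run constantly on any Windows estate, so alerting on a single launch is useless. What stands out in an intrusion like this one is a burst of several distinct discovery tools spawned by the same unusual parent process in a short time. The script below is an added detection example written for this article; it is not code from the article or from the Bitdefender report. The log format (timestamp, host, parent image, image, command line) is a simplified process-creation record assumed for the example, and every log line is constructed. The tool list extends the two utilities the article names with other common discovery binaries, which is an assumption on my part.

```python
"""Flag bursts of Windows discovery utilities launched from one parent process.

Added example, not from the original article. Log lines are constructed and the
pipe-separated record format is assumed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# tasklist.exe and ipconfig.exe come from the article; the rest are assumed
# additions covering other built-in host/network discovery utilities.
DISCOVERY_TOOLS = {
    "tasklist.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "netstat.exe",
    "whoami.exe", "nltest.exe", "arp.exe", "route.exe",
}

WINDOW = timedelta(minutes=2)   # launches must fall within this span
THRESHOLD = 3                   # distinct tools from one parent to raise an alert

# Constructed sample log: "<iso-timestamp>|<host>|<parent image>|<image>|<command line>"
SAMPLE_LOG = """\
2020-11-16T09:00:01|WS-017|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2020-11-16T09:02:10|WS-017|C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\tasklist.exe|tasklist /v
2020-11-16T09:02:14|WS-017|C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2020-11-16T09:02:20|WS-017|C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\net.exe|net view
2020-11-16T09:02:31|WS-017|C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\systeminfo.exe|systeminfo
2020-11-16T10:15:00|WS-022|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig
2020-11-16T13:40:00|WS-022|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\tasklist.exe|tasklist
"""


def parse_line(line):
    """Split one record into a dict; the image is reduced to its lowercase file name."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "parent": parent,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def find_discovery_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (host, parent, tools) for each parent process that launched at
    least `threshold` distinct discovery tools within `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    # Group discovery launches by (host, parent process) so that unrelated
    # admin activity on other machines never merges into one burst.
    by_parent = defaultdict(list)
    for e in events:
        if e["image"] in DISCOVERY_TOOLS:
            by_parent[(e["host"], e["parent"])].append(e)

    alerts = []
    for (host, parent), evs in by_parent.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            tools = {ev["image"] for ev in evs[start:end + 1]}
            if len(tools) >= threshold:
                alerts.append((host, parent, tuple(sorted(tools))))
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for host, parent, tools in find_discovery_bursts(SAMPLE_LOG):
        print(f"[ALERT] {host}: {parent} ran {', '.join(tools)} within {WINDOW}")
```

On the constructed sample, only the WS-017 parent in a user's Temp directory trips the rule (three distinct tools inside 20 seconds); the two launches on WS-022 are hours apart and stay silent. Tuning the window and threshold to the environment, and excluding known administrative parents such as scheduled inventory agents, is what keeps this heuristic useful rather than noisy.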

According to the investigation, the FunnyDream backdoor has been in use since May 2019. This backdoor trojan is one of the more potent pieces of malware in the set, with more advanced functionality, persistence and communication capabilities. It is mainly used to exfiltrate or gather information, but this piece of malware has many functions:

  • cleaning traces of malware;
  • malicious command execution;
  • data transmission to C&C servers;
  • information or file gathering.

The particular location of the C&C servers points to Chinese hackers

The servers that FunnyDream gathers and sends data to were situated in Hong Kong, China, South Korea and Vietnam. Investigations of attacks dating back to 2018 and other reports reveal that the malware and the group behind it are still active.

Even though it is difficult to attribute a particular attack to a hacker group or country, most of the artifacts point to a Chinese hacker group. Of course, some artifacts may be planted or re-used from other APT groups.

Particular targets in Southeast Asia may have been chosen because of recent events: supply chains were recently shifted from China to Southeast Asia. Also, government institutions often suffer from such espionage and cyberattacks during elections, as they do in the rest of the world.[5]

Some countries within the region have even gone through recent elections and governance changes, all of which could merit interest from potential Chinese APT groups in terms of how local regimes could align ideologically and politically to China's interests.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, Communication and Journalism studies.
