In the latest cybercrime developments, Naikon APT group has been found to be utilizing new tactics, this time by using a backdoor named Nebulae, that is targeting military agencies in Southeast Asian regions.
The Naikon APT using Nebulae backdoor:
Naikon APT has been active since at least 2010 and poses severe cybersecurity threats to primarily military organizations in Southeast Asia.
The APT group has been known to have exploited major software such as VirusScan (McAfee), Sandboxie COM Services (SANDBOXIE L.T.D), Outlook Item Finder (Microsoft), and Mobile Popup Application (Quick Heal).
Regarding the mal-operations administered by the Naikon APT group, it was found that between the periods of June 2019 to March 2021, a slew of operations were initiated by the threat actor group.
A layered technique to compromise military organization:
Back in 2019, the Naikon Apt group had employed the Aria-Body loader and Nebulae as the initial stage of the attack.
Subsequently, in September 2020, Naikon incorporated the RainyDay backdoor in their weapons toolkit, as the assignment to Naikon is based on C2 servers and devices employed in its attacks.
As for now, the Naikon APT group deploys the RainyDay in the form of an initiative stage payload to deliver second-stage malware and tools, also incorporating Nebulae.
Also read,
The nebulae backdoor employed by the Naukon APT group has cyber-hazardous abilities to accumulate LogivcalDrive data, manipulate and hangle files and folders, download and upload files from and to the C2 server, and terminate/list/execute processes on infected devices.
Backdoor malware has also been known to supplement a registry key that runs the malicious code automatically during system reboots after login.
The Bailon APT group’s cyberespionage footprints have been felt in several countries like Malaysia, Singapore, Indonesia, Thailand, and the Philippines.
Security experts at Bitdefender have unearthed a prolonged cyber-operations in connection to the threat group. It also noted that the group mainly employs DLL hijacking procedures.
