Naikon APT: Cyber Espionage Reloaded
Earlier this year, we discovered evidence of a malicious document received by an Australian state government, from a friendly government embassy in the Asia Pacific (APAC). Why would a nation state jeopardize the relationship with their hospitable neighbors by directly attacking government officials from their diplomatic partners?
We soon learned the friendly foreign embassy was not behind the attack; the real villain was a Chinese APT by the name of Naikon, which had compromised the embassy's systems in order to gain credibility and used their mail server as a proxy for their assaults. Working out of third-party government entities' offices, Naikon's operatives exploited trusted, known contacts and used them to infiltrate additional government organizations.
Our investigation revealed a large-scale cyber espionage operation directed at multiple national government entities in the APAC region, including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei. The attackers aimed to install, and in many cases succeeded in installing, their custom RAT, Aria-body, thus granting them extensive access to sensitive materials belonging to countries in the region.
In our talk we review the entire infection chain, from the use of RTF documents weaponized with the RoyalRoad exploit builder, to an in-depth analysis of the custom tools used in this campaign, including the Aria-body loader and backdoor and their related infrastructure. Unique strings, code similarity and infrastructure overlaps of the Aria-body loader and backdoor are presented as the basis for their identification and attribution to the Naikon APT group.
Michael Abramzon is a Team Leader in the Threat Intelligence group of Check Point Research. For the last five years, Michael has been involved in various research fields, from large-scale campaigns, exploit kits and APT groups, to developing open source tools like Vba2Graph.
Yuval Sadowsky is a malware analyst in the Threat Intelligence group of Check Point Research. He started out as a student in the Check Point Security Academy in 2018. Yuval’s research is focused on the APT landscape, tracking espionage motivated operations and hunting for new and previously undetected threat groups.