we observed an executable to be used as well,” continues the report. “The files we found implement many persistence mechanisms, their droppers and loaders use many different file names for the payload, all of that suggesting that the backdoor is custom made.”

The analysis of the tool-usage timeline revealed that the threat actors initially deployed a series of tools meant for quick and covert data exploration and exfiltration, and later developed their own kill chain that employed the three malware families.

[Figure: FunnyDream backdoor timeline]

The researchers were able to map the C2 architecture because the domains or IP addresses of the command and control servers are hardcoded in the binaries. Most of the servers are located in Hong Kong, except for three that were in Vietnam, China and South Korea respectively.
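Because the C2 addresses are embedded as plain strings, a defender triaging a sample can recover them with a string scan and feed them into blocklists and pivoting. The following is an added example written for this page, not tooling from the report's authors; the "binary" is a constructed byte string, and the addresses in it are documentation-range values rather than indicators from the campaign.

```python
import re
from typing import Dict, List

# Constructed sample "binary": junk bytes around a few ASCII strings, the way
# hardcoded C2 addresses typically sit inside a dropper. Uses the RFC 5737
# documentation range and the reserved example.net domain; no real indicators.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"http://c2.example.net/update.php\x00\x00\x00"
    b"203.0.113.7:443\x00\x00\x00\x80\x1a"
    b"\x00\x00192.168.0.1\x00"   # private address: dropped by the filter
    b"999.1.1.1\x00"              # not a valid IPv4 octet: dropped by the filter
    b"a.b\x00"                    # too short to be a domain
    b"mail.example.net\x00"
)

IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
DOMAIN_RE = re.compile(
    rb"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63})(?![A-Za-z0-9.-])"
)
PRIVATE_PREFIXES = ("10.", "192.168.", "127.", "0.", "255.")
# Path-like strings such as "update.php" look like domains to the regex; a real
# triage pipeline would check the last label against the public suffix list.
FILE_EXTENSIONS = {"php", "exe", "dll", "txt", "html", "js", "dat", "log"}

def is_routable_ipv4(ip: str) -> bool:
    """Reject malformed octets and private/loopback/reserved ranges."""
    octets = [int(o) for o in ip.split(".")]
    if any(o > 255 for o in octets):
        return False
    if ip.startswith(PRIVATE_PREFIXES):
        return False
    if ip.startswith("172.") and 16 <= octets[1] <= 31:
        return False
    return True

def extract_c2_candidates(data: bytes) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted IPv4 and domain candidates found in a blob."""
    ips = sorted({m.decode() for m in IPV4_RE.findall(data)})
    domains = sorted({m.decode().lower() for m in DOMAIN_RE.findall(data)})
    return {
        "ips": [ip for ip in ips if is_routable_ipv4(ip)],
        "domains": [d for d in domains if d.rsplit(".", 1)[-1] not in FILE_EXTENSIONS],
    }
```

Run over a real sample, the output is a candidate list to verify against passive DNS and netflow, not a confirmed indicator set; packed or obfuscated droppers will hide the strings until unpacked.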

“It’s likely that relying on a locally deployed C&C infrastructure would bring several advantages to the APT group. For instance, it could be easier to manage and control, while at the same time the C&C IPs wouldn’t be flagged as suspicious, as they would be part of the same regional internet infrastructure. Opting for a command and control infrastructure deployed anywhere else in the world would have potentially raised some security alarms,” concludes the report. “During this analysis, some forensic artefacts seem to suggest a Chinese-speaking APT group, as some of the resources found in several binaries had a language set to Chinese, and the Chinoxy backdoor used during the campaign is a Trojan known to have been used by Chinese-speaking threat actors. While we’re constantly monitoring for APT-like activity around the world, not all APT-style attacks can be attributed to a known APT group, mostly because some of the tools used are sometimes shared between multiple groups.”

[Source: SecurityAffairs / 11.17.]