Chinese APT FunnyDream targets a South East Asian government
Security Affairs

Researchers at Bitdefender have identified a new China-linked APT, tracked as FunnyDream, that has already infected more than 200 systems in Southeast Asia.

Bitdefender's security researchers discovered a new China-linked cyber-espionage group, tracked as FunnyDream, which has infected more than 200 systems in Southeast Asia over the past two years.

According to Kaspersky Lab, FunnyDream has been active since at least 2018 and focuses on high-profile organizations in Malaysia, Taiwan and the Philippines. Most of the victims were in Vietnam, and the group targets foreign government organizations in Southeast Asia.

The group is still active and tries to remain in victims' networks for as long as possible, spying on their activity and exfiltrating confidential documents, with a particular interest in national security and industrial espionage.

"The attack had a complete and sophisticated arsenal of droppers, backdoors and other tools, including the Chinoxy backdoor, PCShare RAT and the FunnyDream backdoor, with forensic artifacts suggesting a sophisticated Chinese-speaking actor," reads the report published by Bitdefender. "Some of these open-source remote access Trojans are known to be of Chinese origin, along with some other resources set to Chinese."

The group takes its name from the powerful backdoor used in the APT attacks.

The attacks analyzed by Bitdefender's researchers used three malware families: Chinoxy, PCShare and FunnyDream.

The attackers followed the same kill chain in every attack, starting with the Chinoxy backdoor to gain persistence on the victim's system after initial access.

The Chinoxy dropper abuses a digitally signed binary (Logitech Bluetooth Wizard Host Process) to evade detection, using DLL side-loading to load the backdoor into memory.
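As an added example (not Bitdefender's detection logic or any tool from the report), the following Python checks Sysmon Event ID 7 (ImageLoaded) records for the side-loading pattern described above: a host executable loading a DLL from its own directory, outside the Windows and Program Files trees, where the DLL is unsigned or carries a different signer than the host. The sample records, the file name SignedHost.exe and the `ImageSigner` enrichment field are constructed for the example; Sysmon's own event reports the signature of the loaded image only, so the host's signer has to be added from a separate lookup.

```python
from pathlib import PureWindowsPath

# Directories where a DLL living next to its host executable is expected.
# Anything else (ProgramData, user profiles, Temp, ...) is a drop location.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon Event ID 7 (ImageLoaded) records, normalised to dicts.
# "ImageSigner" is an assumed enrichment field (signer of the host process);
# Sysmon's Signed/Signature fields describe the loaded DLL, not the host.
SAMPLE_EVENTS = [
    {   # unsigned DLL dropped next to a signed host in ProgramData: classic side-load
        "Image": r"C:\ProgramData\Update\SignedHost.exe",
        "ImageLoaded": r"C:\ProgramData\Update\version.dll",
        "Signed": "false", "Signature": "", "ImageSigner": "Vendor Inc",
    },
    {   # same layout but under Program Files: treated as a normal install
        "Image": r"C:\Program Files\Vendor\App.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "Signed": "false", "Signature": "", "ImageSigner": "Vendor Inc",
    },
    {   # system DLL loaded from System32: not the side-loading layout
        "Image": r"C:\Users\alice\Downloads\tool.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "ImageSigner": None,
    },
    {   # signed DLL, but by a different publisher than the host
        "Image": r"C:\ProgramData\Update\SignedHost.exe",
        "ImageLoaded": r"C:\ProgramData\Update\plugin.dll",
        "Signed": "true", "Signature": "Other Publisher", "ImageSigner": "Vendor Inc",
    },
]


def _directory(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash."""
    parent = str(PureWindowsPath(path.lower()).parent)
    return parent.rstrip("\\") + "\\"


def is_suspicious_sideload(event: dict) -> bool:
    """True when an ImageLoaded record matches the side-loading heuristic."""
    host, dll = event["Image"], event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return False
    # Side-loading places the DLL beside the signed host binary.
    if _directory(host) != _directory(dll):
        return False
    # A DLL next to its host under Windows/Program Files is normal.
    if _directory(dll).startswith(TRUSTED_DIRS):
        return False
    # Unsigned DLL beside a host outside trusted directories: flag it.
    if event.get("Signed", "false").lower() != "true":
        return True
    # Signed, but not by the host's publisher (when the host signer is known).
    host_signer = event.get("ImageSigner")
    return host_signer is not None and event.get("Signature") != host_signer


def find_sideloads(events) -> list:
    """Return the loaded-image paths of all records flagged by the heuristic."""
    return [e["ImageLoaded"] for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL side-load:", path)
```

The heuristic deliberately ignores DLLs under the Windows and Program Files trees, so a legitimately installed application that ships its own DLLs is not flagged; the cost is that an attacker with write access to those trees would evade it, which is why the check belongs next to, not instead of, file-integrity monitoring on the signed host.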

The backdoor then deploys PcShare, an open-source Chinese RAT, which was used to collect information from infected hosts.

FunnyDream is a custom backdoor with advanced persistence and communication capabilities that the APT group used to collect information and exfiltrate data.

"The attackers used the backdoor mainly in the form of DLL files, but we also noticed executable files being used. The files we found implement multiple persistence mechanisms, and their droppers and loaders use many different filenames for the payloads, all suggesting that the backdoor is custom made."

An analysis of the tools' timeline showed that the threat actors first used a series of tools to quickly and quietly survey and exfiltrate data, and later developed their own kill chain using all three malware families.

The researchers were able to map the C2 architecture because the domains or IP addresses of the command and control servers are hardcoded in the binaries. Most of the servers are located in Hong Kong, except for three servers located in China, South Korea and Vietnam.

"It is highly likely that the use of local C&C infrastructure brings a number of benefits to the APT group. For example, it may be easier to administer and monitor, while avoiding having C&C IP addresses flagged as suspicious because they are part of the same regional Internet infrastructure. Choosing command and control infrastructure located around the world could trigger a number of security alerts. During this analysis, some of the forensic artifacts seem to point to a Chinese-speaking APT group, as some of the resources found in various binaries are set to Chinese, and the Chinoxy backdoor used during the campaign is a Trojan known to be used by Chinese-speaking threat actors. Although we continuously monitor APT activity worldwide, not all APT attacks can be attributed to a known APT group, especially since some of the tools used are sometimes shared between different groups," concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, FunnyDream)
