NAIKON – Traces from a Military Cyber-Espionage Operation
This report details a Bitdefender Labs investigation that focused on the abuse of vulnerable legitimate software and eventually led to uncovering a long-running operation by a notorious APT group known as NAIKON.
About Naikon:
NAIKON is a threat actor that has been active for more than a decade. Likely tied to China, the group focuses on high-profile targets such as government agencies and military organizations in the South Asia region.
About sideloading:
DLL hijacking and other sideloading techniques have existed for as long as the Windows operating system. They are so frequent and so easily exploitable that there are tomes of information on how to both carry out and defend against them. But, while simple in theory, defending against sideloading remains challenging given the ever-increasing complexity of the software world. Consequently, sideloading has become an extremely attractive compromise technique for both commercial and state-sponsored threat actors.
The purpose of this report is to provide details about the attackers' tactics, techniques and procedures, as well as information about their tools and infrastructure. The findings reveal their strategy for remaining stealthy: mimicking legitimate applications that are running on each individual infected machine. The collected evidence suggests that the aim of the APT group was espionage and data exfiltration. A recent publication from Kaspersky mentions a malware called FoundCore that appears to be the same as the backdoor we call RainyDay, based on several similarities:
• The sideloading method, which uses the rdmin.src file,
• The shellcode used for payload extraction,
• Payload particularities, such as the starting of four threads that implement the same functionality.