
Naikon APT

Posted: May 8, 2020

The Naikon APT is a group of hackers associated with China's military and espionage operations. They typically infiltrate targets with well-crafted phishing attacks and use a combination of custom tools, including Trojan downloaders and backdoor Trojans, to further their goals and collect information. Workers in at-risk Southeast Asian government branches should have appropriate anti-malware protection for removing these hackers' tools immediately and should watch for possible attacks arriving through e-mail.

The Naikon APT: Not So 'Inactive' after All

After significant publicity from reports on their techniques and tools in 2015, the China-based Naikon APT fell off the radar quickly. Despite this period of silence, which lasted for years, the group remained active and continued its attacks. Changes to its procedures and software let it avoid further identification until 2020, when some of its 'new' methods and programs, such as the Aria-body backdoor Trojan, came to the surface.

Both old and new Naikon APT attacks open with social engineering. The attackers start with public or previously collected documents whose content is highly relevant to the target and rebuild them as weaponized documents with tools such as RoyalRoad, a kit for producing malicious RTF files. Sending fraudulent e-mails with those documents as attachments lets them compromise new PCs, usually through a Trojan downloader. That loader can then drop a more comprehensive surveillance tool, such as the Aria-body backdoor Trojan.

The Naikon APT's goals appear to be non-commercial: the group shows no interest in immediately monetizing the lucrative information it acquires from infected systems. Instead, it monitors sensitive targets over weeks or months, collecting any files, system data or other content it rates as worth exfiltrating. The group also shows close knowledge of which files it wants; one of its more recently used Trojans includes a feature for retrieving files by specific filename.

Finding Trojan Spies Hiding Low

The Naikon APT is, like most entities worthy of classification as an Advanced Persistent Threat, capable of technically sophisticated attacks that leave few or no clues for victims. DLL side-loading, injecting code into the memory of other processes, and using infected PCs as ad hoc C&C servers are some of their more newsworthy tactics. Updates to their Trojan utilities, including major ones that remove and add features, are also routine between incidents.
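
The DLL side-loading tactic named above can be hunted for in image-load telemetry. The following is an added example, not code from the original article or from any Naikon report: it applies a simple heuristic to Sysmon-style 'Image loaded' records, flagging a DLL whose name normally belongs to System32 when it is loaded from another directory, particularly the loading program's own directory, and noting when that DLL is unsigned. The log lines, the list of system DLL names and the field layout are all constructed for the example.

```python
"""Flag DLL side-loading candidates in Sysmon-style 'Image loaded' records.

Heuristic: a DLL whose file name Windows normally serves from System32 or
SysWOW64 is loaded from somewhere else, typically the directory of the
(often legitimate, signed) executable that loaded it. Everything below,
including the DLL list and the log lines, is constructed for this example.
"""
import ntpath

# Constructed and deliberately short; in practice, build this set from a
# clean reference host (e.g. by listing %SystemRoot%\System32\*.dll).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll",
                     "cryptsp.dll", "msvcrt.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Constructed records shaped like Sysmon Event ID 7 fields, one per line.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|Signature=Microsoft Windows",
    "Image=C:\\Users\\Public\\Updater\\OneDrive.exe|ImageLoaded=C:\\Users\\Public\\Updater\\version.dll|Signed=false|Signature=",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\word.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\dbghelp.dll|Signed=false|Signature=",
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\vendorcore.dll|Signed=true|Signature=Vendor Inc",
]


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=')."""
    return dict(part.split("=", 1) for part in line.split("|"))


def normalize_dir(path):
    """Lower-cased, normalized Windows directory with a trailing separator."""
    return ntpath.normpath(path).lower().rstrip("\\") + "\\"


def is_system_dir(path):
    return normalize_dir(path).startswith(SYSTEM_DIRS)


def sideload_indicators(event):
    """Return the reasons this load looks like side-loading (empty = no hit)."""
    dll = event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll)
    name = ntpath.basename(dll).lower()
    reasons = []
    if name in KNOWN_SYSTEM_DLLS and not is_system_dir(dll_dir):
        reasons.append(f"{name} loaded from non-system directory {dll_dir}")
        # The classic pattern: the impostor DLL sits beside the host executable.
        if normalize_dir(dll_dir) == normalize_dir(ntpath.dirname(event["Image"])):
            reasons.append("DLL sits in the loading process's own directory")
        if event.get("Signed", "").lower() != "true":
            reasons.append("DLL is unsigned")
    return reasons


def scan(lines):
    """Return (process, dll, reasons) for every record that trips the heuristic."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = sideload_indicators(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for reason in reasons:
            print("   ", reason)
```

Run stand-alone, the script reports the two constructed loads from user-writable directories and stays silent on the legitimate System32 load and on the vendor's own DLL. In a real deployment the system DLL set must come from a clean host, and redistributed runtimes shipped alongside legitimate software will produce benign hits that need an allowlist; the heuristic narrows the search, it does not replace signature verification of the loaded file.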

E-mail is almost certainly the infection vector of choice for most Naikon APT attacks, although the exact format varies. Some campaigns wrap the attachment in a RAR or ZIP archive to obscure it from mail filters. Scenarios may involve tricking users into clicking on executables or opening a weaponized RTF file. In most cases, the Naikon APT uses a Trojan downloader first and then moves on to its 'main' Trojan tool for collecting system information and progressing from that point.
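
The delivery chain described above (an archive or RTF attachment carrying the first-stage downloader) suggests a triage step at the mail gateway. The following is an added example, not code from the original article: it inspects an attachment in memory, expands ZIP archives to look for executable content or nested RTF files, and flags RTF files that carry embedded OLE objects or a non-standard header. The sample RTF, the stub executable and the ZIP wrapper are constructed here; the embedded-object check is a generic RTF heuristic, not a signature for RoyalRoad output or any specific Naikon document, and RAR archives are only recognised, not expanded, because the standard library cannot open them.

```python
"""Triage e-mail attachments for archive-wrapped executables and RTF files
with embedded objects. All sample data is constructed for this example.
"""
import io
import ntpath
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".com", ".pif", ".js", ".jse",
                   ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"

# RTF control words that introduce embedded OLE objects; \objupdate asks
# the reader to refresh the object as soon as the document opens.
RTF_OBJECT_WORDS = re.compile(rb"\\(objemb|objdata|objupdate|objautlink)\b")
RTF_OBJCLASS = re.compile(rb"\\\*\\objclass\s+([^}\\\s]+)")


def triage_rtf(data):
    """Return findings for an RTF byte string (empty list = nothing notable)."""
    findings = []
    if not data.startswith(b"{\\rtf1"):
        findings.append("RTF header is non-standard (%r)" % data[:6])
    words = {m.group(1).decode() for m in RTF_OBJECT_WORDS.finditer(data)}
    if words:
        findings.append("embedded OLE object control words: " + ", ".join(sorted(words)))
    for m in RTF_OBJCLASS.finditer(data):
        findings.append("embedded object class: " + m.group(1).decode(errors="replace"))
    return findings


def triage_archive(data):
    """Expand a ZIP in memory and report executable or RTF members."""
    if data.startswith(RAR_MAGIC):
        return ["RAR archive: expand with a RAR-capable tool before releasing"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive is not a valid ZIP file"]
    findings = []
    for info in zf.infolist():
        inner = info.filename
        ext = ntpath.splitext(inner)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append(f"archive contains executable content: {inner}")
        if ext == ".rtf":
            findings.extend(f"{inner}: {f}" for f in triage_rtf(zf.read(info)))
    return findings


def triage_attachment(name, data):
    """Dispatch on extension and magic bytes; return a list of findings."""
    ext = ntpath.splitext(name)[1].lower()
    if ext in {".zip", ".rar"} or data.startswith((RAR_MAGIC, ZIP_MAGIC)):
        return triage_archive(data)
    if ext == ".rtf" or data.startswith(b"{\\rt"):
        return triage_rtf(data)
    if ext in EXECUTABLE_EXTS:
        return [f"bare executable attachment ({ext})"]
    return []


# Constructed sample: a decoy document with an embedded object that is
# refreshed on open. The hex payload is filler, not a real object stream.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Package}"
              b"{\\*\\objdata 01050000020000000b000000}}}")


def build_sample_zip():
    """Constructed archive: a double-extension executable plus the RTF above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting_Agenda.pdf.exe", b"MZ" + b"\x00" * 16)  # stub, not a real PE
        zf.writestr("Agenda.rtf", SAMPLE_RTF)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("Agenda.zip", build_sample_zip()):
        print(finding)
```

The header check matters because a file that Word will still open as RTF need not begin with the canonical `{\rtf1`, so a gateway rule keyed only on that string can be bypassed; the object check is conservative and will also flag legitimate documents with embedded spreadsheets, which is acceptable for a queue that routes to a human or a sandbox rather than blocking outright.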

Users in Southeast Asian governments, particularly those working with Internet access, should be cautious about e-mail attachments, whether or not they appear to come from a known contact. Anti-malware products may delete threats related to the Naikon APT, but additional network-level mitigations are also necessary.

Taking one's eye off the metaphorical ball is never a viable strategy in the cyber-security sector. While the average PC user may forget about them, hackers like the Naikon APT will revisit, renew, and revitalize their methods of attack – at least, as long as they're getting paid.
