Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This malware and activity aligns with much of what the Checkpoint researchers brought to light today.
The Naikon APT became well known in May 2015, when our public reporting first mentioned and then fully described the group as a long-running presence in the APAC region. Even after the group shut down much of its successful offensive activity following years of campaigns, Naikon maintained several splinter campaigns. Matching malware artifacts, functionality and targeting demonstrate that the group continued to wage cyber-espionage campaigns in the South China Sea region during 2018.
“Aria-Body” or “AR” is a set of backdoors whose compilation timestamps fall between January 2017 and February 2018. It can be particularly difficult to detect, as much of this code operates only in memory, injected by separate loader components without touching disk. We trace portions of this codebase back to the “xsFunction” EXE and DLL modules used in Naikon operations going back to 2012: the AR modules implement a subset of the xsFunction feature set. In all likelihood, this new backdoor and the related activity are an extension of, or a merge with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administration, and military and intelligence organizations within Southeast Asia. In many cases we have seen that these same systems were previously targeted with PlugX and other malware. So the group has evolved a bit since 2015, and its activity against these same target profiles continued into 2018. We identified at least half a dozen individual variants from 2017 and 2018.
Technical Details
It seems clear that the same codebase has been reused by Naikon since at least 2012, and that the recent AR backdoors were built from it. Their use was tightly clustered in organizations that Naikon had previously and heavily targeted, which again lends confidence to attributing these resources and this activity to the group we have tracked as “Naikon”.
Naikon’s new AR backdoor is a DLL injected into any one of several host processes, providing remote access to the system. AR load attempts have been identified in processes running the following executable images:
- c:\windows\system32\svchost.exe
- c:\windows\syswow64\svchost.exe
- c:\program files\windows nt\accessories\services.exe
- c:\users\dell\appdata\roaming\microsoft\windows\start menu\programs\startup\acrobat.exe
- c:\alphazawgyi\svchost.exe
Note that the last three are not where the legitimate binaries of those names live (services.exe and svchost.exe ship in the system directories, and a Startup-folder acrobat.exe is not an Adobe install path), so the image path on its own is a useful hunting indicator.
Because this AR code is injected into other processes, the YARA rules provided in the Appendix are best run against memory dumps of processes whose main image is one of those listed above. The AR modules have also been seen in other hosts, including “msiexec.exe” processes. Note that both rules gate on uint16(0) == 0x5A4D (an MZ header at offset 0) and filesize < 450000, so as written they expect an on-disk DLL or a dumped module rather than a whole-process memory dump; against the latter, drop those two conditions and rely on the string matches alone.
Below are characteristics of the oldest AR and the newest known AR component in our collection.
Oldest known AR component:

| Field | Value |
| --- | --- |
| MD5 | c766e55c48a4b2e7f83bfb8b6004fc51 |
| SHA256 | 357c8825b3f03414582715681e4e0316859b17e702a6d2c8ea9eb0fd467620a4 |
| CompiledOn | Tue Jan 3 09:23:48 2017 |
| Type | PE32 DLL |
| Internal name | TCPx86.dll |
| Size | 176 KB |
| Exports | AzManager, DebugAzManager |

Newest known AR component:

| Field | Value |
| --- | --- |
| MD5 | 2ce4d68a120d76e703298f27073e1682 |
| SHA256 | 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db |
| CompiledOn | Thu Feb 22 10:04:02 2018 |
| Type | PE32 DLL |
| Internal name | aria-body-dllX86.dll |
| Size | 204 KB |
| Exports | AzManager, DebugAzManager |
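As an added example (not code from the report or from Check Point), the following Python reads the PE header fields behind the Type and CompiledOn entries in the tables above: the optional-header Magic (PE32 vs PE32+), IMAGE_FILE_HEADER.TimeDateStamp, and the IMAGE_FILE_DLL characteristic. The bytes it parses are a constructed stub header carrying the TCPx86.dll timestamp from the table, not the real sample, and it assumes the report rendered TimeDateStamp as UTC. Keep in mind that the timestamp is written by the linker and can be forged or zeroed, so it is supporting evidence, not proof.

```python
"""Read the PE header fields behind 'Type' and 'CompiledOn' (added example)."""
import calendar
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "i386", 0x8664: "amd64"}


def pe_summary(data):
    """Return machine, compile timestamp (UTC), PE32/PE32+ and DLL flag, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    try:
        # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
        # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        machine, _, stamp, _, _, _, characteristics = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        # First field of IMAGE_OPTIONAL_HEADER: Magic (0x10B = PE32, 0x20B = PE32+)
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    except struct.error:
        return None  # truncated header
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        # TimeDateStamp is seconds since 1970-01-01 UTC; set by the linker, so forgeable.
        "compiled_on": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "format": {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, hex(magic)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def pe_type_label(info):
    """Render the summary the way the tables above do, e.g. 'PE32 DLL'."""
    return f"{info['format']} {'DLL' if info['is_dll'] else 'EXE'}"


def build_stub_pe(stamp, machine=0x14C, magic=PE32_MAGIC, characteristics=0x2102):
    """Constructed minimal header (DOS header, PE signature, file header and the
    optional-header Magic). Enough for pe_summary(); not a loadable image."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    file_header = struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + file_header + struct.pack("<H", magic)


# Stub carrying the TCPx86.dll 'CompiledOn' value from the table, read as UTC (assumption).
TCPX86_STAMP = calendar.timegm((2017, 1, 3, 9, 23, 48, 0, 0, 0))
SAMPLE_TCPX86 = build_stub_pe(TCPX86_STAMP)

if __name__ == "__main__":
    info = pe_summary(SAMPLE_TCPX86)
    print(pe_type_label(info), info["machine"], info["compiled_on"].ctime())
```

Against a dumped module rather than an on-disk file, the same parsing applies as long as the dump begins at the image base; a dump of an arbitrary memory region will fail the MZ check and return None, which is the intended behaviour rather than a guess.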
When the DLL is loaded, it registers a window class whose window procedure performs a removable-drive check, a proxied callback (HTTP CONNECT) to its main C2, an external IP/location check against checkip.amazonaws[.]com, and then further communications with the C2. In some earlier modules the flow includes more or less system-information collection before the initial callback.
The most recent version of the backdoor uses a second window procedure to implement a keystroke collector based on raw input devices (the Windows Raw Input API). This keylogging functionality was newly introduced to the malware code in February 2018 and was not present in earlier versions.
Compiled AR modules are approximately 200 to 250 KB and provide a familiar feature set that changes slightly from build to build. Because Checkpoint covers the same technical points in their post, we provide only this simple summary list:
- Persistence handling
- File and directory handling
- Keylogging
- Shell/Process Management
- Network activity and status listing and management
- System information collection and management
- Download management
- Windows management
- Extension management
- Location/IP verification
- Network Communications over HTTP
Similarities to past Naikon components
Naikon components going back to 2012 maintain heavy similarities with the current “Aria-body” modules. Not only is some of the functionality only lightly modified, but the same misspellings in error-logging strings remain in the codebase (for example “Create Directroy”, which the second YARA rule below keys on). Let’s compare an older 2013 Naikon module with a newer 2017 Naikon AR module.
It’s clear that the underlying codebase continues to be deployed:
- e09254fa4398fccd607358b24b918b63, CompiledOn: 2013-09-10 09:00:15
- c766e55c48a4b2e7f83bfb8b6004fc51, CompiledOn: 2017-01-03 09:23:48
Kudos to the Checkpoint researchers for bringing new details of the Naikon story into the public discussion.
For reference, some hashes and YARA rules are provided here. More incident, infrastructure and IOC details have been, and remain, available to our threat intelligence customers (please contact [email protected]).
Indicators of compromise
AR (aria-body) DLLs
c766e55c48a4b2e7f83bfb8b6004fc51
2ce4d68a120d76e703298f27073e1682
Loaders and related Naikon malware
0ed1fa2720cdab23d969e60035f05d92
3516960dd711b668783ada34286507b9
Verdicts – 2018 and Later
Trojan.Win32.Generic.gen
Trojan.Win32.SEPEH.gen
DangerousObject.Multi.Generic
Backdoor.Win64.Agent.h*
Backdoor.Win32.Agent.m*
Trojan-Downloader.Win32.Agent.x*
YARA Rules
rule apt_ZZ_Naikon_ARstrings : Naikon
{
    meta:
        copyright = "Kaspersky"
        description = "Rule to detect Naikon aria samples"
        hash = "2B4D3AD32C23BD492EA945EB8E59B758"
        date = "2020-05-07"
        version = "1.0"
    strings:
        $a1 = "Terminate Process [PID=%d] succeeds!" fullword wide
        $a2 = "TerminateProcess [PID=%d] Failed:%d" fullword wide
        $a3 = "Close tcp connection returns: %d!" fullword wide
        $a4 = "Delete Directory [%s] returns:%d" fullword wide
        $a5 = "Delete Directory [%s] succeeds!" fullword wide
        $a6 = "Create Directory [%s] succeeds!" fullword wide
        $a7 = "SHFileOperation [%s] returns:%d" fullword wide
        $a8 = "SHFileOperation [%s] succeeds!" fullword wide
        $a9 = "Close tcp connection succeeds!" fullword wide
        $a10 = "OpenProcess [PID=%d] Failed:%d" fullword wide
        $a11 = "ShellExecute [%s] returns:%d" fullword wide
        $a12 = "ShellExecute [%s] succeeds!" fullword wide
        $a13 = "FindFirstFile [%s] Error:%d" fullword wide
        $a14 = "Delete File [%s] succeeds!" fullword wide
        $a15 = "CreateFile [%s] Error:%d" fullword wide
        $a16 = "DebugAzManager" fullword ascii
        $a17 = "Create Directroy [%s] Failed:%d" fullword wide
        $m1 = "TCPx86.dll" fullword wide ascii
        $m2 = "aria-body" nocase wide ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 450000 and
        (2 of ($a*) and 1 of ($m*))
}
rule apt_ZZ_Naikon_codebase : Naikon
{
    meta:
        report = "Naikon New AR Backdoor Deployment to Southeast Asia"
        description = "Naikon typo"
        author = "Kaspersky"
        copyright = "Kaspersky"
        version = "1.0"
        date = "2018-06-28"
        last_modified = "2018-06-28"
    strings:
        $a1 = "Create Directroy [%s] Failed:%d" wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 450000 and
        $a1
}
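The string logic of the two rules above, re-implemented in Python as an added example (this is not code from the report or from Check Point), so that the same checks can be applied to raw process-memory dumps where the MZ-at-offset-0 and filesize gates do not hold. The sample buffers are constructed for the demonstration and are not real Naikon binaries; the fullword handling approximates YARA’s (no alphanumeric character directly before or after the match), and “wide” is handled as UTF-16LE as YARA does.

```python
"""Plain-Python mirror of the two Naikon YARA rules above (added example)."""

# $a1..$a15 and $a17 of apt_ZZ_Naikon_ARstrings: all "fullword wide".
A_WIDE = [
    "Terminate Process [PID=%d] succeeds!",
    "TerminateProcess [PID=%d] Failed:%d",
    "Close tcp connection returns: %d!",
    "Delete Directory [%s] returns:%d",
    "Delete Directory [%s] succeeds!",
    "Create Directory [%s] succeeds!",
    "SHFileOperation [%s] returns:%d",
    "SHFileOperation [%s] succeeds!",
    "Close tcp connection succeeds!",
    "OpenProcess [PID=%d] Failed:%d",
    "ShellExecute [%s] returns:%d",
    "ShellExecute [%s] succeeds!",
    "FindFirstFile [%s] Error:%d",
    "Delete File [%s] succeeds!",
    "CreateFile [%s] Error:%d",
    "Create Directroy [%s] Failed:%d",  # $a17: the typo carried since 2013
]
A_ASCII = ["DebugAzManager"]              # $a16: "fullword ascii"
M_FULLWORD = ["TCPx86.dll"]               # $m1: "fullword wide ascii"
M_NOCASE = ["aria-body"]                  # $m2: "nocase wide ascii"
TYPO = "Create Directroy [%s] Failed:%d"  # apt_ZZ_Naikon_codebase $a1: "wide"
MAX_FILESIZE = 450000


def _alnum_unit(unit, wide):
    """True if a 1-byte (ascii) or 2-byte (UTF-16LE) code unit is alphanumeric."""
    if len(unit) != (2 if wide else 1):
        return False
    if wide and unit[1] != 0:
        return False
    return unit[0] < 128 and chr(unit[0]).isalnum()


def find_string(data, s, wide, fullword=True, nocase=False):
    """Does s occur in data in the given encoding, honouring fullword/nocase?"""
    hay = data.lower() if nocase else data  # bytes.lower() only touches ASCII letters
    needle = (s.lower() if nocase else s).encode("utf-16-le" if wide else "ascii")
    step = 2 if wide else 1
    pos = hay.find(needle)
    while pos != -1:
        end = pos + len(needle)
        before, after = data[max(pos - step, 0):pos], data[end:end + step]
        if not fullword or not (_alnum_unit(before, wide) or _alnum_unit(after, wide)):
            return True
        pos = hay.find(needle, pos + 1)
    return False


def pe_gates(data):
    """File-level part of both conditions: MZ at offset 0 and filesize < 450000.
    Holds for an on-disk DLL or a dumped module; normally not for a whole-process dump."""
    return data[:2] == b"MZ" and len(data) < MAX_FILESIZE


def match_arstrings(data, require_pe_gates=True):
    """apt_ZZ_Naikon_ARstrings: 2 of ($a*) and 1 of ($m*), plus the PE gates."""
    if require_pe_gates and not pe_gates(data):
        return False
    a_hits = sum(find_string(data, s, wide=True) for s in A_WIDE)
    a_hits += sum(find_string(data, s, wide=False) for s in A_ASCII)
    m_hits = sum(find_string(data, s, True) or find_string(data, s, False)
                 for s in M_FULLWORD)
    m_hits += sum(find_string(data, s, True, fullword=False, nocase=True)
                  or find_string(data, s, False, fullword=False, nocase=True)
                  for s in M_NOCASE)
    return a_hits >= 2 and m_hits >= 1


def match_codebase_typo(data, require_pe_gates=True):
    """apt_ZZ_Naikon_codebase: the 'Directroy' typo as a wide string, plus the PE gates."""
    if require_pe_gates and not pe_gates(data):
        return False
    return find_string(data, TYPO, wide=True, fullword=False)


def _wide(s):
    return s.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated UTF-16LE


# Constructed test data, not real Naikon binaries: a fake 64-byte MZ header
# followed by strings chosen to satisfy the rule.
SAMPLE_MODULE = (b"MZ" + b"\x00" * 62
                 + _wide("Create Directroy [%s] Failed:%d")
                 + _wide("ShellExecute [%s] succeeds!")
                 + b"aria-body-dllX86.dll\x00"
                 + b"DebugAzManager\x00")
# The same strings as they might sit inside a whole-process dump: no MZ at
# offset 0 and a total size above the 450000-byte filesize gate.
SAMPLE_PROCESS_DUMP = b"\x00" * 500000 + SAMPLE_MODULE[64:]

if __name__ == "__main__":
    for name, buf in [("module dump", SAMPLE_MODULE), ("process dump", SAMPLE_PROCESS_DUMP)]:
        print(name, "strict:", match_arstrings(buf),
              "| gates dropped:", match_arstrings(buf, require_pe_gates=False))
```

Run against the process dump, the strict form returns False purely because of the two file-level gates, while the string conditions still hold; that is the situation the note in the Technical Details section describes, and it is why the gates should be dropped when scanning memory rather than dumped modules.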