I am sure everyone reading this post has had a dream where you wake up laughing. You sit on the edge of your bed and think about what was so funny that made you laugh. Well, a recently identified Chinese hacking group called ‘FunnyDream’ (FD) ain’t so funny. In fact, FD has targeted over 200 government units in Southeast Asia since 2018 as part of an ongoing cyberespionage campaign, according to research from the security firm Bitdefender. The FunnyDream campaign, active since 2018, mainly targets organizations by conducting reconnaissance, gathering data and documents, and then exfiltrating the information. This is not good for any government. Researchers explain that many of the command-and-control servers associated with this campaign are inactive, although some remain operational.
Based on FD’s use of malware previously linked to other Chinese advanced persistent threat (APT) groups and the concentration of the targets around Southeast Asia, this group is likely part of Chinese state-sponsored espionage activities intended to further the country's geopolitical interests. Countries in Southeast Asia have long been a Chinese interest. "Attack artifacts show signs of a Chinese APT group that we believe to be state-sponsored," says a researcher with Bitdefender. "Geopolitical tensions in the region are always present, and information exfiltrated by an APT campaign can yield commercial and military advantages to various adversaries and could compromise government actors should embarrassing political or personal information be revealed."
The recent findings detected malware infrastructure used by this group in Hong Kong, South Korea and Vietnam. Of recent note, Vietnam, a communist country, is not especially happy with China. Researchers at Kaspersky also found traces of malware and other malicious tools associated with FD used in campaigns that target organizations in Malaysia, Taiwan, the Philippines and Vietnam. FD became active in late 2018 and has targeted more than 200 victims in 2 years. In these campaigns the hackers mainly use a combination of three malware families: Chinoxy, PCShare and FunnyDream. These malware strains serve as backdoors for espionage, are used to achieve persistence within devices and networks, and collect documents.
The FD backdoor comes with a number of capabilities to amass personal information, clear traces of malware deployment, thwart detection and execute malicious instructions, the outcomes of which are transmitted back to command-and-control (C2) servers located in Hong Kong, China, South Korea, and Vietnam. “Attributing APT model assaults to a specific group or nation will be extraordinarily tough, largely because forensic artefacts can typically be planted deliberately, C2 infrastructure can reside anyplace on the earth, and the instruments used can be repurposed from different APT teams,” the researchers warned.
Bitdefender says that the hacking group uses distributed command-and-control servers for each of the backdoors to help evade detection. "The distributed [command-and-control] infrastructure primarily controls the three backdoors," the report says. "Having [command-and-control] infrastructure in the same region as the likely attack targets tends to draw less suspicion to the IP traffic than remote communications from outside the region."
Figure 1. Bitdefender
FD also employs other malicious tools, such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on the victims' systems. Once the attackers infect a victim's device, FD proceeds to compromise the domain controllers within the victim's network for lateral movement. The attackers then attempt to gain control over numerous other devices within that network.
The report did not explain how the initial attacks against targeted networks began, such as whether the hackers used social engineering lures in phishing emails as part of the initial compromise or took advantage of vulnerabilities in applications or devices.
Bitdefender cautions that FD ‘could’ be a Chinese state-sponsored entity based on its use of Chinese-language binaries and the Chinoxy backdoor, a remote access Trojan known to have been used by Chinese-speaking threat actors during previous campaigns. Chinoxy, which other security researchers have linked to another Chinese APT group called "Roaming Tiger," has been active since 2014 and has targeted defense organizations, critical infrastructure and universities throughout East Asian countries.
In March 2020, independent security researcher Sebdraven, who has been tracking Chinoxy's activities, reported that the malware was being spread as malicious documents in a COVID-19 themed phishing campaign, a popular lure since the spring of 2020.
Red Sky Alliance has been tracking Chinese APT and lower-tier threat actors for years. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security tooling and proper employee training are keys to success, yet woefully not enough on their own. Our current tools provide a valuable look into the underground and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941