According to researchers, the China-backed APT named Naikon (also known as ‘Override Panda’) has shown up again. The group masterminded a recent phishing campaign that was carried out to steal confidential information assets.
Also known as Hellsing, and Bronze Geneva, Naikon is a known nation-state actor that has been working on behalf of China since 2005. The group was first uncovered by Kaspersky during 2015 in an attack against governmental agencies surrounding the South China Sea.
A report published by Cluster25 has uncovered that the group has specifically targeted the governing bodies of countries belonging to the ASEAN union. The nations attacked are Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand, and Vietnam.
“By observing Naikon APT’s hacking arsenal, it was concluded that this group tends to conduct long-term intelligence and espionage operations, typical for a group that aims to conduct attacks on foreign governments and officials.” said the report regarding the group’s modus operandi. “To avoid detection and maximize the result, it changed different TTPs and tools over time.”
For initial access, the group sends a spear phishing email containing a malicious office document (written in Chinese) to the victim’s address. Once opened, the document unleashes an attack that involves launching a shellcode using the HEXINI loader which subsequently injects the final beacon for the Viper red team tool.
Elaborating the Chinese connection, the report said that “during the analysis it was discovered part of Naikon APT arsenal. Starting from what we observed we can assert that this Chinese group is using open-source tools like Viper and ARL (Asset Reconnaissance Lighthouse). Both tools seem to be developed by a Chinese programmer, as most of their documentation is written in Mandarin.”
