Bitdefender analyses APT attack on Southeast Asian authorities

[German]How does cyber espionage work exactly? Security researchers at Bitdefender have examined a complex chain of attacks by APT hackers and describe the anatomy of such a cyber attack by an APT on Southeast Asian authorities.


Bitdefender's security researchers have analyzed a complex and targeted chain of attacks by organized APT hackers in more detail and were thus able to trace a sequence of cyber espionage in detail. Specifically, the attacks on governmental organizations in Southeast Asia, which have presumably been carried out since 2018, are the subject of this study.

The perpetrators presumably wanted to divert information regarding national security interests and other sensitive data and carry out industrial espionage. In a white paper, Bitdefender specialists present an in-depth analysis of the techniques used and their interplay, as well as a chronological outline of the chain of attack.

200 systems affected in the last two years

First indications of activities can be dated to November 2018. The main phase began at the beginning of 2019, with around 200 systems showing symptoms of attack in the first five months of the year. Apparently, the infrastructure set up for this purpose is currently not active, although a few elements are still in operation.

Infrastruktur für ATP-Angriff
Hong Kong was the center of the infrastructure for the APT attacks. Only one other server was located in Vietnam, China and South Korea.

Long-term infiltration of the infrastructure for espionage purposes

A comprehensive arsenal of droppers and tools such as the Backdoors Chinoxy, PCShare RAT and FunnyDream was used. Certain forensic artifacts point to highly specialized Chinese authors, such as Remote Access Trojans (RAT) or other resources used, whose origin is attributed to the People's Republic. Obviously, the authors are compromising domain controllers in the victims' network.


 Arsenal von Droppern und Tools
 Click to zoom, Installation of the PcMain payload for the remote access Trojan PCShare using the Chinoxy backdoor. Sustained control over systems by modifying a PCShare version available on GitHub.

The APT experts achieved their long-term presence in the networks through digitally signed binary files. These provided a gap to load a backdoor into memory via a sideload. In the next step, they were able to move around the network and gain long-term control over a large number of machines in the company's IT infrastructure. In this way they monitored the activities of the attacked organizations and exfiltrated information. 

The Bitdefender Threat Analysts' analysis is available in a white paper [PDF] for free download here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *