A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years. The group appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.

The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream. Targets are located in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.

The payloads consist of three malware strains: Chinoxy, PCShare, and FunnyDream.

Each of the three malware strains has a precise role. Chinoxy was deployed as the initial malware, acting as a simple backdoor for initial access.

PCShare, a known Chinese open-source remote access trojan, was deployed via Chinoxy and was used for exploring infected hosts.

FunnyDream was deployed with the help of PCShare and was the most potent and feature-rich of the three. It had more advanced persistence and communication capabilities, and was used for data gathering and exfiltration.

[Figure: FunnyDream tool usage timeline]

“Even looking at the tool usage timeline we can see that threat actors started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later decided to bring on a full toolkit, specifically the FunnyDream toolkit, for prolonged surveillance capabilities.” The group also made use of living-off-the-land tools.