A Bitdefender report on the threat actor dubbed “Naikon APT” laid out the ever-changing tactics, techniques, and procedures adopted by the group, including weaving new backdoors named “Nebulae” and “RainyDay” into their data-stealing missions.
Alleged to be tied to China, Naikon has a track record of targeting government entities in the APAC region in search of geopolitical intelligence. Evidence emerged to the contrary last May when the adversary was spotted using a new backdoor called “Aria-Body” to stealthily break into networks and leverage the compromised infrastructure as a command-and-control (C2) server to launch additional attacks against other organizations.
The new wave of attacks identified by Bitdefender employed RainyDay as the primary backdoor, with the actors using it to conduct reconnaissance, deliver additional payloads, perform lateral movement across the network, and exfiltrate sensitive information. The backdoor was executed by means of a technique known as DLL side-loading, which refers to the tried-and-tested method of loading malicious DLLs in an attempt to hijack the execution flow of a legitimate program like Outlook Item Finder.
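One way a defender can hunt for the side-loading pattern described above is to look for a legitimate executable loading an unsigned DLL from its own directory rather than from the Windows system directories. The following is an added example, not code from the article or from the Bitdefender report; the Sysmon-style "image loaded" records, the `OutlookItemFinder.exe` name and all paths are constructed for illustration and are not the real file names from the campaign.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (image loaded) records. The executable name,
# DLL names and paths are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\OutlookItemFinder.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\msvcr100.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\OutlookItemFinder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# DLLs loaded from these directories are treated as normal OS libraries.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


def is_sideload_candidate(event: dict) -> bool:
    """Flag a DLL that (a) is unsigned or has an invalid signature and
    (b) sits in the same directory as the executable that loaded it,
    outside the Windows system directories.  That is the shape of a
    side-loaded DLL hijacking a legitimate program's execution flow."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    if any(dll_dir.startswith(sysdir) for sysdir in SYSTEM_DIRS):
        return False
    same_dir = dll_dir == str(exe.parent).lower()
    untrusted = (event.get("Signed", "false").lower() != "true"
                 or event.get("SignatureStatus", "") != "Valid")
    return same_dir and untrusted


def find_sideload_candidates(events):
    """Return the subset of image-load records worth an analyst's look."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {hit['Image']} loaded {hit['ImageLoaded']}")
```

A signed DLL loaded from the application's own directory (the `mso.dll` record) is deliberately not flagged, since legitimate software ships its own signed libraries; tightening the rule to a signer allow-list is the usual next step.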
As an extra precaution, the malware also installed a second implant called Nebulae to amass system information, carry out file operations, and download and upload arbitrary files from and to the C2 server. “The second backdoor […] is supposedly used as a measure of precaution to not lose the persistence in case any signs of infections get detected,” the researchers said.
Other tools deployed by the RainyDay backdoor include a tool that picks up recently changed files with specific extensions and uploads them to Dropbox, a credential harvester, and various networking utilities such as NetBIOS scanners and proxies.