
Naikon APT Group is now using Nebulae Backdoor


dEEpEst

🎭 Naikon APT Group is now using Nebulae Backdoor 🎭

_________________________________

Hey Learners, we are back with another awesome thing, and sorry about discontinuing the consistency of articles.

Naikon, a cyberespionage group from China, has been actively employing a new backdoor for multiple cyberespionage operations targeting military organizations in Southeast Asia. The backdoor, identified as Nebulae, is used for gaining persistence on infected systems.

What has been discovered?

Malicious activity was conducted by Naikon APT between June 2019 and March 2021.

▪️At the beginning of its operation in 2019, the APT had used the Aria-Body loader and Nebulae as the first stage of the attack.

▪️Starting September 2020, the APT group included the RainyDay backdoor in its toolkit, while the attribution to Naikon is based on C2 servers and artifacts utilized in its attacks.

▪️The APT group now delivers RainyDay (aka FoundCore) as a first-stage payload to propagate second-stage malware and tools, including the Nebulae backdoor.

What is Nebulae?

☆It has the ability to collect LogicalDrive info, manipulate files and folders, download and upload files from and to the C2 server, and terminate/list/execute processes on infected devices.

☆In addition, the malware adds a registry key that automatically runs the malicious code on system reboots after login. It is used as a backup access point for the victim in case of an adverse scenario for actors.

Conclusion:
Naikon APT group has been running the operation silently for two years and has launched multiple cyberespionage operations. Moreover, the group has been active since 2010 and still poses a severe threat to several military organizations in Southeast Asia. Thus, security agencies and professionals need to keep a strict eye on this threat.

 