Researchers have uncovered a new China-linked cyber espionage group, tracked as FunnyDream that has already infected more than 200 systems across Southeast Asia over the past two years.
Targeting Malaysia, Taiwan Philippines and Vietnam, the group has most exploited the Vietnamese government. The group focuses on foreign government organizations of countries in Southeast Asia. The group ensures to stay present in the victim’s network for as long as possible, to spy on victims’ activities and to exfiltrate sensitive documents, with a special interest in national security and industrial espionage.
The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PCShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chineseactor.
The attack begins with the execution of the Chinoxy backdoor to gain persistence in the victim’s system after initial access.
The Chinoxy dropper uses a digitally signed binary (Logitech Blutooth Wizard Host Process) to evade detection and exploit a Side Loading attack to load the backdoor dll into the memory.
Then the backdoor deploys the open source Chinese RAT called PcShare, it was used for gathering intelligence from the infected hosts.
FunnyDream is a custom-made backdoor that supports advanced persistence and communication capabilities, it was used by the APT group to gathering intelligence and data exfiltration.