A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions

Bitdefender researchers have recently investigated a complex and targeted espionage attack on potential government sector victims in South East Asia, carried out by a sophisticated Chinese APT group. The operation dates back to late 2018, with current forensic evidence following the attack timeline up to 2020. This research focuses on dissecting an APT attack and

Bitdefender researchers have recently investigated a complex and targeted espionage attack on potential government sector victims in South East Asia, carried out by a sophisticated Chinese APT group. The operation dates back to late 2018, with current forensic evidence following the attack timeline up to 2020.

This research focuses on dissecting an APT attack and providing a full report on the tools, tactics and techniques used by the sophisticated group during the attack.

While the incident has been mentioned by other security researchers, Bitdefender’s investigation focuses on offering a detailed timeline of the attack by piecing all the forensic evidence together and creating a case study example. The report also provides a technical analysis of the tools used in this targeted attack and how the components were tied to each other

The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PCShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor. Some of these open source Remote Access Trojans (RATs) are known to be of Chinese origin, along with some other resources set to Chinese. The FunnyDream backdoor is far more complex than the others, implementing a wide range of persistence mechanism and a large number of droppers, suggesting it’s custom-made.

Key Findings:

  • Potential Chinese APT group targeting a South East Asian government
  • Persistence through digitally signed binaries vulnerable to side-loading a backdoor into memory
  • Extensive custom toolset for data exploration and exfiltration
  • Three backdoors used (Chinoxy, PcShare, FunnyDream)
  • Potentially compromised domain controllers, gaining control over the victim’s network
  • First detailed timeline of this attack and the tools, tactics and techniques used
  • Around 200 machines showed signs of having various tools associated with the APT group

Download the whitepaper