Chinese APT FunnyDream Runs Riot in Southeast Asia

Chinese APT FunnyDream Runs Riot in Southeast Asia

Security researchers have uncovered another Chinese APT group, this time targeting southeast Asian governments, which has compromised over 200 machines in the past two years.

Bitdefender dubbed the group “FunnyDream” after one of the backdoors used in the attacks. It appears to have been active since at least 2018.

Focused on exfiltrating sensitive information, it uses spyware tools such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on victim machines.

Although the initial threat vector isn’t known, Bitdefender claimed it is likely to be a phishing email. Three backdoors are then used for command and control (C&C): Chinoxy to gain persistence after initial access, open source RAT PcShare for complex espionage and the custom made FunnyDream toolkit.

Controlling the three backdoors is C&C infrastructure located mainly in Hong Kong, but also elsewhere in China and Vietnam.

Although 200 systems have shown signs of infection so far, Bitdefender warned that in some victim networks the domain controllers may have been compromised, allowing attackers to move laterally and gain control over a large number of machines.

“Attributing APT style attacks to a particular group or country can be extremely difficult — as false-flag forensic artifacts can be manufactured, C&C infrastructure can reside anywhere in the world and the tools used can be repurposed from other APT groups,” the vendor said.

“However, evidence suggests a Chinese-speaking APT group using Chinese language binaries, and the Chinoxy backdoor used during the campaign is a Trojan known to have been used by Chinese-speaking threat actors.”

The specific target governments were not named in the report, although China has tense relations with many countries that border the South China Sea due to territorial claims and other geopolitical disputes.

Leave a Reply

Your email address will not be published. Required fields are marked *