# The Naikon APTThe Naikon APT
### Tracking Down Geo-Political Intelligence Across APAC, One Nation at a Time

###### By Kurt Baumgartner, Maxim Golovkin on May 14, 2015. 3:00 am


[PUBLICATIONS](https://securelist.com/all?category=159)


[APT](https://securelist.com/all?tag=538) [CYBER ESPIONAGE](https://securelist.com/all?tag=185) [SOCIAL ENGINEERING](https://securelist.com/all?tag=29) [TARGETED ATTACKS](https://securelist.com/all?tag=53)


[VULNERABILITIES AND EXPLOITS](https://securelist.com/all?tag=41)


Our recent report, “The Chronicles of the Hellsing APT: the

Empire Strikes Back” began with an introduction to the Naikon

APT, describing it as “One of the most active APTs in Asia,

especially around the South China Sea”. Naikon was mentioned

because of its role in what turned out to be a unique and

surprising story about payback. It was a Naikon attack on a

Hellsing-related organization that first introduced us to the

Hellsing APT. Considering the volume of Naikon activity observed

and its relentless, repeated attack attempts, such a confrontation

was worth looking into, so we did.

##### The #NaikonAPT group was spear
[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+%23NaikonAPT+group+was+spear-phished+by+an+actor+we+now+call+%22Hellsing%22) phished by an actor

##### we now call "Hellsing"

The Naikon APT aligns with the actor our colleagues at FireEye

[recently revealed to be APT30, but we haven’t discovered any](https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf)

exact matches. It is hardly surprising that there is an element of

overlap, considering both actors have for years mined victims in

the South China Sea area, apparently in search of geo-political

intelligence.


[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+%23NaikonAPT+group+was+spear-phished+by+an+actor+we+now+call+%22Hellsing%22)


[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+%23NaikonAPT+group+was+spear-phished+by+an+actor+we+now+call+%22Hellsing%22)


##### The #NaikonAPT


-----

##### mined victims, apparently in search of geo-political intelligence


This Naikon report will be complemented by a follow-on report

that will examine the Naikon TTP and the incredible volume of

attack activity around the South China Sea that has been going

on since at least 2010.

Noteworthy operational and logistical characteristics of this APT

include:

At least five years of high volume, high profile, geo-political

attack activity

Geographical focus – per-country, individual operator

assignment and proxy presence

Dynamic, well organized infrastructure

Reliance on an externally developed, consistent set of tools

comprising a full-featured backdoor, a builder, and an exploit

builder

High success rate in infiltrating national organisations in

ASEAN countries

## Highly Focused and EffectiveHighly Focused and Effective Around the South China SeaAround the South China Sea

In the spring of 2014, we noticed an increase in the volume of

attack activity by the Naikon APT. The attackers appeared to be

Chinese-speaking and targeted mainly top-level government

agencies and civil and military organizations in countries such as

the Philippines, Malaysia, Cambodia, Indonesia, Vietnam,

Myanmar, Singapore, Nepal, Thailand, Laos and China.


-----

## DecoyDecoy

An attack typically starts with an email carrying an attachment that

contains information of interest to the potential victim. The

document may be based on information from open sources or on

proprietary information stolen from other compromised systems.

This bait “document”, or email attachment, appears to be a

standard Word document, but is in fact an CVE-2012-0158

exploit, an executable with a double extension, or an executable

with an RTLO filename, so it can execute code without the user’s

knowledge or consent. When the executable is launched,

spyware is installed on the victim computer at the same time as a

decoy document is displayed to the user; fooling them into

thinking they have simply opened a document.

## ConfigurationConfiguration


-----

, y, g j

into the browser along with configuration data. With the help of a

start-up module, this whole file is injected into the browser

memory and decrypts the configuration block containing the

following:

C&C server

Ports and path to the server

User-agent string

Filenames and paths to its components

Hash sums of the user API functions

The same code then downloads its main body from the C&C

server using the SSL protocol, loads it independently from the

operating system functions and, without saving it to the hard

drive, hands over control to the XS02 function. All functionality is

handled in memory.


-----

The main module is a remote administration utility. Using SSL, the

module establishes a reverse connection to the C&C server as

follows: it sets up an outgoing connection to the C&C server and

checks if there is a command that it should execute. If there is, it

executes the command and returns the result to the C&C. There

are 48 commands in the module’s repertoire, which a remote

operator can use to effectively control the victim computer. This

includes taking a complete inventory, downloading and uploading

data, installing add-on modules, or working with the command

line.

##### The main module supports 48

[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+main+module+supports+48+commands%2C+which+the+attackers+can+use+to+control+the+victim+machine+%23NaikonAPT) commands, which the

##### attackers can use to control the victim machine #NaikonAPT

Here is the complete list of commands:

0 CMD_MAIN_INFO

1 CMD_PROCESS_REFRESH

2 CMD_PROCESS_NAME

3 CMD_PROCESS_KILL

4 CMD_PROCESS_MODULE

5 CMD_DRIVE_REFRESH

6 CMD_DIRECTORY

7 CMD_DIRECTORY_CREATE

8 CMD_DIRECTORY_CREATE_HIDDEN

9 CMD_DIRECTORY_DELETE

10 CMD_DIRECTORY_RENAME

11 CMD_DIRECOTRY_DOWNLOAD


[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+main+module+supports+48+commands%2C+which+the+attackers+can+use+to+control+the+victim+machine+%23NaikonAPT)


-----

13 CMD_FILE_DELETE

14 CMD_FILE_RENAME

15 CMD_FILE_EXECUTE_NORMAL

16 CMD_FILE_EXECUTE_HIDDEN

17 CMD_FILE_EXECUTE_NORMAL_CMD

18 CMD_FILE_EXECUTE_HIDDEN_CMD

19 CMD_FILE_UPLOAD

20 CMD_FILE_DOWNLOAD

21 CMD_WINDOWS_INFO

22 CMD_WINDOWS_MESSAGE

23 CMD_SHELL_OPEN

24 CMD_SHELL_CLOSE

25 CMD_SHELL_WRITE

26 CMD_SERVICE_REFRESH

27 CMD_SERVICE_CONTROL

28 CMD_PROGRAM_INFO

29 CMD_UNINSTALL_PROGRAM

30 CMD_REGESTRY_INFO

31 CMD_ADD_AUTO_START

32 CMD_MY_PLUGIN

33 CMD_3RD_PLUGIN

34 CMD_REG_CREATEKEY

35 CMD_REG_DELETEKEY

36 CMD_REG_SETVALUE

37 CMD_REG_DELETEVALUE

38 CMD_SELF_KILL

39 CMD_SELF_RESTART

40 CMD_SELF_CONFIG

41 CMD_SELF_UPDATE

42 CMD_SERVER_INFO

43 CMD_INSTALL_SERVICE

44 CMD_FILE_DOWNLOAD2

45 CMD RESET


-----

50 CMD_HEART_BEAT

Several modifications of the main module exist. There are no

fundamental differences between modifications; it’s just that extra

features get added to the latest versions, such as compression

and encryption of transmitted data, or the piecemeal download of

large files.

Aug 23


d085ba82824c1e61e93e113a705b8e9a 118272

b4a8dc9eb26e727eafb6c8477963829c 140800

172fd9cce78de38d8cbcad605e3d6675 118784

d74a7e7a4de0da503472f1f051b68745 190464

93e84075bef7a11832d9c5aa70135dc6 154624

## CC-Proxy-OpCC-Proxy-Op


18:46:57

2012

May 20

11:56:38

2013

Jun 13

12:14:40

2013

Aug 19

05:30:12

2013

Jan 07

04:39:43

2014


C&C server operations are characterized by the following:

Low maintenance requirements

Organized geo-specific task assignments

Different approaches to communication

The C&C servers must have required only a few operators to

manage the entire network. Each operator appears to have

focused on their own particular set of targets, because a

correlation exists between C&C and the location of

targets/victims.


-----

##### specific correlation between the location of #NaikonAPT C&Cs and that of targets/victims


[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=There+is+a+geo-specific+correlation+between+the+location+of+%23NaikonAPT+C%26amp%3BCs+and+that+of+targets%2Fvictims)


Communication with victim systems changed depending on the

target involved. In some cases, a direct connection was

established between the victim computer and the C&C. In other

cases, the connection was established via dedicated proxy

servers installed on dedicated servers rented in third countries. In

all likelihood, this additional setup was a reaction to the network

administrators in some targets limiting or monitoring outbound

network connections from their organizations.

Here is a partial list of C&C servers and victim locations,

demonstrating the geo-specific correlation:

ID Jakarta linda.googlenow.in

ID Jakarta admin0805.gnway.net

ID Jakarta free.googlenow.in

ID frankhere.oicp.net

ID Bandung frankhere.oicp.net

ID Bandung telcom.dhtu.info

ID Jakarta laotel08.vicp.net

JP Tokyo greensky27.vicp.net

KH googlemm.vicp.net

KH Phnom Penh googlemm.vicp.net

MM peacesyou.imwork.net

MM sayakyaw.xicp.net

MM ubaoyouxiang.gicp.net

MM Yangon htkg009.gicp.net

MM kyawthumyin.xicp.net


-----

MM test-user123.vicp.cc

MY us.googlereader.pw

MY net.googlereader.pw

MY lovethai.vicp.net

MY yahoo.goodns.in

MY Putrajaya xl.findmy.pw

MY Putrajaya xl.kevins.pw

PH Caloocan oraydns.googlesec.pw

PH Caloocan gov.yahoomail.pw

PH pp.googledata.pw

PH xl.findmy.pw

PH mlfjcjssl.gicp.net

PH o.wm.ggpw.pw

PH oooppp.findmy.pw

PH cipta.kevins.pw

PH phi.yahoomail.pw

SG Singapore xl.findmy.pw

SG Singapore dd.googleoffice.in

VN Hanoi moziliafirefox.wicp.net

VN Hanoi bkav.imshop.in

VN Hanoi baomoi.coyo.eu

VN Dong Ket macstore.vicp.cc

VN Hanoi downloadwindows.imwork.net

VN Hanoi vietkey.xicp.net

VN Hanoi baomoi.vicp.cc

VN Hanoi downloadwindow.imwork.net

VN Binh Duong www.ttxvn.net

VN Binh Duong vietlex.gnway.net

VN Hanoi www.ttxvn.net

VN Hanoi us.googlereader.pw

VN Hanoi yahoo.goodns.in

VN Hanoi lovethai.vicp.net

VN Hanoi vietlex gnway net


-----

## XSControl – the Naikon APT sXSControl – the Naikon APT s “victim management software”“victim management software”

In the Naikon scheme, a C&C server can be specialized

XSControl software running on the host machine. It can be used

to manage an entire network of infected clients. In some cases, a

proxy is used to tunnel victim traffic to the XSControl server. A

Naikon proxy server is a dedicated server that accepts incoming

connections from victim computers and redirects them to the

operator’s C&C. An individual Naikon proxy server can be set up

in any target country with traffic tunnelling from victim systems to

the related C&C servers.

XSControl is written in .NET with the use of DevExpress:


-----

Its main capabilities are:

Accept initial connections from clients

Provide clients with the main remote administration module

Enable them to remotely administer infected computers with

the help of a GUI

Keep logs of client activity

Keep logs of operator activity

Upload logs and files to an FTP server

The operator’s activity logs contain the following:

An XML database of downloaded files, specifying the time of

operation, the remote path and the local path

A database of file names, the victim computer registry keys for

the folders and requested sections

A history of executed commands

## Country X, Operator XCountry X, Operator X


-----

y

Analysis revealed that the cyber-espionage campaign against

country X had been going on for many years. Computers infected

with the remote control modules provided attackers with access to

employees’ corporate email and internal resources, and access to

personal and corporate email content hosted on external services.

Below is a partial list of organizations affected by Naikon’s

“operator X’s” espionage campaign in country X.

Office of the President

Military Forces

Office of the Cabinet Secretary

National Security Council

Office of the Solicitor General

Intelligence Services

Civil Aviation Authority

Department of Justice

Federal Police

Executive/Presidential Administration and Management Staff

A few of these organizations were key targets and under

continuous, real-time monitoring. It was during operator X’s

network monitoring that the attackers placed Naikon proxies

within the countries’ borders, to cloak and support real-time

outbound connections and data exfiltration from high-profile victim

organizations.

In order to obtain employees’ credentials, operator X sometimes

used keyloggers. If necessary, operator X delivered them via the

remote control client. In addition to stealing keystrokes, this

attacker also intercepted network traffic. Lateral movements

included copying over and remotely setting up winpcap across

desktop systems within sensitive office networks, then remotely

setting up AT jobs to run these network sniffers. Some APTs like

Naikon distribute tools such as these across multiple systems in

order to regain control if it is lost accidentally and to maintain

persistence.


-----

##### group took advantage of cultural idiosyncrasies in its target countries


[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+%23NaikonAPT+group+took+advantage+of+cultural+idiosyncrasies+in+its+target+countries)


Operator X also took advantage of cultural idiosyncrasies in its

target countries, for example, the regular and widely accepted use

of personal Gmail accounts for work. So it was not difficult for the

Naikon APT to register similar-looking email addresses and to

spear-phish targets with attachments, links to sites serving

malware, and links to google drive.

## The empire strikes backThe empire strikes back

Every once in a while the Naikon group clashes with other APT

groups that are also active in the region. In particular, we noticed

that the Naikon group was spear-phished by an actor we now call

“Hellsing”. More details about the cloak and dagger games

between Naikon and Hellsing can be found in our blogpost: “The

Chronicles of the Hellsing APT: The Empire Strikes Back“.

#### Related ArticlesRelated Articles


###### HOW EXPLOITHOW EXPLOIT


###### MICROSOFTMICROSOFT


###### IT THREATIT THREAT


###### SECURITYSECURITY UPDATES MAYUPDATES MAY 20152015


###### HOW EXPLOITHOW EXPLOIT


###### IT THREATIT THREAT


[Tweet](https://twitter.com/share?url=https%3A%2F%2Fsecurelist.com%2Fanalysis%2Fpublications%2F69953%2Fthe-naikon-apt%2F&text=The+%23NaikonAPT+group+took+advantage+of+cultural+idiosyncrasies+in+its+target+countries)


###### EVOLUTION INEVOLUTION IN Q1 2015Q1 2015


###### MICROSOFTMICROSOFT


###### PACKS AREPACKS ARE CONCEALED INCONCEALED IN A FLASH OBJECTA FLASH OBJECT


###### A FLASH OBJECTA FLASH OBJECT


###### CONCEALED INCONCEALED IN


###### EVOLUTION INEVOLUTION IN


###### UPDATES MAYUPDATES MAY


###### PACKS AREPACKS ARE


###### SECURITYSECURITY


###### Q1 2015Q1 2015


###### 20152015


-----