Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

ID: G0019
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.0
Created: 31 May 2017
Last Modified: 19 August 2021

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Naikon has used WMIC.exe for lateral movement.[4]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.[4]

.005 Masquerading: Match Legitimate Name or Location

Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[4]

Enterprise T1137 .006 Office Application Startup: Add-ins

Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[5]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.[5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Naikon has modified a victim's Windows Run registry key to establish persistence.[4]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Naikon has used administrator credentials for lateral movement in compromised networks.[4]

Enterprise T1204 .002 User Execution: Malicious File

Naikon has convinced victims to open malicious attachments to execute malware.[5]

Enterprise T1016 System Network Configuration Discovery

Naikon uses commands such as netsh interface show to discover network interface settings.[2]

Enterprise T1046 Network Service Discovery

Naikon has used the LadonGo scanner to scan target networks.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[2]

Enterprise T1018 Remote System Discovery

Naikon has used a NetBIOS scanner for remote machine identification.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Naikon has used malicious e-mail attachments to deliver malware.[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Naikon has used schtasks.exe for lateral movement in compromised networks.[4]

Software

ID Name References Techniques
S0456 Aria-body [5][4] Data from Removable Media, Proxy, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, File and Directory Discovery, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol
S0095 ftp [2] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0061 HDoor [2] Impair Defenses: Disable or Modify Tools, Network Service Discovery
S0630 Nebulae [4] Data from Local System, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Native API, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer, Process Discovery, Non-Application Layer Protocol
S0039 Net [2][4] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0108 netsh [2] Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery
S0097 Ping [2][4] Remote System Discovery
S0029 PsExec [2] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0629 RainyDay [4] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Proxy, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Screen Capture, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Service Discovery, Ingress Tool Transfer, Process Discovery, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task
S0055 RARSTONE [2][1] File and Directory Discovery, Ingress Tool Transfer, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol
S0058 SslMM [2][1] Masquerading: Match Legitimate Name or Location, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Impair Defenses: Disable or Modify Tools, System Information Discovery, System Owner/User Discovery, Access Token Manipulation, Input Capture: Keylogging
S0060 Sys10 [2] Encrypted Channel: Symmetric Cryptography, Application Layer Protocol: Web Protocols, Permission Groups Discovery: Local Groups, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery
S0096 Systeminfo [2] System Information Discovery
S0057 Tasklist [2] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery
S0059 WinMM [2][1] Fallback Channels, Application Layer Protocol: Web Protocols, File and Directory Discovery, System Information Discovery, System Owner/User Discovery, Process Discovery

References