Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

ID: G0019
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.0
Created: 31 May 2017
Last Modified: 19 August 2021

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Naikon has modified a victim's Windows Run registry to establish persistence.[4]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.[5]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.[4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[4]

Enterprise T1046 Network Service Scanning

Naikon has used the LadonGo scanner to scan target networks.[4]

Enterprise T1137 .006 Office Application Startup: Add-ins

Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[5]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Naikon has used malicious e-mail attachments to deliver malware.[5]

Enterprise T1018 Remote System Discovery

Naikon has used a NetBIOS scanner for remote machine identification.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Naikon has used schtasks.exe for lateral movement in compromised networks.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[2]

Enterprise T1016 System Network Configuration Discovery

Naikon uses commands such as netsh interface show to discover network interface settings.[2]

Enterprise T1204 .002 User Execution: Malicious File

Naikon has convinced victims to open malicious attachments to execute malware.[5]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Naikon has used administrator credentials for lateral movement in compromised networks.[4]

Enterprise T1047 Windows Management Instrumentation

Naikon has used WMIC.exe for lateral movement.[4]
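As an added detection example (not part of the ATT&CK entry or of any vendor tooling), the following Python matches several of the command-line, file and service behaviours listed above against constructed process, file-write and service events; the event field names (cmdline, target, service) and every sample event are assumptions made for this illustration.

```python
"""Match host telemetry against the Naikon behaviours listed on this page.
Added example: the event schema (cmdline / target / service fields) and all
sample events below are constructed for illustration, not real telemetry."""
import re

# (ATT&CK technique id from the page, label, event field inspected, pattern)
RULES = [
    ("T1518.001", "firewall settings discovery via netsh", "cmdline",
     re.compile(r"\bnetsh\b.*\badvfirewall\s+firewall\b", re.I)),
    ("T1016", "interface discovery via netsh", "cmdline",
     re.compile(r"\bnetsh\b.*\binterface\s+show\b", re.I)),
    ("T1053.005", "scheduled task created on a remote host", "cmdline",
     re.compile(r"\bschtasks(\.exe)?\b(?=.*\s/create\b)(?=.*\s/s\s+\S+)", re.I)),
    ("T1047", "WMIC targeting a remote node", "cmdline",
     re.compile(r"\bwmic(\.exe)?\b.*\s/node:\S+", re.I)),
    ("T1137.006", "Word add-in (.wll) written to the Word Startup folder", "target",
     re.compile(r"\\Microsoft\\Word\\STARTUP\\[^\\]+\.wll$", re.I)),
    ("T1036.004", "service named to resemble Task Manager", "service",
     re.compile(r"^taskmgr$", re.I)),
]

def detect(events):
    """Return one (technique_id, label, event) tuple per rule hit, in event order."""
    hits = []
    for ev in events:
        for tid, label, field, pat in RULES:
            value = ev.get(field, "")
            if value and pat.search(value):
                hits.append((tid, label, ev))
    return hits

SAMPLE_EVENTS = [  # constructed events; one benign netsh call that should not fire
    {"host": "ws01", "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"host": "ws01", "cmdline": "netsh interface show interface"},
    {"host": "ws01", "cmdline": "schtasks.exe /create /s fs02 /tn upd /tr c:\\temp\\a.exe /sc once /st 00:00"},
    {"host": "ws01", "cmdline": "wmic /node:fs02 process call create cmd.exe"},
    {"host": "ws01", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    {"host": "ws01", "service": "taskmgr"},
    {"host": "ws01", "cmdline": "netsh wlan show profiles"},
]

if __name__ == "__main__":
    for tid, label, ev in detect(SAMPLE_EVENTS):
        print(f"{tid:<10} {label} <- {ev}")
```

Each rule carries the technique id it maps to, so hits can be tagged for ATT&CK-based triage; the last sample event is there to show that an unrelated netsh invocation produces no hit.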

Software

ID Name References Techniques
S0456 Aria-body [5][4] Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
S0095 FTP [2] Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
S0061 HDoor [2] Impair Defenses: Disable or Modify Tools, Network Service Scanning
S0630 Nebulae [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Native API, Non-Application Layer Protocol, Process Discovery, System Information Discovery
S0039 Net [2][4] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [2] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0097 Ping [2][4] Remote System Discovery
S0029 PsExec [2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0629 RainyDay [4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Fallback Channels, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Proxy, Scheduled Task/Job: Scheduled Task, Screen Capture, System Service Discovery
S0055 RARSTONE [2][1] File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Injection: Dynamic-link Library Injection
S0058 SslMM [2][1] Access Token Manipulation, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Impair Defenses: Disable or Modify Tools, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, System Information Discovery, System Owner/User Discovery
S0060 Sys10 [2] Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Permission Groups Discovery: Local Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0096 Systeminfo [2] System Information Discovery
S0057 Tasklist [2] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0059 WinMM [2][1] Application Layer Protocol: Web Protocols, Fallback Channels, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery

References