Researchers have revealed that attacks on government sectors in South East Asia, which have reportedly infected more than 200 systems, were carried out over the past two years by a Chinese APT group called FunnyDream.
These attacks were part of a cyber campaign run by the threat actor group FunnyDream. Another security firm has reported that FunnyDream's targets are in countries such as Malaysia, Taiwan and the Philippines, with most of them in Vietnam.
The FunnyDream group is reportedly still active, and according to the security firm's investigation it is primarily interested in cyber-espionage aimed at illegally obtaining sensitive documents concerning national security and cyber-espionage.
The researchers' investigation has shown that not only were 200 machines targeted, but evidence indicates that the threat actors compromised domain controllers on their victims' networks, which allowed them to move laterally and eventually gain full control of the targeted systems.
There is no evidence as to how the initial infection happened, although the researchers suspect that social engineering attacks were used to trick victims into launching malicious files.
Multiple tools deployed by FunnyDream were discovered on the infected systems, among them the Chinoxy backdoor and a Chinese Remote Access Trojan (RAT) called PcShare.
Several command-line utilities were also discovered, installed to collect sensitive files, log keystrokes and exfiltrate the gathered information to an infected server.
The use of the FunnyDream backdoor since May 2019 has also been discovered. It is equipped with multiple functions: collecting data, removing traces of the malware's deployment, evading detection, and executing malicious commands whose results are sent to Command and Control (C&C) servers in Hong Kong, China, South Korea and Vietnam.
According to the researchers' analysis, some forensic artifacts also point to a Chinese-speaking APT group: the resources found in the discovered binaries were written in the Chinese language, and the Chinoxy backdoor was previously known to have been used by Chinese-speaking cyber criminals.