Security researchers from Bitdefender have uncovered an increasingly popular backdoor being utilised by the Naikon APT (Advanced Persistent Threat) group. This backdoor has been dubbed ‘Nebulae’ and is a post-exploitation persistence measure employed by the threat actors. The presence of Nebulae has also been noted to coincide with another backdoor used by the threat actors, known as ‘RainyDay’.
Campaigns targeting high profile organisations, including government departments and military organisations, have been attributed to the Naikon APT group.
The Nebulae backdoor provides a range of functionality to the threat actors, including the ability to:
– Retrieve logical drive information from affected hosts, such as the drive type or free space available.
– Read, write or delete files and directories on the affected host.
– Download and upload files to and from the command and control (C2) servers.
– List, execute or terminate processes on affected hosts.
No vulnerability is associated with this threat, because the Nebulae backdoor is a second-stage, post-exploitation payload. However, the threat actors target and/or utilise the software listed below.
The following are known targets leveraged by the threat actors:
ARO 2012 Tutorial 220.127.116.11
VirusScan On-Demand Scan Task Properties (McAfee, Inc.)
Sandboxie COM Services (BITS) 3.55.06 (SANDBOXIE L.T.D)
Outlook Item Finder 11.0.5510 (Microsoft Corporation)
Mobile Popup Application 16.00 (Quick Heal Technologies (P) Ltd.)
Containment, Mitigations & Remediations
Apply all available updates to affected software versions as they become available.
Network monitoring should be employed to detect traffic to known C2 servers.
Regular host-based anti-malware scanning with the latest signature updates should be undertaken, and alerts should be monitored for files matching the hash values of known IOCs.
If any of the IOCs are detected on a host, compromise should be assumed and incident response initiated. The Nebulae backdoor is a second-stage payload deployed by the threat actors post-exploitation for the purposes of persistence.
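One way to run the hash check described in the mitigations above, as an added example (not code from this advisory or from Bitdefender). It assumes indicators are supplied as `<sha256> <label>` lines; the watch-list of file names, the sample files and their hashes are all constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

IOC_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S.*)$")  # "<sha256> <label>" (assumed layout)

def parse_iocs(text):
    """Map lowercase SHA-256 -> label; lines that are not indicators are skipped."""
    matches = (IOC_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs, watch_names=()):
    """Return (hash_hits, name_only, unreadable) for every file under root."""
    watch = {n.lower() for n in watch_names}
    hash_hits, name_only, unreadable = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                unreadable.append(path)  # locked or denied: report, do not treat as clean
                continue
            if digest in iocs:
                hash_hits.append((path, iocs[digest]))  # confirmed IOC: start incident response
            elif name.lower() in watch:
                name_only.append(path)  # known name, unknown hash: needs analyst review
    return hash_hits, name_only, unreadable

def demo():  # constructed data only: harmless files and a hash list built from them
    with tempfile.TemporaryDirectory() as root:
        files = {"sample_a.dll": b"constructed A", "SAMPLE_B.DLL": b"constructed B", "notes.txt": b"benign"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        feed = hashlib.sha256(b"constructed A").hexdigest().upper() + " sample_a.dll (constructed)\n"
        hits, names, errs = sweep(root, parse_iocs(feed + "C2 list follows\n"), ["sample_b.dll"])
        return [lbl for _, lbl in hits], [os.path.basename(p) for p in names], errs

if __name__ == "__main__":
    print(demo())
```

A name match without a hash match is reported separately because a hash list only covers builds that have already been seen; unreadable files are listed so they are not silently counted as clean.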
Indicators of Compromise
Traffic communicating to the following C2 server IP addresses:
The presence of any of the below files with hash value:
The Naikon APT group primarily target high profile organisations, government departments and military organisations. As the Nebulae backdoor is one of the second stage payloads deployed by the threat actors, compromise should be assumed upon detection.
MITRE Framework Mapping
Command and Scripting Interpreter (T1059)
Hidden Files and Directories (T1564.001)
File and Directory Permissions Modification (T1222)
Hijack Execution Flow: DLL Side-Loading (T1574.002)
Indicator Removal on Host: File Deletion (T1070.004)
Match Legitimate Name or Location (T1036.005)
System Information Discovery (T1082)
System Owner/User Discovery (T1033)
File and Directory Discovery (T1083)
Process Discovery (T1057)
Command and Control:
Data Obfuscation (T1001)
Exfiltration: Exfiltration Over C2 Channel (T1041)
Bitdefender – New Nebulae Backdoor Linked with the NAIKON Group
Bitdefender Whitepaper: NAIKON – Traces from a Military Cyber-Espionage Operation
Security Affairs – Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs