Nebulae backdoor

Overview

Security researchers from BitDefender have uncovered an increasingly popular backdoor being utilised by the Naikon APT (Advanced Persistent Threat) group. This backdoor has been dubbed ‘Nebulae’ and is a post-exploitation persistence measure employed by the threat actors. The presence of Nebulae has also been noted to coincide with another backdoor used by the threat actors which is known as ‘RainyDay’.

The Naikon APT group have been attributed to campaigns targeting high profile organisations, including government departments and military organisations.

Impact

The Nebulae backdoor provides a range of functionality to the threat actors including the abilities to:

– Retrieve Logical Drive information from affected hosts, this includes information such as the drive type or free space available.

– Read, write or delete files and directories on the affected host.

– Download and upload files to and from the command and control (C2) servers.

– The ability to list, execute or terminate processes on affected hosts.

Vulnerability Detection

There is no vulnerability associated to this threat: this is due to the Nebulae backdoor being a second stage post-exploitation payload. However, the threat actors target and/or utilise the software listed below.

Affected Products

The following are known targets leveraged by the threat actors:

ARO 2012 Tutorial 8.0.12.0
VirusScan On-Demand Scan Task Properties (McAfee, Inc.)
Sandboxie COM Services (BITS) 3.55.06 (SANDBOXIE L.T.D)
Outlook Item Finder 11.0.5510 (Microsoft Corporation)
Mobile Popup Application 16.00 (Quick Heal Technologies (P) Ltd.)

Containment, Mitigations & Remediations

Application of all available updates to affected software versions when these become available.

Network monitoring should be employed to monitor for network traffic to known C2 servers.

Regular host-based anti-malware scanning with the latest signature updates should be undertaken, with alerts being monitored against files with the hash values of known IOCs.

If any of the IOC’s have been detected on a host then compromise should be assumed, and incident response initiated. The Nebulae backdoor is a second stage payload deployed by the threat actors post exploitation for the purposes of persistence.

Indicators of Compromise

Traffic communicating to the following C2 server IP addresses:

124.156.241.24
150.109.184.127
150.109.178.252
47.241.127.190

The presence of any of the below files with hash value:
71755f4cd827551d0cf3419d0afc548ffdc020d0b9359a71a1a2039d27d5a37d dwm.exe
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad VirusScan On-Demand Scan Task Properties
b7011dc545a20049efb67f0fbc37aff3cae226a38370dcb79513ba472ec712bb dll.exe (persistence installer for dot1.dll)
54738bb403a25b005bf145d4ed2a3719b0c4869360eb82776171c1b6d5ec0952 dot1.dll (Nebulae)
0c438622b62bf03a33e3e25d3ff1afea740111c2d90a2b9659eddd7a5021cd5d nta.dll (Nebulae)
2181fdf09d22e0b55db7e70914eec71ff98d55f0f4899a9f5ef9dba1f2ad9792 vsodscpl.dll (Nebulae)
ee9f11a530df4950981daea65dc029e05f76516d2ac9ce4541ccf89a44e26285 vsodscpl.dll (Nebulae)
c5c39979728f635b324dfcb7e32cbd6c4cc877ff4f9bd39113c7a2722f49d399 vsodscpl.dll (Nebulae)
592c36bc4117f150f8fce1b54d064eb14bd3236b3f729ba12750aed3bb6006b4 nta.dll (Nebulae)
bad4fba4b2863ddbf85aaabf1c77f60ea972dd2ea39d7b7963b862b0b4aacbb5 Nebulae
dc64e5497bbb2e128a821a382e1bd02a7057982913f2da673c4897c64ff5090c Nebulae
1df627dab5349caa21b7796747299cc00d5def8f1f9af2bfd93d61a74455151e Nebulae
6bce8eb669aa383397943579dd3432ea875227733b4430489fe985d326b5edb5 Nebulae
3b9629122f33d5f354026923fdd3e499f43b01054c3dc74224aa242a4dd397c1 Nebulae

Threat Landscape

The Naikon APT group primarily target high profile organisations, government departments and military organisations. As the Nebulae backdoor is one of the second stage payloads deployed by the threat actors, compromise should be assumed upon detection.

Mitre Framework Mapping

Execution:
Command and Scripting Interpreter (T1059)
Defense Evasion:
Hidden Files and Directories (T1564.001)
File and Directory Permissions Modification (T1222)
Hijack Execution Flow: DLL Side-Loading (T1574.002)
Indicator Removal on Host: File Deletion (T1070.004)
Masquerading:
Match Legitimate Name or Location (T1036.005)
Discovery:
System Information Discovery (T1082)
System Owner/User Discovery (T1033)
File and Directory Discovery (T1083)
Process Discovery (T1057)
Command and Control:
Data Obfuscation (T1001)

Exfiltration: Exfiltration Over C2 Channel (T1041)

Further Information

Bitdefender – New Nebulae Backdoor Linked with the NAIKON Group
Bitdefender Whitepaper: NAIKON – Traces from a Military Cyber-Espionage Operation
Security Affairs – Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs