FunnyDream

FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]

ID: C0007
First Seen: July 2018 [2]
Last Seen: November 2020 [1]
Version: 1.0
Created: 20 September 2022
Last Modified: 10 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

For FunnyDream, the threat actors registered a variety of domains.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

During FunnyDream, the threat actors used a Visual Basic script to run remote commands.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.[1]

Enterprise T1105 Ingress Tool Transfer

During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

For FunnyDream, the threat actors used a new backdoor named FunnyDream.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool.[1]

Enterprise T1057 Process Discovery

During FunnyDream, the threat actors used Tasklist on targeted systems.[1]

Enterprise T1018 Remote System Discovery

During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks.[1]

Enterprise T1082 System Information Discovery

During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.[1]

Enterprise T1016 System Network Configuration Discovery

During FunnyDream, the threat actors used ipconfig for discovery on remote systems.[1]

Enterprise T1049 System Network Connections Discovery

During FunnyDream, the threat actors used netstat to discover network connections on remote systems.[1]

Enterprise T1047 Windows Management Instrumentation

During FunnyDream, the threat actors used wmiexec.vbs to run remote commands.[1]
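
The discovery and staging commands listed above (Tasklist, Systeminfo, ipconfig, netstat, 7zr.exe, and cmd.exe launching wmiexec.vbs) can be mapped back to their technique IDs from process-creation telemetry. The following is an added detection example, not code from the ATT&CK page or from any FunnyDream report; the pipe-separated log format, the regular expressions and the sample records are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

# Command-line patterns mapped to the technique IDs the campaign page lists.
# Patterns are assumptions for this example, not indicators from the page.
INDICATORS = [
    (r"\btasklist(\.exe)?\b", "T1057"),      # Process Discovery
    (r"\bsysteminfo(\.exe)?\b", "T1082"),    # System Information Discovery
    (r"\bipconfig(\.exe)?\b", "T1016"),      # System Network Configuration Discovery
    (r"\bnetstat(\.exe)?\b", "T1049"),       # System Network Connections Discovery
    (r"\b7zr\.exe\b", "T1560.001"),          # Archive via Utility
    (r"wmiexec\.vbs", "T1047"),              # Windows Management Instrumentation
]

# Constructed sample process-creation records: host|parent process|command line.
SAMPLE_LOG = """\
HOST01|explorer.exe|"C:\\Program Files\\App\\app.exe" --update
HOST02|cmd.exe|tasklist /v
HOST02|cmd.exe|systeminfo
HOST02|cmd.exe|ipconfig /all
HOST02|cmd.exe|netstat -ano
HOST02|cmd.exe|cscript.exe wmiexec.vbs /cmd 10.0.0.5 "ipconfig"
HOST02|cmd.exe|7zr.exe a C:\\Users\\Public\\out.7z C:\\Users\\alice\\Documents
HOST03|cmd.exe|ipconfig
"""

def parse_records(text):
    """Yield (host, parent, cmdline) tuples from the pipe-separated sample format."""
    for line in text.splitlines():
        host, parent, cmdline = line.split("|", 2)
        yield host, parent, cmdline

def map_techniques(records):
    """Return {host: set of technique IDs} for every record matching an indicator."""
    hits = defaultdict(set)
    for host, parent, cmdline in records:
        for pattern, tid in INDICATORS:
            if re.search(pattern, cmdline, re.IGNORECASE):
                hits[host].add(tid)
                # The page records cmd.exe as the launcher of wmiexec.vbs (T1059.003).
                if tid == "T1047" and parent.lower() == "cmd.exe":
                    hits[host].add("T1059.003")
    return hits

DISCOVERY = {"T1057", "T1082", "T1016", "T1049"}

def flag_hosts(hits, min_discovery=3):
    """Flag hosts showing a discovery cluster, or staging/remote execution via WMI."""
    return sorted(h for h, t in hits.items()
                  if len(t & DISCOVERY) >= min_discovery or t & {"T1560.001", "T1047"})
```

A single ipconfig on HOST03 is not flagged on its own; the cluster of discovery, WMI execution and 7zr.exe staging on HOST02 is.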

Software

ID Name Description
S1043 ccf32

During FunnyDream, ccf32 was used to collect data.[1]

S1041 Chinoxy

During FunnyDream, Chinoxy was used to gain persistence and deploy other malware components.[1]

S1044 FunnyDream

During the FunnyDream campaign, the FunnyDream backdoor was used to execute multiple components and exfiltrate files.[1]

S0100 ipconfig

[1]

S0104 netstat

[1]

S1050 PcShare

During FunnyDream, the threat actors used a customized version of PcShare.[1]

S0096 Systeminfo

[1]

S0057 Tasklist

[1]

References