Naikon

Naikon is a threat group that has focused on targets around the South China Sea.[1] The group has been attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[2] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

ID: G0019
Version: 1.1
Created: 31 May 2017
Last Modified: 03 July 2020

Techniques Used

Domain ID Name Use
Enterprise  T1574.002  Hijack Execution Flow: DLL Side-Loading

Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.[4]

Enterprise  T1137.006  Office Application Startup: Add-ins

Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[4]

Enterprise  T1566.001  Phishing: Spearphishing Attachment

Naikon has used malicious e-mail attachments to deliver malware.[4]

Enterprise  T1518.001  Software Discovery: Security Software Discovery

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[1]

Enterprise  T1016  System Network Configuration Discovery

Naikon uses commands such as netsh interface show to discover network interface settings.[1]
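The two netsh discovery commands cited above (T1518.001 and T1016) are ordinary administrative commands, so the defender's signal is the context in which they run rather than the binary itself. The following is an added example, not part of the ATT&CK page or of any referenced report: it scans constructed Sysmon-style process-creation records for `netsh advfirewall firewall ...` and `netsh interface ... show ...` (the second generalizes the page's `netsh interface show` to the nested `show` verbs netsh accepts under `interface`), tolerating `cmd.exe /c` wrappers, quoting, and full image paths. The `Key=Value|Key=Value` record layout, field names, host names, and all sample events are assumptions made for this example.

```python
"""Flag netsh-based host discovery in process-creation telemetry.

Added example (not from the ATT&CK page): maps the two netsh command
families the page cites for Naikon to their technique IDs and runs the
check over constructed, Sysmon-like Event ID 1 records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Technique mapping taken from the two page entries; (context, sub-context) -> ID, name.
NETSH_DISCOVERY: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("advfirewall", "firewall"): ("T1518.001", "Security Software Discovery"),
    ("interface", "show"): ("T1016", "System Network Configuration Discovery"),
}

# Constructed sample telemetry (assumed 'Key=Value|Key=Value' layout, not real Sysmon output).
SAMPLE_EVENTS: List[str] = [
    "EventID=1|Host=WS01|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\netsh.exe"
    "|CommandLine=netsh advfirewall firewall show rule name=all",
    "EventID=1|Host=WS01|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\netsh.exe"
    "|CommandLine=netsh interface show interface",
    "EventID=1|Host=WS02|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe"
    '|CommandLine=cmd.exe /c "netsh interface ipv4 show config"',
    "EventID=1|Host=WS02|ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\netsh.exe"
    "|CommandLine=netsh wlan show profiles",
    "EventID=1|Host=WS03|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe notes.txt",
    "EventID=3|Host=WS03|Image=C:\\Windows\\System32\\netsh.exe|DestinationIp=10.0.0.5",
]


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    command_line: str
    technique_id: str
    technique_name: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed record into fields; the first '=' separates key from value."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify_netsh(command_line: str) -> Optional[Tuple[str, str]]:
    """Return the (technique_id, technique_name) pair for a netsh discovery command, else None.

    Quotes are dropped and tokens lower-cased so that 'cmd.exe /c "netsh ..."' and a
    full path to netsh.exe are handled the same way as a bare 'netsh'.
    """
    tokens = command_line.replace('"', "").lower().split()
    for i, tok in enumerate(tokens):
        if tok in ("netsh", "netsh.exe") or tok.endswith("\\netsh.exe"):
            context = tuple(tokens[i + 1:i + 3])
            if context in NETSH_DISCOVERY:
                return NETSH_DISCOVERY[context]
            # 'netsh interface <family> show ...': a show verb nested under 'interface'.
            rest = tokens[i + 1:]
            if len(rest) >= 2 and rest[0] == "interface" and "show" in rest[1:]:
                return NETSH_DISCOVERY[("interface", "show")]
            return None  # netsh ran, but not one of the page's discovery contexts
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify_netsh over process-creation (EventID 1) records and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1" or "CommandLine" not in ev:
            continue
        hit = classify_netsh(ev["CommandLine"])
        if hit is None:
            continue
        tid, tname = hit
        findings.append(Finding(ev.get("Host", "?"), ev.get("ParentImage", "?"),
                                ev["CommandLine"], tid, tname))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Per-host sorted list of distinct technique IDs; two discovery techniques on one
    host in a short window is a stronger triage signal than either command alone."""
    per_host: Dict[str, set] = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique_id)
    return {host: sorted(ids) for host, ids in sorted(per_host.items())}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: {f.technique_id} {f.technique_name} <- {f.command_line} (parent {f.parent})")
    print(summarize(hits))
```

Running the block against the constructed events reports three findings (two on WS01, one on WS02) and leaves `netsh wlan show profiles` alone because the page cites only the firewall and interface contexts; the per-host summary is the piece a triage analyst would pivot on, since discovery commands are rarely interesting one at a time.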

Enterprise  T1204.002  User Execution: Malicious File

Naikon has convinced victims to open malicious attachments to execute malware.[4]

Software

ID Name References Techniques
S0456 Aria-body [4]
Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery

S0095 FTP [1]
Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

S0061 HDoor [1]
Impair Defenses: Disable or Modify Tools, Network Service Scanning

S0039 Net [1]
Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery

S0108 netsh [1]
Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery

S0097 Ping [1]
Remote System Discovery

S0029 PsExec [1]
Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0055 RARSTONE [1][2]
File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Injection: Dynamic-link Library Injection

S0058 SslMM [1][2]
Access Token Manipulation, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Impair Defenses: Disable or Modify Tools, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, System Information Discovery, System Owner/User Discovery

S0060 Sys10 [1]
Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Permission Groups Discovery: Local Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

S0096 Systeminfo [1]
System Information Discovery

S0057 Tasklist [1]
Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

S0059 WinMM [1][2]
Application Layer Protocol: Web Protocols, Fallback Channels, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery

References