GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Groups
  3. Naikon

Naikon

Naikon is a threat group that has focused on targets around the South China Sea.[1] The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020).[2] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

ID: G0019
Version: 1.1
Created: 31 May 2017
Last Modified: 03 July 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Naikon has used DLL side-loading to load malicious DLL's into legitimate executables.[4]
Enterprise T1137 .006 Office Application Startup: Add-ins

Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[4]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Naikon has used malicious e-mail attachments to deliver malware.[4]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[1]
Enterprise T1016 System Network Configuration Discovery

Naikon uses commands such as netsh interface show to discover network interface settings.[1]
Enterprise T1204 .002 User Execution: Malicious File

Naikon has convinced victims to open malicious attachments to execute malware.[4]

Software

ID Name References Techniques
S0456 Aria-body [4] Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
S0095 FTP [1] Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
S0061 HDoor [1] Impair Defenses: Disable or Modify Tools, Network Service Scanning
S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [1] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0097 Ping [1] Remote System Discovery
S0029 PsExec [1] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0055 RARSTONE [1][2] File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Injection: Dynamic-link Library Injection
S0058 SslMM [1][2] Access Token Manipulation, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Impair Defenses: Disable or Modify Tools, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, System Information Discovery, System Owner/User Discovery
S0060 Sys10 [1] Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Permission Groups Discovery: Local Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0096 Systeminfo [1] System Information Discovery
S0057 Tasklist [1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0059 WinMM [1][2] Application Layer Protocol: Web Protocols, Fallback Channels, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery

References

  1. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  2. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.
  1. Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.
  2. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.