Naikon’s Aria | Securelist

Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This malware and activity aligns with much of what the Checkpoint researchers brought to light today.

The Naikon APT became well-known in May 2015, when our public reporting first mentioned and then fully described the group as a long-running presence in the APAC region. Even after the group shut down much of its successful offensive activity following years of campaigns, Naikon maintained several splinter campaigns. Matching malware artifacts, functionality, and targeting demonstrate that the group continued to wage cyber-espionage campaigns in the South China Sea region during 2018.

“Aria-Body” or “AR” is a set of backdoors that carry compilation dates between January 2017 and February 2018. It can be particularly difficult to detect, as much of this code operates in memory, injected by other loader components without touching disk. We trace portions of this codebase back to “xsFunction” exe and dll modules used in Naikon operations going back to 2012, as the compiled AR modules implement a subset of the xsFunction feature set. In all likelihood, this new backdoor and related activity is an extension of, or a merger with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. In many cases we have seen that these same systems were previously targeted with PlugX and other malware. So, the group has evolved a bit since 2015, and its activity targeting these same profiles continues into 2018. We identified at least a half dozen individual variants from 2017 and 2018.

Technical Details

It seems clear that the same codebase has been reused by Naikon since at least 2012, and the recent AR backdoors were built from that same code. Their use was tightly clustered in organizations that Naikon had previously and heavily targeted, again lending confidence to attributing these resources and activity to the group.

Naikon’s new AR backdoor is a dll loaded into any one of multiple processes, providing remote access to a system. AR load attempts have been identified within processes with executable images listed here:

  • c:\windows\system32\svchost.exe
  • c:\windows\syswow64\svchost.exe
  • c:\program files\windows nt\accessories\services.exe
  • c:\users\dell\appdata\roaming\microsoft\windows\start menu\programs\startup\acrobat.exe
  • c:\alphazawgyi\svchost.exe

Because this AR code is injected into processes, the YARA rule provided in the Appendix is best run against memory dumps of processes whose main image is in the list above. The AR modules have additionally been seen in some other processes, including “msiexec.exe”.

Below are characteristics of the oldest AR and the newest known AR component in our collection.

Oldest AR component
  MD5: c766e55c48a4b2e7f83bfb8b6004fc51
  SHA256: 357c8825b3f03414582715681e4e0316859b17e702a6d2c8ea9eb0fd467620a4
  CompiledOn: Tue Jan  3 09:23:48 2017
  Type: PE32 DLL
  Internal name: TCPx86.dll
  Size: 176kb
  Exports: AzManager, DebugAzManager

Newest AR component
  MD5: 2ce4d68a120d76e703298f27073e1682
  SHA256: 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db
  CompiledOn: Thu Feb 22 10:04:02 2018
  Type: PE32 DLL
  Internal name: aria-body-dllX86.dll
  Size: 204kb
  Exports: AzManager, DebugAzManager
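As an added triage helper (not code from this report or from Kaspersky), the script below picks which process memory dumps deserve a YARA run, using the host image paths listed above and the export and internal DLL names of the two samples; it generalises the c:\alphazawgyi case by also flagging any svchost.exe running outside the two Windows system directories. The process records and dump bytes are constructed sample input.

```python
# Added triage helper, not code from the report: picks the process dumps worth a YARA run
# using the host image paths listed for AR load attempts and the export/internal DLL names
# of the two AR samples. The sample processes and dump bytes below are constructed.
import re

# Host images listed in the report, lowercase with backslash separators.
AR_HOST_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
    r"c:\program files\windows nt\accessories\services.exe",
    r"c:\users\dell\appdata\roaming\microsoft\windows\start menu\programs\startup\acrobat.exe",
    r"c:\alphazawgyi\svchost.exe",
}
# Export names and internal names of the two samples characterised above.
AR_MARKERS = ["AzManager", "DebugAzManager", "TCPx86.dll", "aria-body-dllX86.dll"]

def normalise(path: str) -> str:
    """Lowercase and unify separators so process-listing output compares to the report's paths."""
    return path.strip().lower().replace("/", "\\")

def is_candidate_host(image_path: str) -> bool:
    """Listed host image, or (generalising the alphazawgyi path) an svchost.exe outside system dirs."""
    p = normalise(image_path)
    if p in AR_HOST_IMAGES:
        return True
    system_dirs = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    return p.endswith("\\svchost.exe") and not p.startswith(system_dirs)

def scan_dump(dump: bytes) -> dict:
    """Count marker hits as ASCII and as UTF-16LE; an in-memory module may carry either form."""
    hits = {}
    for marker in AR_MARKERS:
        encodings = (marker.encode("ascii"), marker.encode("utf-16-le"))
        n = sum(len(re.findall(re.escape(enc), dump)) for enc in encodings)
        if n:
            hits[marker] = n
    return hits

def triage(processes: list) -> list:
    """processes: [{"pid", "image", "dump"}]; returns candidate hosts, most marker hits first."""
    rows = [{"pid": p["pid"], "image": p["image"], "hits": scan_dump(p["dump"])}
            for p in processes if is_candidate_host(p["image"])]
    return sorted(rows, key=lambda r: sum(r["hits"].values()), reverse=True)

# Constructed sample: a clean svchost, an svchost carrying AR-like strings, an unlisted process.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe", "dump": b"\x00" * 64 + b"RpcSs\x00"},
    {"pid": 2204, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dump": b"MZ" + b"\x00" * 32 + b"AzManager\x00DebugAzManager\x00" + "TCPx86.dll".encode("utf-16-le")},
    {"pid": 3000, "image": r"C:\Program Files\Foo\foo.exe", "dump": b"AzManager"},
]
```

Candidates with no marker hits are still returned (last), since a listed host process may carry an injected module the string check misses and is still worth the YARA pass.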

When the dll is loaded, it registers a Windows class whose Window procedure performs a removable drive check, a CONNECT-proxied callback to its main C2, an IP location verification against checkip.amazonaws[.]com, and further communications with a C2. The flow of some previous modules may include more or less system information collection prior to the initial callback.
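The callback order described above (a CONNECT to the C2, an IP check against checkip.amazonaws[.]com, then further C2 traffic) can be hunted for in proxy logs. The following is an added example and not code from the report; the log format, client addresses and C2 host names are constructed placeholders, and it assumes the IP check reaches the proxy as a plain GET.

```python
# Added detection example, not code from the report: looks for the callback order the report
# describes (CONNECT to the C2, an IP check against checkip.amazonaws.com, then more C2
# traffic) in proxy logs. The log format and all hosts below are constructed placeholders.
from collections import defaultdict

IP_CHECK_HOST = "checkip.amazonaws.com"

# Constructed format: "<epoch> <client_ip> <method> <host[:port]>"; real proxy logs differ.
SAMPLE_LOG = """\
1517000000 10.0.0.5 CONNECT c2-placeholder.test:443
1517000002 10.0.0.5 GET checkip.amazonaws.com
1517000005 10.0.0.5 CONNECT c2-placeholder.test:443
1517000100 10.0.0.9 GET checkip.amazonaws.com
1517000200 10.0.0.7 CONNECT updates.vendor.test:443
1517000900 10.0.0.7 GET checkip.amazonaws.com
"""

def parse(log: str) -> list:
    """Return (ts, client, method, host) tuples, dropping the port from the host."""
    rows = []
    for line in log.splitlines():
        ts, client, method, host = line.split()
        rows.append((int(ts), client, method, host.split(":")[0]))
    return rows

def find_ar_callback_pattern(log: str, window_s: int = 60) -> dict:
    """Return {client: [c2 hosts]} where an IP-check request is bracketed, within window_s
    seconds on each side, by CONNECTs from the same client to the same other host.
    A lone checkip.amazonaws.com lookup is ordinary traffic and is not reported."""
    by_client = defaultdict(list)
    for ts, client, method, host in parse(log):
        by_client[client].append((ts, method, host))
    found = {}
    for client, events in by_client.items():
        events.sort()
        for i, (ts, method, host) in enumerate(events):
            if host != IP_CHECK_HOST:
                continue
            before = {h for t, m, h in events[:i] if m == "CONNECT" and ts - t <= window_s}
            after = {h for t, m, h in events[i + 1:] if m == "CONNECT" and t - ts <= window_s}
            for c2 in sorted(before & after):
                found.setdefault(client, []).append(c2)
    return found
```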

The most recent version of the backdoor uses another Window procedure to implement a raw-input-device-based keystroke collector. This keylogger functionality was newly introduced to the malware code in February 2018 and was not present in previous versions.

The approximately 200 – 250kb AR backdoor family provides a familiar and slightly changing functionality set per compiled module. Because Checkpoint covers the same technical points in their post, we provide this simple summary list:

  • Persistence handling
  • File and directory handling
  • Keylogging
  • Shell/Process Management
  • Network activity and status listing and management
  • System information collection and management
  • Download management
  • Windows management
  • Extension management
  • Location/IP verification
  • Network Communications over HTTP

Similarities to past Naikon components

Naikon components going back to 2012 maintain heavy similarities with the current “Aria-body” modules. Not only is some of the functionality only lightly modified, but the same misspellings in error logging remain in their codebase. Let’s examine an older 2013 Naikon module and a newer 2017 Naikon AR module here.

It’s clear that the underlying codebase continues to be deployed:

e09254fa4398fccd607358b24b918b63, CompiledOn: 2013:09:10 09:00:15

c766e55c48a4b2e7f83bfb8b6004fc51, CompiledOn: 2017:01:03 09:23:48

Kudos to the Checkpoint researchers for providing new details of the Naikon story into the public discussion.

For reference, some hashes and a YARA rule are provided here. More incident, infrastructure and IOC details have been, and remain, available to our threat intel customers (please contact [email protected]).

Corporate security prediction 2020 | Securelist

Moving to the cloud

The popularity of cloud services is growing, and threat actors are here to exploit the trend.

We are observing more and more cases where our customers’ infrastructure is partially or entirely located in the cloud – cloud migration has been the dominant trend of the past couple of years. This is resulting in a blurring of infrastructure boundaries. In 2020, we expect the following trends to emerge.

It will become more difficult for attackers to separate the resources of the targeted company from those of cloud providers. At the same time, it will be much more difficult for companies to detect an attack on their resources in the initial stages.

The transition to the cloud has blurred the boundaries of company infrastructures. As a result, it is becoming very difficult to target an organization’s resources in a precise manner. So, conducting an attack will become harder and the actions of threat actors will become more sophisticated or more frequent – relying on chance rather than planning. On the other hand, it will also be difficult for a company to identify targeted attacks at an early stage and separate them from the overall mass of attacks on the ISP.

Investigating incidents will become more complex and in some cases less effective.

Those who plan to deploy cloud infrastructure in 2020 need to talk in advance with their provider about a communications plan in the event of an incident, because time is of the essence when it comes to security incidents. It’s very important to discuss what data is logged, and how to back it up. Lack of clarity on such information can lead to complications or even make successful incident investigation impossible. We note, however, that awareness of cloud infrastructure security is not growing as fast as the popularity of cloud services, so we expect to see an increase in the complexity of investigating incidents as well as a decrease in the effectiveness of incident response.

It’s also worth noting that when companies pass on their data to a cloud provider for storage or processing, they also need to consider whether the provider possesses the necessary level of cybersecurity. Even then, it is hard to be absolutely certain that the services they are paying for are really secure, as it requires a level of expertise in information security that not all technical officers possess.

Criminals will migrate to the cloud and forge ahead.

The increase in the availability of cloud services will allow not just companies but also attackers to deploy infrastructure in the cloud. This will reduce the complexity of an attack and, consequently, will increase their number and frequency. This could potentially affect the reputation of the cloud services themselves, as their resources will be used in large-scale malicious activity. To avoid this, providers will have to consider reviewing their security procedures and change their service policies and infrastructure.

Insider threats

The good news is that we are observing an increase in the overall level of security of businesses and organizations. As a result, direct attacks on infrastructure (for example, penetrating the external perimeter through the exploitation of vulnerabilities) are becoming much more expensive, requiring ever more skill and time from the attacker. Consequently, we predict:

Growth in the number of attacks using social engineering methods.

In particular, this means phishing attacks on company employees. As the human factor remains a weak link in security, the focus on social engineering will increase as other types of attacks become more difficult to carry out.

Growth of the insider market.

Due to the increasing cost of other attack vectors, attackers will be willing to offer large amounts of money to insiders. The price for insiders varies from region to region and depends on the target’s position in the company, the company itself, its local rating, the type and complexity of insider service that is requested, the type of data that is exfiltrated and the level of security at the company.

There are a number of ways such insiders can be recruited:

  • By simply posting an offer on forums and offering a reward for certain information.
  • The attackers may disguise their actions so that employees don’t realize they are acting illegally, disclosing personal information or engaging in insider activity. For example, the potential victims may be offered a simple job on the side to provide information, while being reassured that the data is not sensitive, though it may in fact relate to the amount of funds in a bank client’s personal account or the phone number of an intended target.
  • Blackmailing. We also expect to see increased demand for the services of groups engaged in corporate cyber-blackmail and, as a consequence, an increase in their activity.

Cyber-blackmailing groups that collect compromising information on company employees (e.g. evidence of crimes, personal records and personal data such as sexual preferences) for the purpose of blackmail will also become more active in the corporate sector. Usually this happens in the following way: the threat actors take a pool of leaked emails and passwords, find those that are of interest to them and exfiltrate compromising data that is later used for blackmail or cyberespionage. The stronger the cultural specifics and regional regulations, the faster and more effective the attackers’ leverage is. As a result, attacks on users in order to obtain compromising data are predicted to increase.