📃Title: New Nebulae Backdoor Linked with the NAIKON Group
📅Date: 2021-04-28
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer= Bitdefender
  • threat-actor= Naikon
  • region="035 - South-eastern Asia"
  • target-information="Indonesia"
  • target-information="Malaysia"
  • target-information="Philippines"
  • target-information="Singapore"
  • target-information="Thailand"
  • malpedia="Nebulae"
  • malpedia="Aria-body"
  • mitre-attack-pattern=['T1020', 'T1003.005', 'T1059', 'T1574.002', 'T1001', 'T1074', 'T1005', 'T1025', 'T1078.002', 'T1041', 'T1567', 'T1070.004', 'T1083', 'T1222', 'T1564.001', 'T1570', 'T1074.001', 'T1036.004', 'T1036', 'T1036.005', 'T1112', 'T1046', 'T1095', 'T1003', 'T1027', 'T1057', 'T1055', 'T1572', 'T1547.001', 'T1018', 'T1021.002', 'T1053', 'T1113', 'T1003.002', 'T1569.002', 'T1082', 'T1016', 'T1049', 'T1033', 'T1007', 'T1078', 'T1071.001', 'T1047', 'T1543.003']

MISP event uuid: fdfd2565-97d0-428a-9c6d-8a5c928ca6eb

Indicators of Compromise (IoCs)

type,value,comment
md5, 97e49353a25c3f1d81a6139735697940, ''
md5, 0a63cef6ed6439dd3b3ed80e1daa0e30, ''
md5, 9f1d6b2d45f1173215439bcc4b00b6e3, ''
md5, 46718ac832e64ae277e35f90da278eee, 'RainyDay memdump'
md5, 12a0cef605c5a1cabe328325da7f4b72, ''
md5, b77d42820fae65cb32b9431c2e7b70e2, ''
md5, adc46432477545ce4826415ef19190a5, ''
md5, 7a043d49f69f480e63384d85b28840f9, ''
md5, 5a4a8b1a86b665d8798de80133362f46, ''
md5, 59974929887caa1cb5e4ff102fb2efd5, 'rdmin.rsc loader'
md5, b5bdaba69689e8be57ce78bb6845e4f0, 'VirusScan On-Demand Scan Task Properties'
md5, efb196c8cb68cb518d85d41036c73fae, 'dot1.dll (Nebulae)'
md5, 41a7f4b78d4f7f358542c4ef2a2d9dbb, 'nta.dll (Nebulae)'
md5, d672194165a7b978e19ecde87bb4b373, 'vsodscpl.dll (Nebulae)'
md5, 1dc557a0f7b93b1b534724c10d065538, 'vsodscpl.dll (Nebulae)'
md5, 79daad3062d4b428cbdf2df4bc4a793c, 'vsodscpl.dll (Nebulae)'
md5, 0ad47c87a9e6041033946c525816dd58, 'nta.dll (Nebulae)'
md5, 3c5fbf2133c710020b29f0371747bdd7, 'Nebulae'
md5, 1d73c276056df6d88b7958e513942e56, 'Nebulae'
md5, b1a6fc744dc340e216c16811524cd510, 'Nebulae'
md5, bdc955175878e25b4d7ebaff906c89fe, 'Nebulae'
md5, f70b295c6a5121b918682310ce0c2165, ''
md5, 9070f7100fa2f41c2c0757b34e0a401c, ''
md5, dc3ce0d803e1117531540ee30172b486, 'sfk.exe - Swiss File Knife'
md5, 91a7862304bba1ef4123d10b56b1a4c1, 'p8.exe - QuarksPwDump'
md5, a61d1724e03bc2d75cc52115b64e1bb1, ''
md5, 44f96457adeb95afd3f5457082d44538, ''
md5, f01a9a2d1e31332ed36c1a4d2839f412, 'NetBios scanner'
md5, 754a201f853985b0c1c5a96d4637966d, 'logs.exe (HecINI loader)'
md5, d98e9e685460eb427b459e281845d62e, 'winsrv.exe (downloader)'
md5, 119f5b486fd3a6f0e95b541874465836, 'Aria-Body loader'
md5, 367d119cd1aef0d1d2704b462682a731, 'Aria-Body loader'
md5, 64ff0a8730472e36e62ce29a20f61529, 'ARO 2012 Tutorial - 8.0.12.0'
sha256, 2c4af3fa3918b715b3a0b3e5232196089b7ffcb2406ea01f5243ab5e04ecb2c8, 'No sample in VT; last check 09/05/2025'
sha256, 268426b01ac967c470b16ddcb3125fc7c234861c6e33e8b330400fbd3b403e4c, 'No sample in VT; last check 09/05/2025'
sha256, 3f8a9a7776a56bbb7dc4bffd5f1549ec64e9170c97a622e1b59199dd3c620e82, 'No sample in VT; last check 09/05/2025'
sha256, 608d2beebb5b6bfc23bcbfb2e12a73fd0b8ae707136a163d747115dc384d0875, 'No sample in VT; last check 09/05/2025'
sha256, 71755f4cd827551d0cf3419d0afc548ffdc020d0b9359a71a1a2039d27d5a37d, 'No sample in VT; last check 09/05/2025'
sha256, b7011dc545a20049efb67f0fbc37aff3cae226a38370dcb79513ba472ec712bb, 'dll.exe (persistence installer for dot1.dll) - no sample in VT; last check 09/05/2025'
sha256, 3b9629122f33d5f354026923fdd3e499f43b01054c3dc74224aa242a4dd397c1, 'Nebulae - no sample in VT; last check 09/05/2025'
sha256, 99d4467c2637962a698dfb20be4b1167876132746ff106004bb4249646b428a6, 'No sample in VT; last check 09/05/2025'
sha256, abb48990eaabd5203c35bd26a0bb51e81e8eb2532d22d22fb2a6566bbda4c6a4, 'winlogin.exe (boost_proxy_client) - no sample in VT; last check 09/05/2025'
sha256, 56085b27e7145bb2cfbf2d33fba30359d1429b507e3b9251cfdced50bba1f07f, 'winlogin.exe (boost_proxy_client) - no sample in VT; last check 09/05/2025'
sha256, 4d5ca91ced0f0bd8be137f6d7fae907ebca07c46ac0eda49428fc96d0674aad6, 'scupdate.exe (RcSocks) - no sample in VT; last check 09/05/2025'
sha256, dd01e3703e728d8afc58eaaad15bbd184b137dd7ad738c009acc50004a438624, 'winsrvc.exe (RcSocks) - no sample in VT; last check 09/05/2025'
sha256, e27878becab770fbbebfd9f10d4eb6ee1a109a2f1987335762b654fadb1caf7d, 'wusa64.exe (LadonGo) - no sample in VT; last check 09/05/2025'
sha256, 68c6b06225368def17b3189ee441c319c00dcac3bb574ea036a3aabeaa6c3bbf, 'Aria-Body loader - no sample in VT; last check 09/05/2025'
hostname, rose.twifwkeyh.com, ''
domain, guinnbandesh.com, ''
hostname, php.tripadvisorsapp.com, 'RainyDay C&C server'
hostname, news.dgwktifrn.com, 'RainyDay C&C server'
hostname, mail.tripadvisorsapp.com, 'RainyDay C&C server'
hostname, java.tripadvisorsapp.com, 'RainyDay C&C server'
hostname, osde.twifwkeyh.com, 'RainyDay C&C server'
hostname, aloha.fekeigawy.com, 'RainyDay C&C server'
hostname, www.wahatmrjn.com, 'RainyDay C&C server'
ip-dst, 124.156.241.24, 'Nebulae C&C server'
ip-dst, 150.109.184.127, 'Nebulae C&C server'
ip-dst, 150.109.178.252, 'Nebulae C&C server'
ip-dst, 47.241.127.190, 'Nebulae C&C server'

Full IOCs available in Rectifyq’s MISP
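As an added check that is not part of the Bitdefender report or of this MISP event: a small Python matcher that reads the IoC table above in its own "type,value,comment" layout and tests telemetry against it using MISP attribute semantics. The IoC rows embedded in the block are a subset copied from the table; the observed events are constructed for the demonstration. Two assumptions are made explicit: a `domain` attribute covers the domain and all of its subdomains, while a `hostname` attribute matches only that exact fully qualified name (this follows the MISP attribute definitions, not anything stated on this page).

```python
"""Match constructed telemetry against the MISP-style IoC CSV on this page.

Added example; not the Bitdefender report's or the MISP event's own code.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Subset of the IoC rows copied from the table above, in the page's own layout:
# a space after each comma, and a single-quoted comment that may be empty.
IOC_CSV = """type,value,comment
md5, efb196c8cb68cb518d85d41036c73fae, 'dot1.dll (Nebulae)'
md5, dc3ce0d803e1117531540ee30172b486, 'sfk.exe - Swiss File Knife'
sha256, b7011dc545a20049efb67f0fbc37aff3cae226a38370dcb79513ba472ec712bb, 'dll.exe (persistence installer for dot1.dll)'
hostname, php.tripadvisorsapp.com, 'RainyDay C&C server'
domain, guinnbandesh.com, ''
ip-dst, 124.156.241.24, 'Nebulae C&C server'
"""

# Constructed sample telemetry (hypothetical hosts and paths, not from the page).
OBSERVED = [
    {"host": "ws01", "kind": "file", "path": r"C:\ProgramData\dot1.dll",
     "md5": "EFB196C8CB68CB518D85D41036C73FAE"},
    {"host": "ws01", "kind": "dns", "query": "update.guinnbandesh.com."},
    {"host": "ws02", "kind": "dns", "query": "mail.tripadvisorsapp.com"},
    {"host": "ws02", "kind": "conn", "dst_ip": "124.156.241.24", "dst_port": 443},
    {"host": "ws03", "kind": "file", "path": r"C:\Windows\notepad.exe",
     "sha256": "a" * 64},
]


def parse_iocs(text):
    """Parse the page's CSV into {type: {normalised value: comment}}."""
    iocs = defaultdict(dict)
    # skipinitialspace absorbs the space after each comma; the single-quoted
    # comment is not a csv quote (quotechar is "), so the quotes are stripped here.
    for row in csv.DictReader(io.StringIO(text), skipinitialspace=True):
        ioc_type = row["type"].strip().lower()
        value = row["value"].strip()
        if ioc_type in ("md5", "sha1", "sha256", "hostname", "domain"):
            value = value.lower()
        iocs[ioc_type][value] = (row["comment"] or "").strip().strip("'")
    return iocs


def match_hash(iocs, digest):
    """File hashes: exact, case-insensitive match on whichever algorithm is listed."""
    d = digest.strip().lower()
    for algo in ("md5", "sha1", "sha256"):
        if d in iocs.get(algo, {}):
            return algo, d, iocs[algo][d]
    return None


def match_name(iocs, name):
    """hostname IoCs match exactly; a domain IoC also covers every subdomain.

    Assumption: MISP attribute semantics (hostname = exact FQDN, domain = zone).
    """
    n = name.strip().lower().rstrip(".")          # tolerate a trailing root dot
    if n in iocs["hostname"]:
        return "hostname", n, iocs["hostname"][n]
    labels = n.split(".")
    for i in range(len(labels) - 1):              # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs["domain"]:
            return "domain", candidate, iocs["domain"][candidate]
    return None


def match_ip(iocs, ip):
    """Destination IPs: compare the canonical textual form of the address."""
    try:
        addr = str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None
    if addr in iocs["ip-dst"]:
        return "ip-dst", addr, iocs["ip-dst"][addr]
    return None


def scan(events, iocs):
    """Return (host, kind, ioc_type, ioc_value, comment) for every event that hits."""
    hits = []
    for ev in events:
        result = None
        if ev["kind"] == "file":
            for algo in ("md5", "sha1", "sha256"):
                if algo in ev:
                    result = match_hash(iocs, ev[algo])
                    if result:
                        break
        elif ev["kind"] == "dns":
            result = match_name(iocs, ev["query"])
        elif ev["kind"] == "conn":
            result = match_ip(iocs, ev["dst_ip"])
        if result:
            hits.append((ev["host"], ev["kind"]) + result)
    return hits


if __name__ == "__main__":
    for hit in scan(OBSERVED, parse_iocs(IOC_CSV)):
        print(hit)
```

Note the ws02 DNS query for mail.tripadvisorsapp.com: it does not hit, because only php.tripadvisorsapp.com is in the embedded subset and `hostname` attributes match exactly. The full table above lists several tripadvisorsapp.com hostnames but no `domain` attribute for tripadvisorsapp.com itself, so a subdomain that is not individually listed will be missed by a matcher that follows the attribute types literally; decide deliberately whether to promote such a parent to a `domain` entry in your own feed.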