📃Title: New Nebulae Backdoor Linked with the NAIKON Group
📅Date: 2021-04-28
🔗References:
- https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/
- https://www.bitdefender.com/en-us/blog/labs/new-nebulae-backdoor-linked-with-the-naikon-group
- https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf
- https://databreaches.net/2021/04/30/cyberspies-target-military-organizations-with-new-nebulae-backdoor/
🔖Rectifyq Taxonomies:
- relevancy: 🟡 Somewhat Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: targeted
- MY-relevancy: somewhat-relevant
🔖MISP Galaxies:
- producer Bitdefender
- threat-actor Naikon
- region="035 - South-eastern Asia"
- target-information="Indonesia"
- target-information="Malaysia"
- target-information="Philippines"
- target-information="Singapore"
- target-information="Thailand"
- malpedia="Nebulae"
- malpedia="Aria-body"
- mitre-attack-pattern=['T1020', 'T1003.005', 'T1059', 'T1574.002', 'T1001', 'T1074', 'T1005', 'T1025', 'T1078.002', 'T1041', 'T1567', 'T1070.004', 'T1083', 'T1222', 'T1564.001', 'T1570', 'T1074.001', 'T1036.004', 'T1036', 'T1036.005', 'T1112', 'T1046', 'T1095', 'T1003', 'T1027', 'T1057', 'T1055', 'T1572', 'T1547.001', 'T1018', 'T1021.002', 'T1053', 'T1113', 'T1003.002', 'T1569.002', 'T1082', 'T1016', 'T1049', 'T1033', 'T1007', 'T1078', 'T1071.001', 'T1047', 'T1543.003']
MISP event uuid: fdfd2565-97d0-428a-9c6d-8a5c928ca6eb
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP