Dreaming a Little FunnyDream

Is it funny? Is it a dream? No. It’s a cyberespionage campaign and is very much real and scary.

The scoop

Bitdefender researchers discovered a Chinese APT group stealthily attack Southeast Asian governments. Although much of the C&C servers were found to be offline, the operations are still functional. The cyberespionage group dubbed FunnyDream has already impacted more than 200 systems across the region over the past couple of years. The analyzed attacks were identified to have three malware payloads - FunnyDream, Chinoxy, and PcShare.

Malware toolset

  • Chinoxy dropper uses the Logitech Bluetooth Wizard Host Process to evade detection and abuse a side-loading attack to load the backdoor dll into the memory.
  • PcShare is a Chinese RAT used to accumulate intelligence from affected hosts.
  • FunnyDream, a custom-made backdoor, is used for intelligence gathering and data exfiltration. This powerful backdoor supports advanced persistence and communication functionalities.

Chinese APT groups soaring high

  • Cicada, also known as APT10, has been making home in the networks of organizations functioning in the pharma, automotive, and engineering sectors by exploiting the Microsoft Zerologon vulnerability. The campaign is found to be launched against several Japanese companies, with subsidiaries across 17 regions worldwide.
  • Another China-based APT group was found sending spear-phishing emails distributing an intelligence-collecting RAT, known as Sepulchre. This never-seen-before RAT has been targeting European officials and Tibetan dissidents.

The bottom line

The malware sports various capabilities such as capturing files, taking snapshots, entering internal networks, logging keystrokes, and bypassing network limits. The earliest indication of the attack dates back to 2018, with increased activity witnessed since early-2019. The backdoor used by the threat actors is way too complex and thus, experts suggest organizations to stay wary and secure.