More than 200 systems infected by new Chinese APT 'FunnyDream'

silversurfer

A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.

The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.

The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.

Both Bitdefender and Kaspersky said the group is still active even today and appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.
 

Andy Ful

It is interesting that even such sophisticated attacks often use very simple persistence methods in the end, like the startup folder, a scheduled task, or the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
These persistence methods were used by the Chinoxy and FunnyDream backdoors. The Chinoxy backdoor used another malware, PcShareDropper, which had its own (stealthier) persistence mechanism via hijacking the MRUPIDLList COM object exported by shell32.dll.
So, the existence of the infection can be easily discovered on a single machine via routine inspection. But it is usually hard to do in a network that contains many machines.

I wonder how many infections/breaches could be neutralized in enterprises by a simple restriction which limits (whitelists) the entries in startup folders, the task scheduler, and Run Registry keys.

ForgottenSeer 89360

I guess they've spent time checking what products don't remove, and they rely on that.

When I test removal capabilities, I usually create a scheduled task, a registry entry in the location you've mentioned, and a service in the registry, usually named Core Modules Install Worker. Most of the products will remove the scheduled task (Bitdefender, Windows Defender, Avast). Almost all of them remove the registry entry in "Run" or "RunOnce", but only Windows Defender and Avast remove the service. I normally do the test twice. The first time I download a malicious *.exe and register it in the locations I mentioned. The second test is with PowerShell code. The most thorough in removal in my tests is Windows Defender.
I haven't tried how well they clean a heavily-infected machine though. I've seen sophisticated malware maintaining presence just by dropping a shortcut in the Startup folder 😀

P.S. For networks containing many machines we usually use EDR/XDR and that makes our life a lot easier, except when they generate noise 😫. Solutions such as McAfee Threat Intelligence Exchange also allow us to eradicate malware quickly, but many organisations don't use those.
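The whitelisting idea raised by Andy Ful and the autostart locations ForgottenSeer tests (Run/RunOnce keys, Startup folder, scheduled tasks, a registry-defined service) can be audited with a short script. The following is an added example, not code from the thread or from Bitdefender's report; the allowlist entry is a constructed placeholder and must be replaced with a baseline taken from your own known-good machines.

```powershell
# Added example (not from the thread or Bitdefender's report): enumerate the
# autostart locations discussed above and print every entry whose image is not
# on a hand-maintained allowlist. Run in an elevated PowerShell session.
# The allowlist below is a constructed placeholder; build yours from a clean baseline.
$Allowlist = @(
    'C:\Windows\System32\SecurityHealthSystray.exe'   # placeholder entry
)
# Run/RunOnce keys for the current user and for the machine
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Normalise a command line to its image path: expand %VARS%, drop quotes and arguments
function Get-ImagePath([string]$Command) {
    $Command = [Environment]::ExpandEnvironmentVariables($Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}
function New-Finding($Source, $Name, $Image) {
    [pscustomobject]@{ Source = $Source; Name = $Name; Image = (Get-ImagePath $Image) }
}
$Findings = @()

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }      # skip PowerShell's own metadata properties
        $Findings += New-Finding $Key $P.Name $P.Value
    }
}
# Startup folders: resolve .lnk shortcuts to their target instead of reporting the .lnk itself
$Shell = New-Object -ComObject WScript.Shell
foreach ($Dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($F in Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue) {
        $Target = if ($F.Extension -eq '.lnk') { $Shell.CreateShortcut($F.FullName).TargetPath } else { $F.FullName }
        $Findings += New-Finding 'StartupFolder' $F.Name $Target
    }
}
# Scheduled tasks (Microsoft's own tree skipped only to cut noise; drop the filter for a full audit) and services
foreach ($T in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($A in $T.Actions) { if ($A.Execute) { $Findings += New-Finding "Task$($T.TaskPath)" $T.TaskName $A.Execute } }
}
foreach ($S in Get-CimInstance Win32_Service) { $Findings += New-Finding 'Service' $S.Name $S.PathName }

# Everything whose image is not allowlisted is a candidate for manual review
$Findings | Where-Object { $Allowlist -notcontains $_.Image } | Sort-Object Source, Name | Format-Table -AutoSize
```

Running the same script on a fleet and diffing the output against the baseline turns the single-machine "routine inspection" Andy Ful describes into a repeatable check across many hosts.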