Researchers: ‘FunnyDream’ Targeted Over 200 Entities in Southeast Asia
Most of the infrastructure is located in Hong Kong, except for three servers: one in Vietnam, one in China and one in South Korea. (Source: Bitdefender)
A recently identified Chinese hacking group dubbed “FunnyDream” has targeted more than 200 government entities in Southeast Asia since 2018 as part of an ongoing cyberespionage campaign, according to research from security firm Bitdefender.
The FunnyDream campaign has been active since 2018 and mainly targets organizations to conduct reconnaissance, gather data and documents and then exfiltrate the information, according to Bitdefender. The research notes that many of the command-and-control servers associated with this campaign are currently inactive, although some remain operational.
Based on the group’s use of malware previously linked to other Chinese advanced persistent threat groups and the concentration of targets in Southeast Asia, Bitdefender assesses that FunnyDream is likely part of Chinese state-sponsored espionage activity intended to further the country’s geopolitical interests.
“Attack artifacts show signs of a Chinese APT group that we believe to be state-sponsored,” Michael Rosen, a researcher with Bitdefender, notes in the report. “Geopolitical tensions in the region are always present, and information exfiltrated by an APT campaign can yield commercial and military advantages to various adversaries and could compromise government actors should embarrassing political or personal information be revealed.”
The Bitdefender report further notes it has detected malware infrastructure used by this particular group in Hong Kong, South Korea and Vietnam. Previously, researchers at Kaspersky also found traces of malware and other malicious tools associated with FunnyDream used in campaigns that targeted organizations in Malaysia, Taiwan, the Philippines and Vietnam.
Bitdefender reports the FunnyDream threat actor became active in late 2018 and has targeted more than 200 victims since that time. In the attacks analyzed by the Bitdefender researchers, the hackers mainly use a combination of three malware variants, called Chinoxy, PCShare and FunnyDream, which provide spying capabilities, backdoor access, persistence on devices and within networks, and document collection. The group takes its name from the last of these variants.
The report also notes that the hacking group uses distributed command-and-control servers for each of the backdoors to help evade detection.
“The distributed [command-and-control] infrastructure primarily controls the three backdoors,” Rosen says. “Having [command-and-control] infrastructure in the same region as the likely attack targets tends to draw less suspicion to the IP traffic than remote communications from outside the region.”
In addition to the backdoors, FunnyDream also has on hand other malicious tools such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on the victims’ systems, the report notes.
Once the attackers infect the victim’s device, FunnyDream proceeds to compromise the domain controllers within the victim’s network for lateral movement. The attackers then attempt to gain control over numerous devices within that victim’s network.
The report, however, did not say how these initial attacks against targeted networks began, such as whether the hackers used phishing emails as part of the initial compromise or took advantage of vulnerabilities in applications or devices.
Links To China
Bitdefender notes FunnyDream could be a Chinese state-sponsored entity based on its use of Chinese-language binaries and the Chinoxy backdoor – a remote access Trojan known to have been used by Chinese-speaking threat actors in previous campaigns.
Chinoxy, which other security researchers have linked to another Chinese APT group called “Roaming Tiger,” has been active since 2014 and targeted defence organizations, critical infrastructure and universities throughout eastern Asia.
In March, independent security researcher Sebdraven – who has been tracking Chinoxy’s activities – noted the malware was being spread via malicious documents in a COVID-19-themed phishing campaign.