Most Remarkable APT Incidents That Targeted Malaysia in 2021

Malaysia has rapidly integrated into the digital age with the rest of the world for the past few decades because of the exponential development of ICT infrastructure, and barely any citizen in Malaysia is unconnected to the cyber world. Organizations are evolving enormously reliant on accessible technologies such as mobile, Internet of Things (IoT), and similar systems dependent on this connectivity.

As a result, Malaysia has remained the target of various cyberattacks. Different threat groups like “BeagleBoyz” and “APT 40” have performed sophisticated attacks on Malaysia in the last five years. In this blog, we’ve covered the top APT attacks over 2021.

1. China-linked threat actors pose a severe threat to Malaysia

Vietnam, Indonesia, and Malaysia were the most targeted by APT groups in the region.

In the last year, Chinese threat actors targeted military and civilian associations in multiple Southeast Asian nations, especially those with similar territorial claims and strategic projects. Malaysia, Indonesia, and Vietnam were the top commonly targeted regions over the past year.

The threat actors concentrated on the headquarters of the Thai and Malaysian prime ministers, the foreign affairs ministries of Indonesia and Malaysia, and their militaries. Researchers identified more than 400 individual servers in Southeast Asia communicating with infected networks that were likely connected to Chinese APT groups.

While there is no understanding of the specific data that might have been seized, the group attributed much of the activity to an APT group from China named ‘Threat Activity Group 16’.

2. The Naikon APT (APT30) targeting Malaysian organizations

In addition to Naikon, Goblin Panda also conducted active campaigns in Malaysia.

The Naikon, a China-linked advanced persistent threat group, created a unique backdoor called ‘RainyDay’ in numerous cyber-espionage activities aimed at the military forces of APAC countries. Organizations targeted by the hackers were in Malaysia and various countries around the South China Sea, including Singapore, Indonesia, Thailand, and the Philippines.

The RainyDay enables the operators to execute reconnaissance on the infected devices, run various tools aiming to steal passwords, open and view files, perform a lateral movement, and accomplish persistence in the network.

The exact execution approach and the use of admin.src files are operated by the Cycldek APT (Aka Conimes, Goblin Panda) to deploy their RAT named FoundCore. Similarly, the shellcode utilized for various payload attributes suggests a tight connection between the two malware classes and a potential overlap in activity between the two APIs.

Also, in the latest attacks, a second new backdoor was created dubbed ‘Nebulae,’ attempting to mimic legitimate software to avoid detection. The backdoor Nebulae can harvest drive information, manage directories, start and terminate processes, and download and execute files from C&C (command and control) server.

3. Long-running campaigns like FunnyDream

FunnyDream focused on gaining data on industrial espionage and national security.

There has also been a long-running attack campaign by ‘FunnyDream APT,’ a Chinese state-sponsored hacker group. The threat actors have successfully infected more than 200 systems of different governments from APAC since 2018. The focus of FunnyDream is extorting important documents from compromised hosts, concentrating primarily on data about industrial espionage and national security.

FunnyDream, with its continuous espionage attacks, deploys a combination of three malware variants: a RAT named PCShare, the backdoor Chinoxy, and a backdoor leveraged by FunnyDream. These strains individually have distributed C2 (command-and-control) servers for evading detection.

They are used for different objectives: espionage, installing backdoors, exfiltrating documents, and achieving persistence within infected systems. The group targets foreign governmental organizations of Southeast Asian countries.