Most Remarkable APT Incidents That Targeted Malaysia in 2021
Malaysia has rapidly integrated into the digital age with the rest of the world for the past few decades because of the exponential development of ICT infrastructure, and barely any citizen in Malaysia is unconnected to the cyber world. Organizations are evolving enormously reliant on accessible technologies such as mobile, Internet of Things (IoT), and similar systems dependent on this connectivity.
As a result, Malaysia has remained the target of various cyberattacks. Different threat groups like “BeagleBoyz” and “APT 40” have performed sophisticated attacks on Malaysia in the last five years. In this blog, we’ve covered the top APT attacks over 2021.
1. China-linked threat actors pose a severe threat to Malaysia
In the last year, Chinese threat actors targeted military and civilian associations in multiple Southeast Asian nations, especially those with similar territorial claims and strategic projects. Malaysia, Indonesia, and Vietnam were the top commonly targeted regions over the past year.
The threat actors concentrated on the headquarters of the Thai and Malaysian prime ministers, the foreign affairs ministries of Indonesia and Malaysia, and their militaries. Researchers identified more than 400 individual servers in Southeast Asia communicating with infected networks that were likely connected to Chinese APT groups.
While there is no understanding of the specific data that might have been seized, the group attributed much of the activity to an APT group from China named ‘Threat Activity Group 16’.
2. The Naikon APT (APT30) targeting Malaysian organizations
The Naikon, a China-linked advanced persistent threat group, created a unique backdoor called ‘RainyDay’ in numerous cyber-espionage activities aimed at the military forces of APAC countries. Organizations targeted by the hackers were in Malaysia and various countries around the South China Sea, including Singapore, Indonesia, Thailand, and the Philippines.
The RainyDay enables the operators to execute reconnaissance on the infected devices, run various tools aiming to steal passwords, open and view files, perform a lateral movement, and accomplish persistence in the network.
The exact execution approach and the use of admin.src files are operated by the Cycldek APT (Aka Conimes, Goblin Panda) to deploy their RAT named FoundCore. Similarly, the shellcode utilized for various payload attributes suggests a tight connection between the two malware classes and a potential overlap in activity between the two APIs.
Also, in the latest attacks, a second new backdoor was created dubbed ‘Nebulae,’ attempting to mimic legitimate software to avoid detection. The backdoor Nebulae can harvest drive information, manage directories, start and terminate processes, and download and execute files from C&C (command and control) server.
3. Long-running campaigns like FunnyDream
There has also been a long-running attack campaign by ‘FunnyDream APT,’ a Chinese state-sponsored hacker group. The threat actors have successfully infected more than 200 systems of different governments from APAC since 2018. The focus of FunnyDream is extorting important documents from compromised hosts, concentrating primarily on data about industrial espionage and national security.
FunnyDream, with its continuous espionage attacks, deploys a combination of three malware variants: a RAT named PCShare, the backdoor Chinoxy, and a backdoor leveraged by FunnyDream. These strains individually have distributed C2 (command-and-control) servers for evading detection.
They are used for different objectives: espionage, installing backdoors, exfiltrating documents, and achieving persistence within infected systems. The group targets foreign governmental organizations of Southeast Asian countries.
With SOCRadar® Free Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check if your IP addresses tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed
Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Get free access.