Trend Micro experts have analyzed the campaign they call Naikon
Experts have identified a cybercriminal campaign, dubbed Naikon, that targets communications, oil, government, media and other types of organizations in Asia. The cybercriminals rely on the RARSTONE Remote Access Tool (RAT), which is similar to PlugX, to take complete control of their targets’ computers.
Trend Micro reports that the attackers send out spear-phishing emails that purport to contain documents related to diplomatic discussions in the Asia-Pacific region.
When the documents attached to the emails are opened, a vulnerability in Windows common control is exploited, and RARSTONE is pushed onto the victim’s computer. In the meantime, a bait document is displayed to avoid raising suspicion.
Once on a device, RARSTONE downloads a backdoor component from a command and control (C&C) server directly into memory, without writing it to disk. This allows the threat to go undetected by classic file-based scanning technologies.
Unlike other RATs, RARSTONE checks the Uninstall Registry Key and uses it to find out what applications are installed on the computer. The programs that interfere with its functions are removed.
In addition, C&C communications are done via SSL to protect the connection and to make sure malicious traffic blends in with legitimate traffic.
The individuals behind the Naikon campaign, named so because of the “NOKIAN95/WEB” user agent string that’s been identified in the attacks, want to ensure their infrastructure is difficult to analyze. They use dynamic DNS domains or registrars that have privacy protections.
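The two network-level traits mentioned above, the “NOKIAN95/WEB” user agent string and the use of dynamic DNS hosting for C&C, are the kind of indicators a defender can hunt for in proxy logs. The following is an added example, not code from Trend Micro or from the original article: it scans a few constructed proxy log lines for either trait and returns the matches. The log layout, the client addresses and the dynamic-DNS suffixes (`.dyndns.example`, `.no-ip.example`) are all assumptions made for illustration; the article names no specific C&C domains.

```python
import re
from dataclasses import dataclass

# Indicator taken from the article: the user agent string seen in Naikon traffic.
NAIKON_USER_AGENT = "NOKIAN95/WEB"

# Hypothetical dynamic-DNS suffixes, constructed for this example only; a real
# deployment would use the organisation's own threat-intel list.
DYNAMIC_DNS_SUFFIXES = (".dyndns.example", ".no-ip.example")

# Constructed sample log lines in a simple proxy-log layout (assumed format):
#   timestamp client_ip method target "user-agent"
# CONNECT targets are host:port, as a proxy records them for TLS tunnels.
SAMPLE_LOG = """
2013-06-13T09:12:01Z 10.1.4.22 GET http://intranet.example/portal "Mozilla/5.0 (Windows NT 6.1)"
2013-06-13T09:12:07Z 10.1.4.22 CONNECT update.dyndns.example:443 "NOKIAN95/WEB"
2013-06-13T09:13:40Z 10.1.4.31 GET http://news.example/asia "Mozilla/5.0 (Windows NT 6.1)"
2013-06-13T09:14:02Z 10.1.4.31 POST http://files.no-ip.example/upload "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    client: str
    target: str
    reason: str


def host_of(target: str) -> str:
    """Extract the host from either a full URL or a CONNECT host:port target."""
    without_scheme = re.sub(r"^[a-z]+://", "", target, flags=re.IGNORECASE)
    return re.split(r"[/:]", without_scheme, maxsplit=1)[0].lower()


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per log line that shows a Naikon-style trait.

    The user agent match is the stronger indicator, so it takes precedence
    when a line would match both heuristics.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Malformed line: skip rather than crash the whole scan.
            continue
        if m["ua"] == NAIKON_USER_AGENT:
            findings.append(Finding(m["client"], m["target"],
                                    "user agent matches NOKIAN95/WEB"))
        elif host_of(m["target"]).endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append(Finding(m["client"], m["target"],
                                    "destination is a dynamic-DNS host"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} -> {f.target}: {f.reason}")
```

Because the C&C channel is wrapped in SSL, the user agent is only visible to the proxy on the CONNECT request itself or where TLS is terminated at the proxy; the dynamic-DNS check works on the destination host name alone, so it still applies when the encrypted payload cannot be inspected.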
“Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities,” Maharlito Aquino, Trend Micro Threats analyst, explained.
“Traditional technologies like blacklisting and perimeter controls are not enough to detect or block the components of these campaigns. Instead, enterprises need to increase their visibility and control over their networks in order to identify dubious network traffic.”