The Aria-body malware is believed to be a threat developed by an experienced Chinese APT (Advanced Persistent Threat) dubbed Naikon. The hacking group in question has likely been active for over a decade now, as they were first spotted back in 2010. The Aria-body threat is classified as a backdoor Trojan, and the APT responsible for it has updated it several times so far. According to malware researchers, the Aria-body threat has been deployed against specific targets in the Australian government. The targeted users received spear-phishing emails that contained the corrupted payload of the Aria-body Trojan. In 2019 the Filipino Department of Science and Technology was targeted with a very similar spear-phishing campaign by the same Chinese APT.
The authors of the Aria-body malware appear to target mainly government organizations and officials. However, there are likely plenty of victims of the Aria-body backdoor Trojan that have not yet been identified by cybersecurity analysts. The Aria-body threat appears to be propagated by well-designed emails that contain corrupted attachments, whose goal is to exploit known vulnerabilities in Microsoft Office.
Once the Aria-body backdoor Trojan has infiltrated a targeted host, it allows the attackers to:
- Take screenshots of the desktop and active windows of the user.
- Gather and exfiltrate data regarding the hardware and software of the infected system.
- Collect files from connected USB flash drives.
- Plant additional corrupted payloads.
- Monitor the running processes and services.
- Manage, delete, move, and create files and folders.
- Search for certain filetypes and filenames.
- Launch a keylogger that exfiltrates the collected keystrokes to the C&C (Command & Control) server of the attackers.
- Launch a reverse proxy service.
A Rarity Among Malware
The group behind Aria-Body is Naikon APT (Advanced Persistent Threat). Naikon is a Chinese-speaking hacking group that was first brought to the attention of the public in 2015. Some of the tools used by the group, such as Rarstone, had been seen long before 2015, however.
A report released in September 2015 by Defense Group and ThreatConnect connected the group with Unit 78020 of the Chinese army and also exposed a member of the group.
Naikon vanished from the public eye after this exposure, but security researchers with Check Point discovered the group had been continuing its actions behind the scenes. Naikon used procedures and techniques that kept it hidden from public view.
The group seems to be still focused on the Asia Pacific area. It has targeted ministries of foreign affairs, science, and technology in several countries, including Australia, Vietnam, the Philippines, Indonesia, Myanmar, and Thailand. The group has also targeted government-owned companies.
Security experts say Naikon is a motivated and sophisticated Chinese hacking group that has been practicing their skills and creating new malware – such as the Aria-Body backdoor – over the past five years.
The group picked up speed in late 2019 and early 2020, using exploits associated with other groups and using victims' servers as command and control (C2) servers.
How Does Naikon Operate?
Check Point recently published research showing that Aria-Body was delivered to the Australian government in the form of an email sent from an embassy in the Asia Pacific region. The sender was likely hacked to exploit their relationship with the target.
The email in question included a malicious Word document called "The Indians Way" encoded to download malware. The malware would download the payload from an external source and install it on the target computer. The weaponized document appeared to have been created with the RoyalRoad exploit builder.
Naikon also uses archives that contain legitimate executable files, such as an Avast proxy or an old installation of Outlook, that load a malicious DLL on the side to retrieve and install the payload. They also have a malware dropper for more direct attacks.
Naikon planted the Aria-body backdoor on computers at the Philippines Department of Science and Technology earlier this year. The payload was sent from an IP within the country and was built with two command and control (C2) servers. One of the servers worked as a backup, and the IP associated with it belongs to a website owned by the Philippines government that is currently not working.
Aria-Body appears to follow a three-stage delivery chain:
- Crafting a document and email that look like legitimate government communication with information the target is interested in – the information is based on public information or proprietary data stolen from another compromised system.
- Weaponizing the document so that it downloads Aria-Body to gain access to the target's network.
- Conducting the attack using the victim’s own servers and launching new attacks through the now compromised system.
Recovery from Aria-Body
Security experts say Aria-body is a sophisticated backdoor that can locate and collect documents from a compromised system or network.
The first stage of infection sees the malware run reconnaissance on the machine. It gathers information on the target computer, including the Windows version, the network, CPU, architecture, and the public IP address.
The malware can then search for specific files by name, suggesting Naikon infects targets knowing what it is looking for. It can also obtain data from any removable drives attached to the computer. The backdoor can also log keystrokes and take screenshots as needed.
Researchers say that some variations of the malware were compiled back in 2018 while the loaders associated with it were spotted the year before.
The Aria-Body backdoor downloader establishes persistence on an infected system, injects itself into another running process, grabs the backdoor from the C2 server, and runs it on the compromised host.