The XsFunction tool is a backdoor Trojan that appears to be a part of the hacking arsenal of the Naikon APT (Advanced Persistent Threat). The Naikon hacking group likely originates from China and tends to target users and organizations in the South East Asian region. The Naikon APT first got on the radars of malware analysts back in 2015. In this campaign, the Naikon hacking group utilized the XsFunction backdoor Trojan to carry out reconnaissance operations. The Naikon hacking group remains active to this day, and their latest campaign involves a new tool called Aria-body backdoor. This hacking tool was used in operations that targeted government bodies located in Australia, Thailand, the Philippines, Vietnam and Brunei.
Despite the fact that the XsFunction threat was first spotted in 2015, this hacking tool is still used by the Naikon APT in their most recent campaigns. This is a very flexible threat that enables the attackers to execute 48 commands on the infected host. With this set of commands, the Naikon hacking group can gain full control of the targeted system easily. The XsFunction malware allows the attackers to:
- Execute remote commands.
- Manage the active processes and services.
- Control the file system.
- Upload files to the host.
- Download files from the host.
The key points of the latest campaign are that it appears focused on geopolitical espionage against national governments in the Asia-Pacific region, including Australia, the Philippines, Thailand, Vietnam, and Indonesia. The new campaign also uses a new backdoor, known as Aria-body. Aria-body launches "trusted" attacks using compromised computers against one another. The campaign also uses compromised computers as C&C servers to avoid detection. Researchers believe that Naikon never disappeared five years ago; rather, the group got better at hiding and has been busy these past five years.
The research began when Check Point discovered that the Australian government had received a malicious email from the embassy of another APAC country. The email contained a weaponized RTF file created with the RoyalRoad exploit builder. The file dropped the loader intel.wll into the Word startup folder, and that file then downloaded the payload for the next stage. This infection chain is similar to the Vicious Panda campaign, which also appears to come from China.
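Because Word automatically loads any .wll add-in (and any global template) it finds in its STARTUP folders, a file such as intel.wll dropped there runs every time Word starts. The following is an added defender-side example, not code from the article or from Check Point: it scans a constructed file inventory (the kind an EDR or asset-inventory export would produce) and flags auto-loaded files sitting in Word STARTUP folders, rating the intel.wll name reported above as high. The STARTUP path layouts assumed are the default per-user (%APPDATA%\Microsoft\Word\STARTUP) and per-install Office locations; hostnames and paths in the sample are constructed.

```python
import ntpath
from typing import Dict, List

# Extensions Word auto-loads from a STARTUP folder: .wll add-in DLLs (the
# type used for intel.wll) and global templates.
AUTOLOAD_EXTENSIONS = {".wll", ".dotm", ".dot"}

# File name reported in the campaign described above.
KNOWN_LOADER_NAME = "intel.wll"


def is_word_startup_autoload(path: str) -> bool:
    """True if `path` is a file Word would load automatically at start-up:
    it has an auto-load extension and sits directly in a folder named
    STARTUP beneath a Word or Office directory (per-user or per-install)."""
    parent, name = ntpath.split(path)
    ext = ntpath.splitext(name)[1].lower()
    if ext not in AUTOLOAD_EXTENSIONS:
        return False
    parts = [p.lower() for p in parent.split("\\") if p]
    if not parts or parts[-1] != "startup":
        return False
    # %APPDATA%\Microsoft\Word\STARTUP  or  <Office install>\Office16\STARTUP
    return any(p in ("word", "microsoft office") or p.startswith("office")
               for p in parts)


def scan_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory entries that Word would auto-load, annotated with a
    severity: 'high' when the file name matches the reported loader name,
    'medium' for any other STARTUP add-in or template (review it, since a
    legitimate add-in may live there too)."""
    findings = []
    for entry in inventory:
        path = entry["path"]
        if not is_word_startup_autoload(path):
            continue
        name = ntpath.basename(path).lower()
        severity = "high" if name == KNOWN_LOADER_NAME else "medium"
        findings.append({**entry, "severity": severity})
    return findings


# Constructed sample inventory (not real telemetry); hostnames are fictional.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    {"host": "ws-02", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Word\STARTUP\Normal-Tools.dotm"},
    {"host": "ws-03", "path": r"C:\Program Files\Microsoft Office\root\Office16\STARTUP\legit-addin.wll"},
    {"host": "ws-04", "path": r"C:\Users\carol\Downloads\intel.wll"},
    {"host": "ws-05", "path": r"C:\Users\dave\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt"},
]

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(f"{finding['severity']:6} {finding['host']} {finding['path']}")
```

The check deliberately keys on location plus extension rather than on the file name alone: the loader name is trivially changed by the attacker, whereas the STARTUP folder is what gives the persistence, so an unexpected .wll or .dotm there is worth a look regardless of name.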
Researchers find XsFunction Threats to Mimic Foreign Governments
Check Point explains that the group attacked one of its customers by posing as a foreign government. This incident brought Naikon to the attention of Check Point for the first time in five years. The researchers took a more in-depth look at the incident and determined that Naikon was a sophisticated APT operating out of China.
The research also discovered the attackers used two other infection chains. The first of these uses archive files with a legitimate executable file and malicious DLL designed for DLL hijacking. The second comes from an executable file that serves as a loader. Regardless of the infection method, the final payload is the Aria-body custom backdoor.
The loader looks like it was made specifically for the Aria-body RAT. The loader establishes persistence on the machine, injects itself into other processes, decrypts two blobs, uses a domain generation algorithm (DGA) when necessary, connects to C&C servers, retrieves the Aria-body DLL, decrypts it, and executes it.
The RAT functions much like other RATs, with different variants having some unique features. One update installed a reverse SOCKS proxy and keylogger, while another added an extension-loading module. The RAT collects a range of information about an infected computer, including: hostname, username, computer name, domain name, processor, Windows version, public IP, and whether the computer is 32-bit or 64-bit.
The data is packed into a password-protected ZIP file and sent to the C&C server along with the password. The backdoor stays connected to the C&C server to await further commands.
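A password-protected ZIP leaving a workstation towards an unfamiliar server is a usable network signal: the encryption flag lives in the plaintext local file header of every entry, so it can be read from a captured request body without the password. The following is an added example, not code from the article or from Check Point, that walks the local file headers in a raw byte stream and reports which entries are encrypted. The ZIP layout it parses is the public format (signature PK\x03\x04, 30-byte fixed header, general-purpose flag bit 0 = encrypted); the sample "POST body" is constructed inline and its file names and contents are fictional.

```python
import struct
import zlib
from typing import Dict, List

LOCAL_HEADER_SIG = b"PK\x03\x04"
# signature, version needed, flags, method, mod time, mod date, crc32,
# compressed size, uncompressed size, file name length, extra field length
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"          # 30 bytes, little-endian
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
FLAG_ENCRYPTED = 0x0001                     # general-purpose flag bit 0
METHOD_AES = 99                             # WinZip AES marker in the method field


def parse_local_headers(data: bytes) -> List[Dict]:
    """Walk every ZIP local file header found in `data` and report each
    entry's name, encryption flag, method and sizes. Works on a raw byte
    stream (e.g. an HTTP request body) and needs no central directory, so
    a truncated capture still yields the entries that were seen."""
    entries = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + LOCAL_HEADER_LEN <= len(data):
        (_sig, _ver, flags, method, _t, _d, _crc, csize, usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED) or method == METHOD_AES,
            "method": method,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        # Skip past name, extra field and the entry data. If csize is 0 the
        # entry may use a data descriptor; the search then simply continues
        # from the end of the header until the next signature.
        pos = data.find(LOCAL_HEADER_SIG, name_start + name_len + extra_len + csize)
    return entries


def encrypted_entry_names(data: bytes) -> List[str]:
    """Names of the encrypted entries in `data`; non-empty means the stream
    carries a password-protected archive and deserves a closer look."""
    return [e["name"] for e in parse_local_headers(data) if e["encrypted"]]


def build_local_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test data only: one stored (method 0) local file entry.
    A real encrypted entry carries ciphertext; here the payload is arbitrary
    bytes with the encryption flag set, which is all the detector inspects."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(payload) & 0xFFFFFFFF, len(payload),
                         len(payload), len(name), 0)
    return header + name + payload


# Constructed sample request body: one encrypted entry followed by one
# plaintext entry. Contents are fictional.
SAMPLE_POST_BODY = (
    build_local_entry(b"sysinfo.txt", b"hostname=WS-01;user=alice;arch=x64", True)
    + build_local_entry(b"readme.txt", b"nothing to see here", False)
)

if __name__ == "__main__":
    for entry in parse_local_headers(SAMPLE_POST_BODY):
        print(entry)
    print("encrypted entries:", encrypted_entry_names(SAMPLE_POST_BODY))
```

On its own an encrypted ZIP is not malicious, so this belongs in a correlation rule rather than a block rule: pair it with the destination (new or low-reputation host, or a peer workstation acting as a relay, as the article describes for the compromised-host C&C) and with the source process, which for an implant running inside an injected host process will not be an archiver or mail client.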
There is more to suggest this new campaign is the work of Naikon than just the similarity of the targets. The campaign from 2015 used a RAT with 48 commands, dubbed "XsFunction" by Check Point. Check Point Research discovered several similarities between the old XsFunction and the new Aria-body. Both RATs have the same debug strings and hashtag function, and other functions are the same between the two exploits. There is also an overlap in the infrastructure of the attacks, with four of the C&C servers having the same IP and domain as servers involved in the 2015 attacks.
Naikon seems to be a persistent group that has gone relatively unnoticed. A five-year campaign by the group was uncovered in 2015, and it looks like another five-year campaign has been discovered now. These discoveries suggest that the group has been active for the past ten years at the very least. It also seems the group has been quite busy during those five years of supposed inactivity, continuing to change its attack methods, develop new exploits and backdoors, and avoid detection and analysis by researchers.
Naikon appears to be driven by a desire to spy on other countries and gather intelligence. The group has been doing just that for at least the past five years, developing new tools and honing its skills to create new cybersecurity threats. The group used exploits attributed to other groups to mask its activity, and also hid behind its victims' servers.
It is interesting to think about how Naikon will react to being discovered again – will they disappear for another five years? Will they continue as they are? Will they actually disappear for good this time? For now, researchers can only keep an eye out for XsFunction and Aria-body.