The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.
The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.
Both Bitdefender and Kaspersky said the group is still active even today and appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.
Similar attacks dating back to 2018
Per Bitdefender, most of these attacks have followed a simple pattern and combined three malware payloads — Chinoxy, PCShare, and FunnyDream (malware after which the group was named).
Each of the three malware strains has a precise role. Chinoxy was deployed as the initial malware, acting as a simple backdoor for initial access.
PCShare, a known Chinese open-source remote access trojan, was deployed via Chinoxy and was used for exploring infected hosts.
FunnyDream was deployed with the help of PCShare, and was the most potent and feature-rich of the three, had more advanced persistence and communication capabilities, and was used for data gathering and exfiltration.
"Even looking at the tool usage timeline we can see that threat actors started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later decided to bring on a full toolkit, specifically the FunnyDream toolkit, for prolonged surveillance capabilities," Liviu Arsene, Global Cybersecurity Researcher at Bitdefender, told ZDNet.
"We've seen government infrastructure compromise and years-old persistence, custom exfiltration tools, and the use of living-off-the-land tools, all of which point to an espionage campaign, potentially politically motivated," Arsene added.
"Considering that Southeastern Asia has been under a lot of economic and trade issues related to shifting supply chains from China to Southeast Asia, as well as escalating US-China tariffs, this effort might be part of potential Chinese APT campaigns targeting South Eastern government institutions for potential espionage, aimed at figuring out how governments within the region plan to navigate these shifts.
"Some countries within the region have even gone through recent elections and governance changes, all of which could merit interest from potential Chinese APT groups in terms of how local regimes could align ideologically and politically to China's interests," the Bitdefender researcher told ZDNet.
The world's most famous and dangerous APT (state-developed) malware