Chinese Hacking Group Suspected of Far-Reaching Campaign
Researchers: 'FunnyDream' Targeted Over 200 Entities in Southeast Asia
A recently identified Chinese hacking group dubbed "FunnyDream" has targeted more than 200 government entities in Southeast Asia since 2018 as part of an ongoing cyberespionage campaign, according to research from security firm Bitdefender.
The FunnyDream campaign, active since 2018, mainly targets organizations to conduct reconnaissance, gather data and documents and then exfiltrate the information, according to Bitdefender. The researchers note that many of the command-and-control servers associated with this campaign are inactive, although some remain operational.
Based on the group's use of malware previously linked to other Chinese advanced persistent threat groups and the concentration of the targets around Southeast Asia, Bitdefender notes FunnyDream is likely part of Chinese state-sponsored espionage activities intended to further the country's geopolitical interests.
"Attack artifacts show signs of a Chinese APT group that we believe to be state-sponsored," Michael Rosen, a researcher with Bitdefender, notes in the report. "Geopolitical tensions in the region are always present, and information exfiltrated by an APT campaign can yield commercial and military advantages to various adversaries and could compromise government actors should embarrassing political or personal information be revealed."
The Bitdefender report further notes it has detected malware infrastructure used by this particular group in Hong Kong, South Korea and Vietnam. Previously, researchers at Kaspersky also found traces of malware and other malicious tools associated with FunnyDream used in campaigns that targeted organizations in Malaysia, Taiwan, the Philippines and Vietnam.
Bitdefender reports the FunnyDream threat actor became active in late 2018 and has targeted more than 200 victims since then. In the attacks analyzed by the Bitdefender researchers, the hackers mainly use a combination of three malware variants: Chinoxy, PCShare and FunnyDream. Together, these provide backdoor access, spying capabilities, persistence within devices and networks, and document collection.
The report also notes that the hacking group uses distributed command-and-control servers for each of the backdoors to help evade detection.
"The distributed [command-and-control] infrastructure primarily controls the three backdoors," Rosen says. "Having [command-and-control] infrastructure in the same region as the likely attack targets tends to draw less suspicion to the IP traffic than remote communications from outside the region."
FunnyDream also has on hand other malicious tools, such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on the victims’ systems, the report notes.
Once the attackers infect a victim's device, FunnyDream proceeds to compromise the domain controllers within the victim’s network for lateral movement. The attackers then attempt to gain control over numerous devices within that victim's network.
The report, however, did not say how these initial attacks against targeted networks began, such as whether the hackers used phishing emails as part of the initial compromise or took advantage of vulnerabilities in applications or devices.
Links To China
Bitdefender notes FunnyDream could be a Chinese state-sponsored entity based on its use of Chinese language binaries and the Chinoxy backdoor - a remote access Trojan known to have been used by Chinese-speaking threat actors during previous campaigns.
Chinoxy, which other security researchers have linked to another Chinese APT group called "Roaming Tiger," has been active since 2014 and targeted defense organizations, critical infrastructure and universities throughout eastern Asia.
In March, independent security researcher Sebdraven - who has been tracking Chinoxy's activities - noted the malware was being spread as malicious documents in a COVID-19 themed phishing campaign.