APT30, also known as the Naikon group, is one of the most active APT groups in Asia. Since 2010, it has launched spear phishing campaigns against organizations surrounding the South China Sea, intent on harvesting geo-political intelligence from civilian and military government organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos, and China. The actors speak native Chinese. Based on the choice of targets, the operating language, and the sophistication of the toolkit, there is a distinct possibility that APT30 is a Chinese state-sponsored threat group.
Spear phishing campaigns begin with a lure email relevant to the victim that carries a malicious Microsoft Word document, which, according to Kaspersky Lab, actually contains “a CVE-2012-0158 exploit, an executable with a double extension, or an executable with an RTLO filename”. One of its most prolific spear phishing campaigns was the March 2014 attacks targeting organizations from countries affected by the MH370 tragedy. Upon opening or execution, the malicious payload, an 8 KB encrypted file plus configuration data, is injected into the browser's memory, where it decrypts the ports and paths to the C2 server, a user agent string, filenames and paths to relevant components, and hash sums of the user API functions. The malicious code downloads the main malware from the C2 server over an SSL connection and then loads it independently of the operating system functions, without saving it to the hard drive, by assuming control of the XS02 function and handling the installation in memory.
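Two of the three lure formats quoted above (an executable with a double extension, and an executable whose filename uses the Right-to-Left Override character so that it displays with a harmless-looking extension) can be caught at the mail gateway by inspecting attachment names alone. The following is an added example for that check; it is not code from the page or from Kaspersky Lab or FireEye, and the attachment names it scans are constructed for illustration, not real samples from the MH370 campaign.

```python
"""Flag attachment filenames that use double extensions or bidi-override
tricks (e.g. U+202E RTLO) to disguise an executable as a document."""

# Unicode bidirectional control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}
RTLO = "\u202e"

# Extensions Windows will execute, and "decoy" extensions commonly placed in front of them.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "hta"}
DECOY_EXT = {"doc", "docx", "rtf", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def true_extension(filename):
    """Extension the OS will act on: strip bidi controls, take the text after the last dot."""
    clean = "".join(c for c in filename if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def rendered_name(filename):
    """Approximate what a user sees: a single RTLO reverses everything that follows it."""
    if RTLO not in filename:
        return filename
    head, tail = filename.split(RTLO, 1)
    return head + tail[::-1]


def flags_for(filename):
    """Return a list of reasons an attachment name is suspicious (empty list if none)."""
    reasons = []
    if any(c in BIDI_CONTROLS for c in filename):
        reasons.append("bidi-control-in-name")
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT:
        reasons.append("double-extension")
    if true_extension(filename) in EXEC_EXT:
        reasons.append("executable-attachment")
    return reasons


def scan_attachments(filenames):
    """Map each filename to its flags; only flagged names are returned."""
    return {name: flags_for(name) for name in filenames if flags_for(name)}


# Constructed attachment names, modelled on the lure styles the text describes.
SAMPLE_ATTACHMENTS = [
    "MH370_passenger_list.doc",            # benign document
    "MH370_update.pdf.exe",                # double extension
    "MH370_report" + RTLO + "cod.exe",     # RTLO: displays as MH370_reportexe.doc
    "flight_status.docx",                  # benign document
]

if __name__ == "__main__":
    for name, reasons in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{rendered_name(name)!r} (really .{true_extension(name)}): {', '.join(reasons)}")
```

Note that `rendered_name` models only the single-RTLO case that the lure description implies; nested or mixed bidi controls render differently, which is why `flags_for` treats the mere presence of any bidi control in a filename as reportable rather than trying to predict the exact display.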