Cluster25, a global cyber threat intelligence and adversary tracking team, has published a whitepaper on the Override Panda APT, also known as Naikon. According to Cluster25, Naikon has been tracked since 2010, more than ten years. The group targets the government agencies and military organizations of ASEAN member states, in particular those dealing with science and technology and with foreign affairs.
Two payloads, one file
In recent weeks the group appears to have resumed activity. It is using spear-phishing e-mail to deliver a beacon for Viper, a red-team framework. The e-mail carries a Chinese-language document that holds two different payloads hidden in its document properties.
Those payloads are then written to %Temp%\rad543C7.tmp.ini and %Temp%\rad543C7.tmp.exe. The rad543C7.tmp.exe file is already known as HexINI, an executable that acts as a loader for shellcode. When the shellcode in rad543C7.tmp.ini is executed, it creates a suspended svchost.exe process and injects the final beacon into it.
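As an added example (not code from the Cluster25 whitepaper or this article), the execution chain above gives a detection engineer two process-creation observables to hunt for: an executable named like rad<hex>.tmp.exe running from a Temp folder, and an svchost.exe whose parent is not services.exe (here, the loader in Temp). The Python below applies those two checks to a handful of constructed Sysmon-style events. The field names, the sample paths, and the generalised rad[0-9a-f]+ file-name pattern are assumptions; the article reports only the single name rad543C7.

```python
"""Hunt for the HexINI-style drop-and-inject chain in process-creation events.

Added example for this page. The sample rows below are constructed, not real
telemetry, and the file-name regex is an assumption generalised from the one
drop name (rad543C7.tmp.exe) reported in the article.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (EventID 1 fields only).
SAMPLE_EVENTS = r"""Image,ParentImage,CommandLine
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\explorer.exe,WINWORD.EXE /n C:\Users\alice\Downloads\invite.docx
C:\Users\alice\AppData\Local\Temp\rad543C7.tmp.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Users\alice\AppData\Local\Temp\rad543C7.tmp.exe
C:\Windows\System32\svchost.exe,C:\Users\alice\AppData\Local\Temp\rad543C7.tmp.exe,C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe,notepad.exe
"""

# Drop name from the article: "rad" + hex + ".tmp.exe" inside a Temp folder.
# Assumption: the hex run varies per victim, so any length is accepted.
TEMP_LOADER = re.compile(r"\\temp\\rad[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
SVCHOST = re.compile(r"\\svchost\.exe$", re.IGNORECASE)

# Legitimate svchost.exe instances are started by services.exe. Extend this
# allowlist for your own estate before turning the unusual-parent rule into an alert.
SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Read CSV-formatted process-creation events into dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits: List[str] = []
    image, parent = event["Image"], event["ParentImage"]

    # Rule 1: the loader executable dropped under %Temp% with the reported naming scheme.
    if TEMP_LOADER.search(image):
        hits.append("temp_loader")

    # Rule 2: svchost.exe started by something other than the service control manager.
    # A parent living in a Temp folder is the high-confidence variant of this rule.
    if SVCHOST.search(image):
        if TEMP_DIR.search(parent):
            hits.append("svchost_from_temp")
        elif parent.lower() not in SVCHOST_PARENTS:
            hits.append("svchost_unusual_parent")
    return hits


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Run every rule over the event log and return (rule, image, parent) findings."""
    findings: List[Tuple[str, str, str]] = []
    for event in parse_events(text):
        for rule in evaluate(event):
            findings.append((rule, event["Image"], event["ParentImage"]))
    return findings


if __name__ == "__main__":
    for rule, image, parent in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {image}  <-  {parent}")
```

The CREATE_SUSPENDED flag is not visible in a process-creation event, so the parent relationship is the signal; a CreateRemoteThread or process-access event targeting the same svchost.exe would corroborate the injection described above. Note that only svchost.exe spawned from Temp is flagged on the sample data; the netsvcs instance parented by services.exe is correctly left alone.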
The group uses open-source tools such as Viper and ARL (Asset Reconnaissance Lighthouse). Viper is a graphical penetration-testing tool, and ARL helps discover existing weak points and attack surfaces.