One of the most active Cyberespionage groups in Asia, Naikon has launched a number of attacks in Asia and instigated what is being called the APT Wars. The group decided to hit out at another threat actor.
Kaspersky Labs researchers revealed that one of Naikon’s targets, Hellsing, had spotted the attempt to infect its system with a spear-phishing email carrying a malicious attachment. Although Kaspersky considered the group as “technically unremarkable”, nonthless, it accepted the e-mail carrying malicious attachment with displeasures. As the group questioned its authencity and was left dissatisfied, Hellsing then sent back the phishing campaign comprising Naikon’s own malware.
The group first emailed the sender back, requesting for identification of the email and where it was sent from. As the attacker was familiar with the internal structure of the target’s government agency so it answered that they worked for the secretarial division of the government and it was mandated to send the email by management.
As explained by Kaspersky, the following email was sent to the attacker by the target:
“The attachment is a RAR archive with password, which allows it to safely bypass malware scanners associated with the free email account used by the attackers.”
The payload of the spear-phishing email was a custom backdoor which is adequate to downloading and uploading files, updating and uninstalling by themselves. It appears from the counterattack method that Hellsing was keen to gather surveillance data on its attacker.
Hellsing is very selective in terms of the type of organisations targeted, attempting to infect mostly government and diplomatic entities. Kaspersky said it has detected and blocked Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US.
The company stated that the threat has been active since 2012, and by installing the malware, victims are likely to exposed their systems to a custom backdoor with upload and download capabilities.