C0007 FunnyDream
FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[3][1][2]
| Item | Value |
|---|---|
| ID | C0007 |
| Associated Names | |
| First Seen | July 2018 |
| Last Seen | November 2020 |
| Version | 1.0 |
| Created | 20 September 2022 |
| Last Modified | 10 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | For FunnyDream, the threat actors registered a variety of domains.[3] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script.[3] |
| enterprise | T1059.005 | Visual Basic | During FunnyDream, the threat actors used a Visual Basic script to run remote commands.[3] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.002 | Email Accounts | For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.[3] |
| enterprise | T1105 | Ingress Tool Transfer | During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.[3] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | For FunnyDream, the threat actors used a new backdoor named FunnyDream.[3] |
| enterprise | T1588.002 | Tool | For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool.[3] |
| enterprise | T1057 | Process Discovery | During FunnyDream, the threat actors used Tasklist on targeted systems.[3] |
| enterprise | T1018 | Remote System Discovery | During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks.[3] |
| enterprise | T1082 | System Information Discovery | During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.[3] |
| enterprise | T1016 | System Network Configuration Discovery | During FunnyDream, the threat actors used ipconfig for discovery on remote systems.[3] |
| enterprise | T1049 | System Network Connections Discovery | During FunnyDream, the threat actors used netstat to discover network connections on remote systems.[3] |
| enterprise | T1047 | Windows Management Instrumentation | During FunnyDream, the threat actors used wmiexec.vbs to run remote commands.[3] |
Software
| ID | Name | Description |
|---|---|---|
| S1043 | ccf32 | During FunnyDream, ccf32 was used to collect data.[3] |
References
1. Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022.
2. Insikt Group. (2021, December 8). Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia. Retrieved September 19, 2022.
3. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.