
Aria-body

Posted: May 8, 2020

Aria-body is a backdoor Trojan that lets attackers monitor and control infected PCs and collect information covertly. Government entities in Southeast Asia are at high risk of infection; the attackers compromise PCs using sophisticated, document-based phishing lures and the harvested identities of well-known contacts. Users should depend on reliable anti-malware services for deleting Aria-body and the Trojan downloaders often associated with its installation.

Chinese Hackers Taking Cover While Maintaining Their Aggression

As in real warfare, cyber-warfare requires understanding when to engage defensively, when to engage offensively, and when to balance the two postures. In many cases, it may seem that a threat actor is retiring from 'the business' of sending Trojans to its victims, when in reality it is merely conducting its attacks with a more defensive mindset. Aria-body, a backdoor Trojan from the Naikon APT, is a significant example of that change in strategy in 2020's threat landscape.

While the Naikon APT (a group previously linked to China's military) was revealed to the world in full by Kaspersky in 2015, the hackers seemingly went 'dark' after the publicity. Despite the quiet, they were drastically revamping their operations with new techniques, infrastructure, and tools for evading security software. Aria-body, for example, dates to 2017 or 2018. This backdoor Trojan's infection methods vary, ranging from DLL side-loading via an executable enclosed in a RAR archive to a download by a separate Trojan dropped by a corrupted RTF document.

Aria-body provides the Naikon APT with long-term control over the victim's PC, as any backdoor Trojan does. Beyond that, the non-standard features specific to Aria-body include:

  • Injecting itself into various processes in memory, with or without a UAC bypass
  • Taking screenshots
  • Recording keyboard strokes
  • Loading additional components as extensions
  • Running a reverse socks proxy (absent in some versions)
  • Collecting USB device files (also frequently absent)
  • Creating and writing to new files
  • Finding files by name
  • Removing itself

The C&C infrastructure's reliance on resources 'acquired' from victims, together with DLL side-loading, process injection, and other evasion techniques, is why Aria-body remained operational for years without being identified by cyber-security companies.
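DLL side-loading, named above as one of Aria-body's delivery methods and again as a reason it stayed undetected, has a simple defensive signature: a DLL that borrows the name of a well-known Windows system library but sits outside the Windows system directories, next to an executable in a user-writable location such as a folder extracted from an archive. The following Python script is an added example for this page, not code from the original article or from any vendor; it applies that heuristic to a constructed file listing. The list of system DLL names is an illustrative assumption (a real deployment would inventory the host's own System32), and every path in the sample listing is made up.

```python
"""Heuristic detector for DLL side-loading staging on a Windows host.

Flags a DLL whose file name matches a well-known Windows system DLL when it
lives outside the trusted system directories AND shares its directory with
at least one executable. This is a triage heuristic, not proof of
compromise: a hit should be checked against the DLL's signature and origin.
"""
from collections import defaultdict

# Assumption: a small, illustrative subset of system DLL names that signed
# applications commonly import and that are therefore attractive to hijack.
WELL_KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll",
    "secur32.dll", "cryptbase.dll", "profapi.dll", "oleacc.dll",
}

# Directories where a system DLL name is expected and therefore not suspicious.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _normalize(path: str) -> str:
    """Lower-case and unify separators so comparisons behave like NTFS lookups
    (case-insensitive, backslash-separated)."""
    return path.replace("/", "\\").lower()


def _split(path: str):
    """Return (normalized directory, normalized file name) for a path."""
    directory, _, name = _normalize(path).rpartition("\\")
    return directory, name


def _is_trusted(directory: str) -> bool:
    return any((directory + "\\").startswith(t) for t in TRUSTED_DIR_PREFIXES)


def find_sideload_candidates(paths):
    """Group paths by directory and report system-named DLLs that sit beside an
    executable outside the trusted directories.

    Returns a list of dicts with keys 'dll', 'executables' and 'directory'
    (directory is normalized); the list is sorted for deterministic output.
    """
    by_dir = defaultdict(list)
    for original in paths:
        directory, name = _split(original)
        by_dir[directory].append((name, original))

    findings = []
    for directory in sorted(by_dir):
        if _is_trusted(directory):
            continue
        entries = by_dir[directory]
        executables = sorted(orig for name, orig in entries if name.endswith(".exe"))
        if not executables:
            # A lone DLL with no loader beside it is not a side-loading setup.
            continue
        for name, orig in sorted(entries):
            if name in WELL_KNOWN_SYSTEM_DLLS:
                findings.append({
                    "dll": orig,
                    "executables": executables,
                    "directory": directory,
                })
    return findings


# Constructed sample listing (no real host was scanned). The Temp\extracted
# folder mimics an executable unpacked from an archive with a DLL beside it.
SAMPLE_FILES = [
    "C:\\Windows\\System32\\version.dll",
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\extracted\\report.exe",
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\extracted\\version.dll",
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\extracted\\report.pdf",
    "C:\\Program Files\\Vendor\\tool.exe",
    "C:\\Program Files\\Vendor\\helper.dll",
    "C:\\Users\\analyst\\Downloads\\notes.dll",
]


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_FILES):
        print(f"[!] {finding['dll']}")
        for exe in finding["executables"]:
            print(f"    possible loader: {exe}")
```

Run against the constructed listing, the script reports only the `version.dll` in the Temp\extracted folder, with `report.exe` as its possible loader; the copy in System32, the vendor DLL with a non-system name, and the lone DLL in Downloads are all ignored. Feeding it the output of a real file inventory (for example the paths from an endpoint agent's file events) turns the same logic into a cheap hunting query for the staging pattern described above.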

Halting Foreign Intrusion on a Network

Campaigns deploying the Aria-body backdoor Trojan target Southeast Asian nations almost exclusively, such as the Philippines, Indonesia and Australia. The Naikon APT also prefers a specific demographic beyond geography: government-owned and -operated entities. Their infection strategies are carefully tailored to what these targets expect, using public or previously collected documents that are 'Trojanized' with tools like RoyalRoad (an exploit builder popular with various threat actors).

Users should protect their PCs by scanning all downloads (including documents), installing updates for workplace software like Microsoft Office, and using strong passwords. Software patches partly address the exploits embedded in corrupted files, but users should always account for the possibility of a zero-day attack. Disabling macros and following network guidelines such as the principle of least privilege can also improve a potential target's safety.

Custom builds of Aria-body are regularly produced for new targets, and there is little to no chance of identifying the Trojan by casual observation. Workers can protect their systems with compatible anti-malware products that flag and delete Aria-body, its Trojan downloader, and other threats as necessary.

Aria-body is a tool that takes a seemingly small crack in one computer's security and widens it into something the Naikon APT can use and abuse at will. Government employees with no interest in becoming the inadvertent hosts of a Command & Control server should examine every incoming file carefully, even if it supposedly comes from someone 'safe.'
