Posted: May 8, 2020

Aria-body Description

Aria-body is a backdoor Trojan that helps attackers monitor and control infected PCs, as well as collect information covertly. Government entities in Southeast Asia are at high risk of infections, which may compromise PCs with sophisticated, document-based phishing lures and the collected identities of well-known contacts. Users should depend on reliable anti-malware services for deleting Aria-body or the Trojan downloaders often related to its installation.

Chinese Hackers Taking Cover While Maintaining Their Aggression

As in real warfare, cyber-warfare carries with it a need for understanding when to engage defensively or offensively, or carry out a balance of the two postures. In many cases, it may seem like a threat actor is retiring from 'the business' of sending Trojans out to their victims, when the reality is that they're conducting their attacks with a more defensive mindset, merely. Aria-body, a backdoor Trojan from the Naikon APT, plays a significant role in showing that change in strategy inside 2020's threat landscape.

While the Naikon APT (a group previously linked to China's military) was revealed to the world in full by Kaspersky in 2015, the hackers went 'dark' after the publicity seemingly. Despite the quiet, they were revamping their operations with new techniques, infrastructure, and tools for evading cyber-security tools drastically. Aria-body, for example, dates to either 2017 or the year after that. This backdoor Trojan's infection methods are semi-flexible, ranging from DLL side-loading through a RAR-enclosed executable to a download from a separate Trojan dropped from a corrupted RTF document.

Aria-body provides the Naikon APT with long-term control over the victim's PC, as with any other backdoor Trojan. Besides that, some of the non-standard features specific to Aria-body include:

  • Injecting itself into various memory processes, with or without UAC bypassing
  • Taking screenshots
  • Recording keyboard strokes
  • Loading additional components as extensions
  • Running a reverse socks proxy (absent in some versions)
  • Collecting USB device files (also frequently absent)
  • Creating and writing to new files
  • Finding files by name
  • Removing itself

The C&C server infrastructure's emphasis on using resources 'acquired' from victims, along with the DLL side-loading, injection, and other techniques, is why Aria-body remained operational for years without cyber-security companies identifying it.

Halting Foreign Intrusion on a Network

Campaigns deploying the Aria-body backdoor Trojan are anticipated for Southeast Asian nations near-exclusively, such as the Philippines, Indonesia and Australia. Similarly, the Naikon APT also prefers specific demographics besides geographical: government-owned and operated entities. Their infection strategies tailor to the expectations of these targets carefully, with public or collected documents that are 'Trojanized' via tools like the RoyalRoad (an exploit builder that's popular with various threat actors).

Users should protect their PCs by scanning all downloads (such as documents), installing updates for workplace software like Microsoft Office, and using strong passwords. The presence of exploits inside of corrupted files is somewhat correctible by software patches, but users always should account for the possibility of a zero-day attack. Disabling macros and abiding by network guidelines like the principle of least privilege also can improve a theoretical target's safety.

Custom builds of Aria-body are regular occurrences for new targets, and there's little to no chance of identifying the Trojan by casual observation. Workers can protect their systems with compatible anti-malware products for flagging and deleting Aria-body, the Trojan downloader, and other threats as necessary.

Aria-body is a tool that takes a seemingly-small crack in one computer security and widens it into something that lets the Naikon APT use and abuses it at their pleasure. Government employees without any interest in becoming the inadvertent hosts of a Command & Control server should take care to look at every incoming file carefully, even if it's supposedly from someone 'safe.'

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Aria-body may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.