Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering

Cyber Security Threat Summary:
“The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of ‘basic machine enumeration and command execution via PowerShell or Goroutines.’ What the malware lacks in terms of sophistication, it makes up for when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers” (The Hacker News, 2023).

According to Check Point, the TinyNote backdoor is being distributed under file names related to foreign affairs matters (e.g., "PDF_ Contacts List Of Invitated Deplomatic Members" and "Note_Documents_No.14-Tokyo-__From___Embassy___of___Russia") and likely targets Southeast and East Asian embassies. A notable feature of the backdoor is that it is capable of bypassing SmadAV, an Indonesian antivirus tool used in Southeast Asian countries including Myanmar and Indonesia.

“At the beginning of its execution, the malware starts a function called bypassSMADAV, whose purpose is to bypass the Indonesian antivirus Smadav. The developers of the antivirus position their solution as a “second-layer antivirus” with “active users mostly from Indonesia, and other users mostly come from Southeast Asia and Africa Countries”. The existence of the code that handles this specific antivirus once again confirms the focused targeting of Camaro Dragon campaigns and their knowledge of their victims’ environments and solutions,” stated researchers in a recent blog post.

Security Officer Comments:
TinyNote was found on the Camaro Dragon distribution server. After conducting an investigation, researchers were able to connect the infrastructure to another threat actor, Mustang Panda, a Chinese state-sponsored group that has been active since 2012. According to Check Point, the server where the malware sample was found (103[.]159[.]132[.]91) acts as a C&C server for the backdoor and was also observed being used as a delivery server for one of Mustang Panda’s backdoors during the same time period.
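
As an added defender-side example (not code from the Check Point or Hacker News write-ups), the snippet below refangs the C&C address quoted above and checks constructed proxy log lines against it. It matches the destination field exactly, so a neighbouring address such as 103.159.132.9 does not produce a false hit; the log format and sample lines are assumptions:

```python
import re

# Defanged C&C indicator quoted in the summary above (from Check Point's report).
DEFANGED_C2 = "103[.]159[.]132[.]91"

def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Constructed sample proxy/firewall log lines (not real traffic); the
# key=value layout is an assumption, adjust LINE_RE for your own logs.
SAMPLE_LOGS = [
    "2023-06-02T10:14:05Z src=10.0.0.12 dst=103.159.132.91 dport=443 action=allow",
    "2023-06-02T10:14:07Z src=10.0.0.12 dst=142.250.74.46 dport=443 action=allow",
    "2023-06-02T10:15:11Z src=10.0.0.31 dst=103.159.132.91 dport=80 action=allow",
    "2023-06-02T10:15:12Z src=10.0.0.31 dst=103.159.132.9 dport=80 action=allow",
]

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_c2_hits(log_lines, defanged_iocs):
    """Return (src, dst, dport) for each line whose destination exactly
    matches one of the refanged indicators. Exact comparison, not substring
    search, is what keeps 103.159.132.9 from matching 103.159.132.91."""
    wanted = {refang(ioc) for ioc in defanged_iocs}
    hits = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if m and m.group("dst") in wanted:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits

if __name__ == "__main__":
    for src, dst, dport in find_c2_hits(SAMPLE_LOGS, [DEFANGED_C2]):
        print(f"possible TinyNote C&C contact: {src} -> {dst}:{dport}")
```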

“The victimology and lures are consistent with the latest Camaro Dragon campaigns, including the activity associated with the MQsTTang backdoor. In addition, the actors also keep using a “folder” icon and a specific naming convention for some of their backdoors seen since early 2023,” noted researchers at Check Point.

Suggested Correction(s):
With phishing lures being the main infection vector for this group, users should adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

Link(s):
https://thehackernews.com/2023/06/camaro-dragon-strikes-with-new-tinynote.html
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/