Kaspersky report shows link between Naikon APT and Aria-body since 2018
May 2020 by Kaspersky
Back in 2015, governments, law enforcement and executive offices in the APAC region were targeted by an online group with the intention of accessing communications and sensitive information using malware and offensive activity.
On the 7th May 2020, cybersecurity company CheckPoint published a research report on the connection between Naikon and Aria-body, the two elements that made up the group. Whilst some thought this was the first time this connection has been made, a private report published in 2018 by Kaspersky, shows how its products have been detecting Aria-body since at least 2018.
For further information on the reports, please see below:
• On May 7, 2020 CheckPoint (CP) published a research on the connection between an active long-standing APT-threat actor Naikon, which mainly targets top-level targets and military organisations, and a tool called Aria-body with intrusive capabilities, which had been deployed against governments and state-owned companies in Australia and Southeast Asia. We would like to congratulate CP on their research and add to the conversation about this threat with our report on Securelist, where we share additional technical details on this threat.
• According to CheckPoint, nobody made the connection between Aria-body and Naikon before. However, Kaspersky released a private report in 2018, where we reported on Aria-body and linked it back to Naikon. Our public report dedicated to Naikon and published in 2015 overviewed tools that were being built at the time and modified into what later has become the Aria-body tool.
• Albeit our research on Aria-body was not public, Kaspersky products have been detecting Aria-body since at least 2018, with the following detection names:
Backdoor.Win32.Agent.m* and Trojan-Downloader.Win32.Agent.x*.