Camaro Dragon Expands Espionage Through TinyNote Backdoor


In recent months, the notorious hacker group Camaro Dragon has intensified its cyber espionage activities. The group has specifically targeted European foreign affairs organizations with links to Southeast and East Asia.

With suspected affiliations to Chinese state-sponsored threat actors like Mustang Panda, Camaro Dragon has been involved in a widespread network of espionage operations. 

In a recent report, ESET researchers unveiled the inner workings of Chinese state-sponsored threat actors. These hacker groups are reportedly leveraging malicious TP-Link router firmware known as Horse Shell.

Notably, within this landscape of threat actors, the notorious Camaro Dragon group has emerged, now connected to a backdoor called TinyNote. Here is a quick look at the threat actor’s campaigns and use of TinyNote in their operation.

Camaro Dragon and TinyNote’s functionality and targets

During an investigation, an unprecedented Go-based backdoor named TinyNote was found on a distribution server associated with the notorious Camaro Dragon hacker collective.

Intriguingly, subsequent analysis of malware samples from various sources revealed multiple instances of this insidious code, all engaged in communication with command and control (C&C) servers directly affiliated with the Camaro Dragon group. 

Moreover, the TinyNote backdoor has honed its sights on high-value targets, specifically directing its activities towards embassies and institutions dedicated to foreign affairs situated in the regions of Southeast and East Asia.

While TinyNote serves as a first-stage malware with basic capabilities for machine enumeration and command execution using PowerShell or Goroutines, its primary focus is to establish redundancy within compromised systems.

This involves setting up multiple persistence tasks, communicating with various C&C servers, and executing various commands received from the C&C infrastructure.

Evading SmadAV antivirus

An intriguing aspect of the TinyNote backdoor is its ability to bypass SmadAV, an antivirus software widely used in Southeast Asian countries like Myanmar and Indonesia. 

The malicious actors analyzed the inner workings of SmadAV and found a way to bypass its checks. They achieved this by creating a window without a name but with the class name “EDIT,” which is one of the default window class names.

This window is designed with specific attributes: a large X position, width and height set to 0, and flags like WS_EX_TOOLWINDOW, which categorize it as a tool window. These attributes trick the IsWindowVisible function into identifying the window as visible, even though it remains hidden from the user and does not appear in the taskbar or when using the ALT+TAB shortcut.
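To hunt for this artifact on an endpoint, here is an added Python script (not from the original article or from the researchers' report) that enumerates top-level windows and flags the attribute combination described above; the off-screen X threshold and the exact matching rule are assumptions drawn from that description.

```python
import sys
from dataclasses import dataclass

WS_EX_TOOLWINDOW = 0x00000080  # documented Win32 extended-style flag
OFFSCREEN_X = 10_000           # assumed threshold for a "large X position"

@dataclass
class WindowInfo:
    hwnd: int
    cls: str
    title: str
    x: int
    width: int
    height: int
    ex_style: int
    pid: int

def is_suspicious(w: WindowInfo) -> bool:
    """Match the attribute combination described for TinyNote's window.
    Real EDIT controls are sized child windows, so a nameless, zero-sized,
    off-screen top-level EDIT tool window is anomalous (assumed heuristic)."""
    return (w.cls.upper() == "EDIT" and w.title == ""
            and w.width == 0 and w.height == 0
            and w.x >= OFFSCREEN_X
            and bool(w.ex_style & WS_EX_TOOLWINDOW))

def enumerate_windows() -> list[WindowInfo]:
    """Collect top-level windows through Win32; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32, found, GWL_EXSTYLE = ctypes.windll.user32, [], -20

    @ctypes.WINFUNCTYPE(ctypes.c_bool, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        h = wintypes.HWND(hwnd)  # keep the full handle width on 64-bit
        buf = ctypes.create_unicode_buffer(256)
        user32.GetClassNameW(h, buf, 256); cls = buf.value
        user32.GetWindowTextW(h, buf, 256); title = buf.value
        rect, pid = wintypes.RECT(), wintypes.DWORD()
        user32.GetWindowRect(h, ctypes.byref(rect))
        user32.GetWindowThreadProcessId(h, ctypes.byref(pid))
        ex_style = user32.GetWindowLongW(h, GWL_EXSTYLE)
        found.append(WindowInfo(hwnd, cls, title, rect.left, rect.right - rect.left,
                                rect.bottom - rect.top, ex_style, pid.value))
        return True  # keep enumerating
    user32.EnumWindows(on_window, 0)
    return found
```

On a Windows host, `[w for w in enumerate_windows() if is_suspicious(w)]` lists matching windows with their owning PIDs for triage.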

Backdoor execution flow

TinyNote operates in two primary modes: persistence (installation of a PowerShell backdoor) and the backdoor itself. In the first mode, the malware establishes persistence by creating scheduled tasks to retrieve and execute PowerShell commands from various C&C servers.

The payload returned by the C&C server is a lightweight PowerShell backdoor that executes a list of commands, concatenates the outputs, and sends them back via a POST request.

Once persistence is achieved, the malware enters the second mode and operates from a “zip” path. It collects system data, encrypts it using a simple XOR algorithm, encodes it with Base64, and transmits it to one of the available C&C URLs, chosen at random.

Several strong connections between the Camaro Dragon hacker group and the TinyNote backdoor solidify their association.

The same C&C server that hosts one version of the TinyNote backdoor was also discovered to serve the MQsTTang backdoor during the same period. 

Another C&C server consistently used by the threat actors further strengthens this connection. The victimology, lures, and naming conventions employed by the hackers align with previous Camaro Dragon campaigns.

The analysis of the TinyNote backdoor provides insights into Camaro Dragon’s highly targeted approach and extensive research before infiltrating their intended victims’ systems.

Although the backdoor is not technologically advanced, it employs various tactics to establish a foothold in compromised systems, such as using Golang, lightweight functionality, and bypassing specific antivirus software commonly found on potential targets. 

Using TinyNote and other tools of varying technical complexity suggests that the threat actors are actively diversifying their attack arsenal.

The activities of Camaro Dragon serve as a reminder of the evolving and persistent nature of cyber espionage, highlighting the critical need for robust cybersecurity measures and proactive threat intelligence to defend against such sophisticated threats.