FunnyDream

FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]

ID: C0007
First Seen: July 2018 [2]
Last Seen: November 2020 [1]
Version: 1.0
Created: 20 September 2022
Last Modified: 10 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

During FunnyDream, the threat actors used wmiexec.vbs to run remote commands.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

During FunnyDream, the threat actors used a Visual Basic script to run remote commands.[1]

Enterprise T1585.002 Establish Accounts: Email Accounts

For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.[1]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.[1]

Enterprise T1082 System Information Discovery

During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.[1]

Enterprise T1049 System Network Connections Discovery

During FunnyDream, the threat actors used netstat to discover network connections on remote systems.[1]

Enterprise T1016 System Network Configuration Discovery

During FunnyDream, the threat actors used ipconfig for discovery on remote systems.[1]

Enterprise T1583.001 Acquire Infrastructure: Domains

For FunnyDream, the threat actors registered a variety of domains.[1]

Enterprise T1588.001 Obtain Capabilities: Malware

For FunnyDream, the threat actors used a new backdoor named FunnyDream.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool.[1]

Enterprise T1105 Ingress Tool Transfer

During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.[1]

Enterprise T1057 Process Discovery

During FunnyDream, the threat actors used Tasklist on targeted systems.[1]

Enterprise T1018 Remote System Discovery

During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks.[1]

Software

ID Name Description
S1043 ccf32

During FunnyDream, ccf32 was used to collect data.[1]

S1041 Chinoxy

During FunnyDream, Chinoxy was used to gain persistence and deploy other malware components.[1]

S1044 FunnyDream

During the FunnyDream campaign, the FunnyDream backdoor was used to execute multiple components and exfiltrate files.[1]

S0100 ipconfig

[1]

S0104 netstat

[1]

S1050 PcShare

During FunnyDream, the threat actors used a customized version of PcShare.[1]

S0096 Systeminfo

[1]

S0057 Tasklist

[1]

References