FunnyDream

FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[1]

ID: S1044
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 23 September 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FunnyDream can use WMI to open a Windows command shell on a remote machine.[1]

Enterprise T1025 Data from Removable Media

The FunnyDream FilePakMonitor component has the ability to collect files from removable devices.[1]

Enterprise T1005 Data from Local System

FunnyDream can upload files from victims' machines.[1][2]

Enterprise T1090 Proxy

FunnyDream can identify and use configured proxies in a compromised network for C2 communication.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FunnyDream has used a service named WSearch for execution.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FunnyDream has established persistence by running sc.exe and by setting the WSearch service to run automatically.[1]

Enterprise T1572 Protocol Tunneling

FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

FunnyDream can use cmd.exe for execution on remote hosts.[1]

Enterprise T1120 Peripheral Device Discovery

The FunnyDream FilepakMonitor component can detect removable drive insertion.[1]

Enterprise T1113 Screen Capture

The FunnyDream ScreenCap component can take screenshots on a compromised host.[1]

Enterprise T1010 Application Window Discovery

FunnyDream has the ability to discover application windows via execution of EnumWindows.[1]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

FunnyDream has compressed collected files with zLib.[1]

.003 Archive Collected Data: Archive via Custom Method

FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line or qwerasdf if the command line argument doesn’t contain the key. File names are obfuscated using XOR with the same key as the compressed file content.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

FunnyDream can stage collected information including screen captures and logged keystrokes locally.[1]

Enterprise T1001 Data Obfuscation

FunnyDream can send compressed and obfuscated packets to C2.[1]

Enterprise T1083 File and Directory Discovery

FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.[1]

Enterprise T1106 Native API

FunnyDream can use Native API for defense evasion, discovery, and collection.[1]

Enterprise T1012 Query Registry

FunnyDream can check Software\Microsoft\Windows\CurrentVersion\Internet Settings to extract the ProxyServer string.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

FunnyDream can Base64 encode its C2 address stored in a template binary with the xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_- or xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_= character sets.[1]

Enterprise T1070 Indicator Removal

FunnyDream has the ability to clean traces of malware deployment.[1]

.004 Indicator Removal: File Deletion

FunnyDream can delete files including its dropper component.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

FunnyDream can use rundll32 for execution of its components.[1]

Enterprise T1082 System Information Discovery

FunnyDream can enumerate all logical drives on a targeted machine.[1]

Enterprise T1033 System Owner/User Discovery

FunnyDream has the ability to gather user information from the targeted system using whoami /upn & whoami /fqdn & whoami /logonid & whoami /all.[1]

Enterprise T1124 System Time Discovery

FunnyDream can check system time to help determine when changes were made to specified files.[1]

Enterprise T1016 System Network Configuration Discovery

FunnyDream can parse the ProxyServer string in the Registry to discover HTTP proxies.[1]

Enterprise T1119 Automated Collection

FunnyDream can monitor files for changes and automatically collect them.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FunnyDream can identify the processes for Bkav antivirus.[1]

Enterprise T1105 Ingress Tool Transfer

FunnyDream can download additional files onto a compromised host.[1]

Enterprise T1056 .001 Input Capture: Keylogging

The FunnyDream Keyrecord component can capture keystrokes.[1]

Enterprise T1057 Process Discovery

FunnyDream has the ability to discover processes, including Bka.exe and BkavUtil.exe.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread APIs to load the DLL component.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

FunnyDream can use COM objects identified with CLSID_ShellLink (IShellLink and IPersistFile) and WScript.Shell (RegWrite method) to enable persistence mechanisms.[1]

Enterprise T1018 Remote System Discovery

FunnyDream can collect information about hosts on the victim network.[2]

Enterprise T1041 Exfiltration Over C2 Channel

FunnyDream can execute commands, including gathering user information, and send the results to C2.[1]

Enterprise T1095 Non-Application Layer Protocol

FunnyDream can communicate with C2 over TCP and UDP.[1]

Campaigns

ID Name Description
C0007 FunnyDream

During the FunnyDream campaign, the FunnyDream backdoor was used to execute multiple components and exfiltrate files.[1]

References