Chinese APT Backdoor Bypasses Indonesian AntivirusTinyNote Creates a 'You Can't See It But It's There' Open Window
A Chinese espionage threat group is using a novel backdoor to bypass a popular Indonesian antivirus. Security researchers say targets include European embassies located in Southeast and East Asia.
Check Point said in research published Thursday that it had found a distribution server used by the threat actor protected by basic HTTP Authorization with a known password. Among the tools on the server - most already known, including HRSWord, made by Beijing-based Huorong Network Technology - researchers found a backdoor they dubbed TinyNote.
TinyNote is a "basic remote shell, limited in capabilities." It lets attackers set up persistence and execute commands from a command-and-control server. What's interesting about it, Check Point researchers said, is how it bypasses a security check by Smadav, an Indonesian antivirus tool popular in Southeast Asian countries including its home country and Malaysia.
The bypass is an indication of "the focused targeting of Camaro Dragon campaigns and their knowledge of their victims' environments and solutions."
As Check Point researchers explain it, each time a new process starts, Smadav checks to see if the process opens a visible window on the desktop. It treats processes with no windows as suspect and suggests that users may want to block them. TinyNote gets around that by opening a window - that is not visible to users. The backdoor opens a tool window that Microsoft Windows doesn't display in the taskbar or in the set of windows when a user presses Alt + Tab. TinyNote also sets the window width and height to zero and skips a call to the windows class function
RegisterClass by using a default class name.
"Ultimately, creating this window allows the threat actors to bypass the check, as the newly created window is technically visible, and continue the backdoor execution uninterrupted," the researchers wrote.
TinyNote is not the first instance of the threat actor exploiting Smadav for its ends. Swedish nonprofit Qurium in 2021 associated Mustang Panda with an attack - against Malaysian lawmakers who had been prevented by the military from taking seats in the Parliament - that used a Trojanized version of Smadav.
TinyNote file names Check Point found on the barely protected server and in the wild use terms connected with foreign affairs, such as "PDF_ Contacts List Of Invited Deplomatic Members." The naming conversion is similar to how Mustang Panda named another backdoor malware dubbed MQsTTang and discovered by Eset in March.