China-Aligned APT Hackers Exploit Windows Group Policy to Deploy Malware

A sophisticated cyberespionage campaign targeting governmental entities in Southeast Asia and Japan has unveiled a new China-aligned threat actor dubbed LongNosedGoblin.

Active since at least September 2023, this advanced persistent threat (APT) group distinguishes itself by leveraging a diverse toolset of custom C#/.NET malware families.

Their operations primarily focus on intelligence gathering, employing stealthy techniques to infiltrate sensitive networks and maintain long-term access without detection.

The group’s most notable tactic involves the abuse of Windows Group Policy for lateral movement and malware deployment.

After compromising the Active Directory infrastructure, the attackers plant malicious payloads in Group Policy so that domain-joined machines pull and apply them on their own. This gives the group code execution on many hosts at once without having to exploit each one individually, and the activity blends in with routine policy processing.

One tool propagated this way is NosyHistorian, which harvests browser history to identify high-value users and systems for follow-on activity.

WeLiveSecurity (ESET) researchers identified the malware in early 2024 within a Southeast Asian government network, where multiple machines were compromised simultaneously through Group Policy updates.

Investigations revealed that the attackers disguised their malware as legitimate policy files, such as History.ini or Registry.pol, to blend into the Group Policy cache directories.

This strategic camouflage highlights the group’s emphasis on evasion and persistence within compromised environments.
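As an added example (not the article's or ESET's code), the following Python check walks a Group Policy cache directory and flags files whose contents do not match the policy file names they carry. It relies on two facts about the real formats: a genuine Registry.pol begins with the ASCII signature "PReg" followed by a little-endian version DWORD of 1, and .ini files are plain text, so a file under the policy tree that begins with an MZ header is a Windows executable whatever it is called. The directory tree it scans is constructed inline.

```python
"""Spot payloads masquerading as Group Policy files.

Added example, not code from the article or from ESET. It walks a Group
Policy cache directory and checks that files carrying policy names really
have the expected format. The directory layout built below is constructed.
"""
import os
import tempfile

# Documented Registry.pol header: ASCII "PReg" then little-endian version 1.
PREG_HEADER = b"PReg" + (1).to_bytes(4, "little")
# Byte-order marks that legitimately start a UTF-8 / UTF-16 text file.
TEXT_BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")


def classify(path: str) -> str:
    """Return 'ok' or a short reason why the file does not match its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    name = os.path.basename(path).lower()
    if head[:2] == b"MZ":
        return f"PE executable disguised as {name}"
    if name == "registry.pol" and head != PREG_HEADER:
        return "Registry.pol without PReg header"
    if name.endswith(".ini") and not head.startswith(TEXT_BOMS):
        try:
            head.decode("ascii")
        except UnicodeDecodeError:
            return f"binary content in {name}"
    return "ok"


def scan_policy_cache(root: str) -> dict:
    """Map each suspicious file (path relative to root) to the reason it was flagged."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            verdict = classify(full)
            if verdict != "ok":
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = verdict
    return findings


def build_sample_cache() -> str:
    """Create a constructed cache tree: one clean GPO folder, one with planted files."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "{11111111-1111-1111-1111-111111111111}", "Machine")
    planted = os.path.join(root, "{22222222-2222-2222-2222-222222222222}", "Machine")
    os.makedirs(clean)
    os.makedirs(planted)
    # Genuine-looking artifacts: a PReg policy file and an ANSI .ini.
    with open(os.path.join(clean, "Registry.pol"), "wb") as fh:
        fh.write(PREG_HEADER + b"[\x00S\x00o\x00f\x00t\x00w\x00a\x00r\x00e\x00")
    with open(os.path.join(clean, "GPT.INI"), "wb") as fh:
        fh.write(b"[General]\r\nVersion=3\r\n")
    # Planted artifacts using the names the report mentions: a PE saved as
    # History.ini and a Registry.pol that is really a PE. The bytes are a
    # fake DOS stub, not a real sample.
    fake_pe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    with open(os.path.join(planted, "History.ini"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(planted, "Registry.pol"), "wb") as fh:
        fh.write(fake_pe)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_policy_cache(build_sample_cache()).items()):
        print(f"{why}: {rel}")
```

Pointed at the real cache, the same scan is a cheap triage step after a suspected GPO compromise: anything it flags is worth hashing and pulling for analysis before the policy is refreshed again.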

NosyDoor Execution Mechanism

The group’s primary backdoor, NosyDoor, exemplifies their reliance on living-off-the-land techniques and cloud-based command and control infrastructure.

NosyDoor execution chain (Source - Welivesecurity)

The malware operates through a three-stage execution chain designed to evade detection by standard security products.

The infection begins with a dropper component that decrypts embedded payloads using the Data Encryption Standard (DES) with the 8-byte key UevAppMo.

The dropper, NDropper, applies execution guardrails so that the payload is only decrypted and run on the intended victim machines.

NDropper code with execution guardrails (Source - Welivesecurity)

Once the guardrail checks pass, it establishes persistence by creating a scheduled task that launches UevAppMonitor.exe, a legitimate Windows binary that the malware copies from System32 into the .NET Framework directory.

The core of the evasion strategy is AppDomainManager injection. The attackers place a UevAppMonitor.exe.config file beside the copied executable that names the assembly and type the .NET runtime should use as the AppDomainManager, so the CLR loads the attacker's DLL before the legitimate application's own code runs.

Content of UevAppMonitor.exe.config with specified AppDomainManager (Source - Welivesecurity)

The configuration file points to SharedReg.dll as the AppDomainManager assembly. That DLL bypasses the Antimalware Scan Interface (AMSI) and decrypts the final NosyDoor payload.
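As an added example (not the article's or ESET's code), the following Python check takes the path of a .NET executable, for instance the command of a suspicious scheduled task, and inspects the sidecar <exe>.config for the two documented <runtime> settings that AppDomainManager injection relies on, appDomainManagerAssembly and appDomainManagerType. It also notes when a binary normally found in System32 runs from another directory and whether the named manager assembly sits beside it. The directory tree, the version string and the type name SharedReg.Manager are constructed; the report only shows that the assembly is SharedReg.dll.

```python
"""Detect AppDomainManager injection through a sidecar <exe>.config.

Added example, not code from the article or from ESET. The sample tree, the
assembly version string and the type name "SharedReg.Manager" are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Documented .NET <runtime> elements that select a custom AppDomainManager.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# System32 binaries the report names as copied elsewhere for hijacking.
SYSTEM32_BINARIES = {"uevappmonitor.exe"}


def parse_app_domain_manager(config_xml: str) -> dict:
    """Return the manager assembly/type values set in <runtime>, if any."""
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for elem in MANAGER_ELEMENTS:
            node = runtime.find(elem)
            if node is not None and node.get("value"):
                found[elem] = node.get("value")
    return found


def assess_executable(exe_path: str) -> dict:
    """Report injection indicators for one executable and its sidecar config."""
    result = {"exe": exe_path, "manager": {}, "indicators": []}
    exe_name = os.path.basename(exe_path).lower()
    if exe_name in SYSTEM32_BINARIES and "system32" not in exe_path.lower():
        result["indicators"].append("System32 binary running from another directory")
    cfg = exe_path + ".config"
    if not os.path.isfile(cfg):
        return result
    with open(cfg, encoding="utf-8") as fh:
        result["manager"] = parse_app_domain_manager(fh.read())
    if result["manager"]:
        result["indicators"].append("config sets a custom AppDomainManager")
        asm = result["manager"].get("appDomainManagerAssembly", "")
        asm_name = asm.split(",")[0].strip()
        # The manager assembly is probed from the exe's own directory, so a
        # DLL with that name beside the binary is the payload to collect.
        dll = os.path.join(os.path.dirname(exe_path), asm_name + ".dll")
        if asm_name and os.path.isfile(dll):
            result["indicators"].append(f"manager assembly on disk: {asm_name}.dll")
    return result


# Constructed config in the shape the report describes; only the assembly
# name SharedReg comes from the article, the rest is assumed.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="SharedReg, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SharedReg.Manager" />
  </runtime>
</configuration>
"""

# Constructed benign config: an ordinary runtime-version pin, no manager.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def build_sample_tree(config_xml: str, exe_name: str, dll_name: str = "") -> str:
    """Constructed layout mimicking the .NET Framework directory; returns the exe path."""
    base = tempfile.mkdtemp()
    fw = os.path.join(base, "Microsoft.NET", "Framework64", "v4.0.30319")
    os.makedirs(fw)
    exe = os.path.join(fw, exe_name)
    open(exe, "wb").close()  # empty stand-in for the copied binary
    with open(exe + ".config", "w", encoding="utf-8") as fh:
        fh.write(config_xml)
    if dll_name:
        open(os.path.join(fw, dll_name), "wb").close()
    return exe


if __name__ == "__main__":
    hijacked = build_sample_tree(MALICIOUS_CONFIG, "UevAppMonitor.exe", "SharedReg.dll")
    benign = build_sample_tree(BENIGN_CONFIG, "Tool.exe")
    for exe in (hijacked, benign):
        report = assess_executable(exe)
        print(exe, "->", report["indicators"] or "clean")
```

Run against the command paths of all scheduled tasks on a host, the check surfaces the combination that matters here: a Microsoft binary relocated out of System32 with a .config that hands control to a non-Microsoft assembly. The config file itself is plain XML and is not signed or validated by the loader, which is why this technique works without patching the executable.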

NosyStealer execution chain (Source - Welivesecurity)

The backdoor then reads its configuration from log.cached (the report shows it decrypted and beautified) and communicates with Microsoft OneDrive, exchanging RSA-encrypted metadata and receiving commands stored in task files.
