Researchers uncovered Cuckoo Spear, a new threat actor associated with the APT10 group, demonstrating persistent stealthy operations within victim networks for two to three years.
The advanced persistent threat (APT) utilizes novel techniques and tools to conduct cyber espionage, emphasizing the critical need for robust security protocols, continuous threat monitoring, and collaborative intelligence sharing among organizations and governments to counter sophisticated nation-state adversaries like APT10.
Since December 2019, the LODEINFO malware, attributed to the Chinese state-sponsored APT10 group, has been actively targeting critical infrastructure and academic sectors.
Recent investigations linked LODEINFO to the new NOOPDOOR malware, collectively termed “Cuckoo Spear.”
Cuckoo Spear leverages both malware variants for persistent network infiltration and data exfiltration, strongly indicating espionage as the primary motive.
The overlap in tactics, victims, and malware arsenal with previous APT10 operations, including “Earth Kasha” and “MirrorFace,” solidifies the attribution to this sophisticated threat actor.
NOOPDOOR is a sophisticated 64-bit modular backdoor that uses DGA-based C2 communication; it is loaded by the NOOPLDR decryptor, which threat actors employ in multi-stage attacks.
LODEINFO, a primary backdoor, installs NOOPDOOR as a secondary backdoor to maintain persistent access within compromised networks for over two years.
NOOPDOOR provides long-term covert operations, while LODEINFO likely serves as the initial infection vector and command-and-control channel.
Cybereason’s research team, comprising Jin Ito, Loic Castel, and Kotaro Ogino, has comprehensively investigated the latest NOOPDOOR and NOOPLDR malware variants, detailing their advanced functionalities and tactics within a Threat Analysis Report.
Their analysis delves into the malware’s sophisticated capabilities, including DGA-based C2 communication, decryption mechanisms, and modular architecture, shedding light on the threat actor’s evolving arsenal and techniques for stealthy infiltration, data exfiltration, and persistent network foothold.
Recent incident response efforts uncovered a sophisticated threat actor toolset designed for covert intrusion, data exfiltration, and persistent control.
Advanced reverse engineering revealed a primary reliance on spear phishing, specifically LODEINFO, for initial access, underscoring the need for robust defenses against evolving threat actor tactics.
The threat actors are deploying NOOPDOOR through Scheduled Tasks and WMI Consumer Events to establish persistence.
In the first method, MSBuild is abused to compile a malicious XML file into the NOOPDOOR loader.
The second method exploits WMI event consumers, triggering ActiveScript execution and subsequently leveraging MSBuild for NOOPDOOR compilation.
Both techniques demonstrate the adversaries’ adaptability in utilizing system tools for malicious purposes.
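A detection sketch for the two persistence paths described above, added here as an example and not taken from the Cybereason report: it flags MSBuild.exe started by the Task Scheduler service or by scrcons.exe, the WMI ActiveScript consumer host. The event records, hostnames and file paths are constructed, and the field names assume Sysmon-style process-creation data.

```python
import ntpath

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
# Constructed process-creation records (Sysmon Event ID 1 style); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": NET, "cmd": r"MSBuild.exe C:\ProgramData\placeholder\a.xml",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "ws02", "image": NET, "cmd": r"MSBuild.exe C:\Users\Public\placeholder\b.xml",
     "parent_image": r"C:\Windows\System32\wbem\scrcons.exe",
     "parent_cmd": r"C:\Windows\System32\wbem\scrcons.exe -Embedding"},
    # Developer build: MSBuild started from an IDE, expected to stay unflagged.
    {"host": "dev01", "image": r"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
     "cmd": r"MSBuild.exe app.csproj /p:Configuration=Release",
     "parent_image": r"C:\BuildTools\IDE\devenv.exe", "parent_cmd": "devenv.exe app.sln"},
    # Ordinary scheduled task that does not involve MSBuild.
    {"host": "ws03", "image": r"C:\Program Files\Vendor\updater.exe", "cmd": "updater.exe /check",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
]


def exe_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Label MSBuild launches whose parent is Task Scheduler or the WMI script consumer host."""
    if exe_name(event["image"]) != "msbuild.exe":
        return None
    parent = exe_name(event["parent_image"])
    parent_args = event["parent_cmd"].lower().split()
    if parent == "scrcons.exe":  # host process for ActiveScriptEventConsumer
        return "wmi-activescript-consumer"
    if parent == "taskeng.exe" or (parent == "svchost.exe" and "schedule" in parent_args):
        return "scheduled-task"
    return None


def hunt(events):
    """Return (host, label, command line) for every event worth triaging."""
    return [(e["host"], label, e["cmd"]) for e in events if (label := classify(e))]


if __name__ == "__main__":
    for host, label, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host}: MSBuild via {label}: {cmd}")
```

Build servers that legitimately run MSBuild from scheduled tasks will match the second rule and need an allow-list keyed on host and project path.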
Threat actors establish persistent access to compromised systems by installing malicious Windows services and loading unsigned dynamic-link libraries (DLLs) into memory.
This allows attackers to execute malicious code with elevated privileges, maintain covert operations, and evade detection by security solutions that rely on signature-based detection methods.