A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan.
The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023.
“LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers,” security researchers Anton Cherepanov and Peter Strýček said.
Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers.
The attacks are characterized by the use of a varied custom toolset that mainly consists of C#/.NET applications –
- NosyHistorian, to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox
- NosyDoor, a backdoor that uses Microsoft OneDrive as C&C and executes commands that allow it to exfiltrate files, delete files, and execute shell commands
- NosyStealer, to exfiltrate browser data from Google Chrome and Microsoft Edge to Google Drive in the form of an encrypted TAR archive
- NosyDownloader, to download and run a payload in memory, such as NosyLogger
- NosyLogger, a modified version of DuckSharp that’s used to log keystrokes
| NosyDoor execution chain |
ESET said it first detected activity associated with the hacking group in February 2024 on a system of a governmental entity in Southeast Asia, eventually finding that Group Policy was used to deliver the malware to multiple systems from the same organization. The exact initial access methods used in the attacks are presently unknown.
Further analysis has determined that while many victims were affected by NosyHistorian between January and March 2024, only a subset of these victims were infected with NosyDoor, indicating a more targeted approach. In some cases, the dropper used to deploy the backdoor using AppDomainManager injection has been found to contain “execution guardrails” that are designed to limit operation to specific victims’ machines.
Also employed by LongNosedGoblin are other tools like a reverse SOCKS5 proxy, a utility that’s used to run a video recorder to capture audio and video, and a Cobalt Strike loader.
The cybersecurity company noted that the threat actor’s tradecraft shares tenuous overlaps with clusters tracked as ToddyCat and Erudite Mogwai, but emphasized the lack of definitive evidence linking them together. That said, the similarities between NosyDoor and LuckyStrike Agent and the presence of the phrase “Paid Version” in the PDB path of LuckyStrike Agent have raised the possibility that the malware may be sold or licensed to other threat actors.
“We later identified another instance of a NosyDoor variant targeting an organization in an E.U country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server,” the researchers noted. “The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups.”
