A newly discovered cyber espionage operation, referred to as “Cuckoo Spear,” has brought to light the ongoing activities of a state-backed Chinese hacking group that has been quietly infiltrating Japanese organizations. This covert campaign is alarming due to its use of malware tools, such as LODEINFO and NOOPDOOR. These tools are designed to gather and exfiltrate sensitive information, as well as to remain hidden for long periods of time, going unnoticed for up to three years.
Attribution
The cybersecurity company Cybereason has been monitoring this campaign, and links it to the Advanced Persistent Threat (APT) group known as APT10. This group goes by several names, including Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda. Active since at least 2006, APT10 is a notorious Chinese state-sponsored cyber espionage group. They are known for their long-term infiltration tactics and focus on infrastructure sectors such as communications, manufacturing, and public services to support China’s national security objectives.
Technical Analysis of the Malware
In the Cuckoo Spear campaign, the primary malware tools used are LODEINFO and NOOPDOOR. LODEINFO was first identified in December 2019 and has since evolved to include anti-analysis techniques. It is usually spread through spear-phishing emails. This malware is capable of executing commands such as running shellcode, logging keystrokes, capturing screenshots, terminating processes, and exfiltrating files to a server controlled by the threat actors.
NOOPDOOR is a more recent addition to the APT10 toolkit and shares code similarities with another backdoor called ANEL Loader. NOOPDOOR enables the attackers to upload and download files, execute shellcode, and run additional programs, which helps them maintain persistence and evade detection. Cybereason has observed that while LODEINFO serves as the primary backdoor, NOOPDOOR acts as a secondary backdoor, providing redundant access and control within the targeted networks. This dual-backdoor strategy ensures that the threat actors can continue their operations even if one of the backdoors is detected and removed.
Methodologies and Attack Vectors
The Cuckoo Spear campaign has demonstrated adaptability in its methods of gaining access to targets. Initially, the threat actors relied heavily on spear-phishing to infiltrate systems. More recently, they have adjusted their tactics to exploit vulnerabilities in public-facing applications, specifically unpatched flaws in several products, to distribute LODEINFO and NOOPDOOR. The vulnerabilities they have targeted include those in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727). This shift to exploiting software vulnerabilities shows the group's ability to adapt its techniques to bypass security measures.
Three primary persistence mechanisms have been identified in the deployment of NOOPDOOR:
- Scheduled tasks: the attackers abuse scheduled tasks to run MSBuild, which loads malicious XML project files and assembles the NOOPDOOR loader at runtime.
- WMI event subscriptions: a Windows Management Instrumentation (WMI) event consumer carries out actions when its event filter fires. The attackers use an ActiveScript consumer running in the JScript engine, which in turn invokes MSBuild to run the NOOPDOOR loader.
- Windows Services (Service DLL): malicious services are configured to load unsigned DLL files, ensuring NOOPDOOR remains active on the system.
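As an added example (not from the Cybereason report or the original article), the following PowerShell script hunts for the three persistence patterns listed above on a single Windows host; it assumes an elevated session, and its matches are leads for analyst review rather than proof of compromise, since MSBuild, WMI subscriptions and svchost-hosted services all have legitimate uses.

```powershell
# Added example: enumerate the three NOOPDOOR-style persistence locations described above.
# Run in an elevated PowerShell session; review every hit, MSBuild is also used by legitimate build tooling.

# 1. Scheduled tasks whose action launches MSBuild (task-driven loader execution).
$msbuildTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'msbuild' -or $_.Arguments -match 'msbuild' }
} | Select-Object TaskName, TaskPath,
    @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# 2. Permanent WMI event consumers: any ActiveScriptEventConsumer (JScript/VBScript),
#    plus CommandLineEventConsumers whose command template references MSBuild.
$wmiConsumers = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
    Where-Object {
        $_.CimClass.CimClassName -eq 'ActiveScriptEventConsumer' -or
        ($_.CimClass.CimClassName -eq 'CommandLineEventConsumer' -and $_.CommandLineTemplate -match 'msbuild')
    } | Select-Object Name, @{ n = 'Class'; e = { $_.CimClass.CimClassName } },
        ScriptingEngine, ScriptText, CommandLineTemplate

# 3. svchost-hosted services whose ServiceDll does not carry a valid Authenticode signature.
$serviceDlls = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $dll; SignatureStatus = $sig.Status }
            }
        }
    }
}

'== Scheduled tasks invoking MSBuild =='
$msbuildTasks | Format-Table -AutoSize
'== WMI event consumers of interest =='
$wmiConsumers | Format-List
'== Service DLLs without a valid signature =='
$serviceDlls | Format-Table -AutoSize
```

Running the same script across a fleet and diffing the output against a known-good baseline turns these one-off checks into a repeatable hunt for the persistence techniques the report attributes to NOOPDOOR.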
Implications of the Cuckoo Spear Campaign
The Cuckoo Spear campaign highlights the need for strengthened cybersecurity protocols, thorough threat intelligence, and international cooperation. Nation-state actors such as APT10 are well funded and pose serious challenges to traditional security defenses. To counter these threats effectively, organizations and governments would be well advised to implement advanced security controls, keep their systems regularly updated and patched, and work closely with cybersecurity experts to stay ahead of attackers. Proactive threat hunting is also necessary to identify and mitigate risks before they cause damage. Real-time monitoring allows suspicious activity to be detected quickly, enabling swift responses to potential breaches. Mature incident response capabilities are likewise needed to contain and neutralize intrusions like those seen in the Cuckoo Spear campaign.
The Cuckoo Spear campaign illustrates the growing sophistication of cyber espionage operations and the need for effective cybersecurity strategies. Organizations and governments alike must continuously improve their defenses to counter these threats.