Researchers have recently uncovered Cuckoo Spear, an advanced threat actor associated with the renowned APT10 group. This sophisticated adversary has demonstrated persistent and stealthy operations within victim networks, maintaining a presence for two to three years. The discovery highlights the growing complexity of cyber espionage tactics and underscores the critical need for robust security protocols and continuous threat monitoring. Cuckoo Spear employs novel techniques and tools to execute its operations, emphasizing the importance of collaborative intelligence sharing among organizations and governments to counter such sophisticated nation-state adversaries.
Since December 2019, the LODEINFO malware, attributed to APT10, has been actively targeting critical infrastructure and academic sectors. Recent investigations have linked LODEINFO to a newly identified malware variant, NOOPDOOR, which, together with LODEINFO, forms the “Cuckoo Spear” threat suite. This combination of malware is used for persistent network infiltration and data exfiltration, indicating that espionage remains the primary motive behind these operations. The dual use of LODEINFO and NOOPDOOR showcases a strategic approach to maintaining long-term covert access within compromised networks.
The NOOPDOOR malware is a sophisticated 64-bit modular backdoor that utilizes domain-generation algorithm (DGA)-based command-and-control (C2) communication. It is loaded by the NOOPLDR decryptor, which is part of a multi-stage attack strategy. The use of NOOPDOOR for long-term covert operations, coupled with LODEINFO serving as the initial infection vector and command-and-control channel, illustrates the advanced nature of these threat actors’ tactics. The malware’s modular architecture and sophisticated functionalities, such as decryption mechanisms and DGA-based C2, highlight the evolving arsenal and techniques employed by Cuckoo Spear.
Cybereason’s research team, including Jin Ito, Loic Castel, and Kotaro Ogino, has provided an in-depth analysis of the NOOPDOOR and NOOPLDR malware variants. Their report reveals that Cuckoo Spear’s threat actors primarily use spear phishing through LODEINFO for initial access. They employ methods such as abusing Scheduled Tasks and WMI Consumer Events to ensure persistence within compromised systems. Techniques like leveraging MSBuild to compile malicious XML files and exploiting WMI event consumers for ActiveScript execution underscore the adversaries’ adaptability and resourcefulness. This advanced threat landscape necessitates heightened vigilance and adaptive defenses to mitigate the risks posed by such sophisticated cyber espionage activities.
Reference:
