This Threat Analysis Report delves into a newly discovered nation-state level threat campaign tracked by Cybereason as Cuckoo Spear. It outlines how the associated Threat Actor persists stealthily on victims' networks for years, highlights the strategies used across Cuckoo Spear, and explains how defenders can detect and prevent these attacks.
In this report, Cybereason confirms the ties between Cuckoo Spear and the APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group's new arsenal and techniques.
This is the first of three parts on the Cuckoo Spear threat campaign. It introduces the Threat Actor, the related campaign and their arsenal, and details the TTPs observed during the various incidents. The next two parts will cover the reverse engineering of their arsenal (NOOPLDR/NOOPDOOR in particular) and how to fight against this Threat Actor.
We have published Indicators of Compromise, YARA rules and Python scripts related to this report; they are available in the following public GitHub repository: https://github.com/Cybereason-Open-Source/CuckooSpear/
Since December 2019, the cybersecurity landscape has been continuously challenged by the emergence and evolution of the LODEINFO malware. Recent investigations suggest the involvement of a Chinese state-backed Advanced Persistent Threat (APT) group, likely APT10, in orchestrating these attacks. A recent development identified ties between the Threat Actor utilizing LODEINFO and a new malware family called NOOPDOOR. Cybereason named this threat campaign "Cuckoo Spear".
In this report, the Cybereason team examined several key aspects regarding Cuckoo Spear:
Summary

| Category | Subcategory | Details |
|---|---|---|
| Victimology | Country | Japan, India, Taiwan |
| Victimology | Industries | Academic, Government, Manufacturing |
| TTPs | Initial Infection Vectors | Spear-Phishing; Exploitation of public-facing applications (e.g. Array AG, FortiOS/FortiProxy and Proself) |
| TTPs | Techniques | DLL Side-Loading; Exploitation for Client Execution |
| Malware | Downloader / Malware Loader | DOWNIISA, NOOPLDR |
| Malware | Backdoor | LODEINFO, NOOPDOOR |
| Malware | Infostealer | MirrorStealer, MSRAStealer |
| Tools | | Cobalt Strike |
Intrusion Set Table of Threat Actors Behind NOOPDOOR
Note: Cybereason began writing this article at the beginning of January 2024 after encountering multiple cases of compromise from the same Threat Actor. The adversary was using weaponized tools that were not public at the time. In the week of the 22nd of January 2024, threat intelligence reports from Trend Micro and ESET were published highlighting similar findings.
Trend Micro and ESET published their research findings at JSAC2024 regarding Threat Actors leveraging LODEINFO and the new backdoor dubbed NOOPDOOR. From the intrusion sets observed in multiple campaigns, both companies attributed the Threat Actors behind this campaign to a group related to APT10; specifically, Trend Micro has attributed the Threat Actors as "Earth Kasha". The Threat Actors behind NOOPDOOR consist of the Intrusion Sets represented in the table above, as observed during the campaigns tracked by Cybereason, ESET and Trend Micro.
The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks. The intention behind this behavior is likely espionage, as the Threat Actors targeted critical infrastructure sectors and academic institutions, which are common intelligence-gathering targets.
APT10 is a sophisticated Chinese state-sponsored cyber espionage group that has been active since as early as 2006, according to the Department of Defense. The information security community widely believes the group's focus is to support Chinese national security goals by gathering intelligence against relevant targets. APT10 often targets critical infrastructure sectors such as communications, manufacturing and various public sectors.
Cybereason documented the campaign as "Cuckoo Spear". Cuckoo Spear is tied to the APT10 Intrusion Set through the links made between various incidents attributed to the Threat Actors "Earth Kasha" and "MirrorFace", including both APT10's older arsenal (LODEINFO) and the new arsenal presented in this report.
This attribution is based on four main aspects:
This section describes the arsenal related to Cuckoo Spear observed on the different incidents Cybereason worked on and the links that tie them together.
| Backdoor | Incident A | Incident B | Incident C | Incident D |
|---|---|---|---|---|
| Cobalt Strike GOSICLOADER | YES | | | |
| LODEINFO | YES | | | |
| NOOPLDR-DLL | YES | YES | | |
| NOOPLDR-C# | YES | YES | YES | |
| DOWNJPIT | YES | | | |
| Incident Start Date | April 2021 | May 2021 | November 2021 | October 2023 |
Cybereason re-used the naming convention established by Trend Micro and ESET, naming the loader NOOPLDR in reference to the NOOPDOOR backdoor that it loads afterwards. The names used in this report are the following:
LODEINFO Execution Flow
LODEINFO, named by JPCERT in their blog, is a backdoor known to be active since 2019. Threat Actors often deploy LODEINFO through DLL Side-Loading, which loads the LODEINFO loader DLL into legitimate executables. This execution flow attempts to load the LODEINFO shellcode and execute the backdoor in memory. The most recent known LODEINFO version is v0.7.3, first observed in the wild in October 2023.
An interesting aspect of LODEINFO is that the developers change the C2 command functionality with each version update, often removing previously supported commands. For example, the developers removed the C2 command to remove files (rm) between v0.6.3 and v0.6.6, but this functionality came back after v0.6.8. The comparative chart of backdoor commands provided by ITOCHU Cyber & Intelligence Inc contains detailed information on the backdoor commands as well as the changes across versions v0.6.5, v0.7.1 and v0.7.2/v0.7.3.
GOSICLoader is a Golang-based malware loader responsible for loading Cobalt Strike. The loader abuses DLL Side-Loading: GOSICLoader is loaded into the legitimate process jcef_helper.exe, a JetBrains plugin process.
GOSICLoader Execution Flow
DOWNJPIT is a fileless downloader named by Kaspersky. DOWNJPIT is responsible for downloading, decrypting and executing LODEINFO.
DOWNJPIT Execution Flow Presented By Kaspersky HITCON 2021
DOWNJPIT was spotted in one of the incidents related to Cuckoo Spear.
NOOPLDR/NOOPDOOR Execution Flow
In this report, Cybereason exhibits a new backdoor utilized by the Threat Actors, called NOOPDOOR as dubbed by ESET and Trend Micro. NOOPDOOR is a 64-bit modular backdoor which relies on DGA-based C2 communication. The backdoor is loaded by a loader called NOOPLDR, which appears to have two different variants.
NOOPLDR is responsible for decrypting and executing NOOPDOOR, which uses a DGA to actively communicate with the C2 server.
Cybereason observed LODEINFO and NOOPDOOR together in one case. As mentioned in other reports, the Threat Actors have started to incorporate NOOPDOOR in their new campaigns. Based on the analysis of LODEINFO and on the observation of these campaigns, LODEINFO appears to be used as the primary backdoor while NOOPDOOR acts as a secondary backdoor that maintains persistence within the corporate network.
In this section, Cybereason outlines all the behaviors observed during incidents associated with the Cuckoo Spear campaign.
Other reports documenting this Threat Actor mention the following vulnerabilities used as initial access vectors:
In the Cuckoo Spear campaign, two out of those three vulnerabilities were identified as initial access vector leads.
Spear-phishing is the most common initial access technique observed from Threat Actors utilizing LODEINFO; however, the malicious actors have started to shift their tactics toward exploiting vulnerabilities.
NOOPDOOR must first be loaded on the victim machines, which is done through persistence mechanisms; Cybereason observed three different methods.
The Threat Actors maintain persistence within the environment by abusing Scheduled Tasks. The scheduled task executes MSBuild, which loads a malicious XML file and compiles the NOOPDOOR loader at runtime.
MSBuild Execution Via Schedule Task
The Threat Actors leverage a WMI event consumer, which executes its action when triggered by an event filter. The Threat Actors use an ActiveScript consumer, which appears to run in the JScript engine. As the consumer action in this WMI event, the Threat Actors launch MSBuild to run the NOOPDOOR loader, similar to the scheduled task which also leverages MSBuild.
Utilizing WMI event consumers is an alternative method of persisting within the environment.
WMI Event Consumers For NOOPDOOR
The process responsible for hosting scripting WMI event consumers, such as ActiveScript consumers, is scrcons.exe, which then spawns the processes declared in its scripts.
NOOPLDR/NOOPDOOR Attack Tree
The Threat Actors also maintain persistence within the environment by creating malicious services that load unsigned DLL files.
In this case, unsigned DLL files are written to the C:\Windows\System32\ folder.
A registry entry indicates that this DLL is loaded into an svchost.exe process as a Service DLL.
Extract From Velociraptor IR Tool
The screenshot above shows a registry key for a service named DssSvc with a ServiceDll configured as C:\Windows\System32\pgodb100.dll, which is in fact NOOPLDR (the DLL variant).
To summarize how Service DLLs are used for persistence, one technique involves creating a new Windows service hosted by svchost.exe. Here is an overview of the process:
This method leverages the Windows service infrastructure to achieve persistence by loading a custom DLL into svchost.exe, ensuring execution of the specified code on every system restart.
From a detection perspective, defenders can look for the loading of unsigned DLLs under the following process:
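Hunting logic covering the three persistence mechanisms described in this section (an MSBuild scheduled task compiling an XML project, a WMI ActiveScript consumer launching MSBuild, and an unsigned Service DLL hosted by svchost.exe), as an added example; it is not Cybereason tooling or code from the report. The telemetry records are constructed and their field names are assumptions; the dll_signed flag stands in for an Authenticode check performed elsewhere. The task name, the DssSvc service and pgodb100.dll come from the report, while placeholder_project.xml is a placeholder for the redacted XML file name.

```python
"""Added example (not Cybereason tooling): hunt for the three NOOPLDR persistence
mechanisms described above across constructed endpoint telemetry."""
import re

# Constructed records. Field names are assumptions, not any product's schema.
# Task/service names come from the report; placeholder_project.xml is a placeholder.
SCHEDULED_TASKS = [
    {"name": r"\Microsoft\Windows\Windows Defender\Windows Defender Maintenance",
     "trigger": "onstart",
     "command": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "arguments": r"C:\Windows\system32\placeholder_project.xml"},
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "trigger": "weekly",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},
]
WMI_CONSUMERS = [
    {"class": "ActiveScriptEventConsumer", "name": "Updater", "engine": "JScript",
     "script": r'new ActiveXObject("WScript.Shell").Run("C:\\Windows\\Microsoft.NET'
               r'\\Framework64\\v4.0.30319\\MSBuild.exe C:\\Windows\\system32\\placeholder_project.xml", 0);'},
    {"class": "NTEventLogEventConsumer", "name": "SCM Event Log Consumer",
     "engine": None, "script": None},  # benign consumer shape, constructed
]
SERVICES = [
    # dll_signed stands in for an Authenticode verification done elsewhere (assumption)
    {"name": "DssSvc", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Windows\System32\pgodb100.dll", "dll_signed": False},
    {"name": "Dnscache", "image_path": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
     "service_dll": r"%SystemRoot%\System32\dnsrslvr.dll", "dll_signed": True},
]

MSBUILD = re.compile(r"msbuild\.exe$", re.I)
PROJECT_FILE = re.compile(r"\.(xml|csproj|proj)(\s|$)", re.I)


def msbuild_with_project(command, arguments):
    """True when MSBuild is launched with an XML/project file: the pattern the
    report describes for compiling the NOOPDOOR loader at run time."""
    return bool(MSBUILD.search(command.strip('"'))) and bool(PROJECT_FILE.search(arguments or ""))


def hunt_scheduled_tasks(tasks):
    """Scheduled tasks whose action is MSBuild compiling a project file."""
    return [f"task {t['name']}: MSBuild compiles {t['arguments']} on trigger '{t['trigger']}'"
            for t in tasks if msbuild_with_project(t["command"], t["arguments"])]


def hunt_wmi_consumers(consumers):
    """ActiveScript consumers (hosted by scrcons.exe) are rare in enterprises;
    every one is reported, and those whose script launches MSBuild are marked."""
    findings = []
    for c in consumers:
        if c["class"] != "ActiveScriptEventConsumer":
            continue
        launches_msbuild = bool(re.search(r"msbuild\.exe", c.get("script") or "", re.I))
        findings.append(f"WMI consumer {c['name']} ({c['engine']})"
                        + (": script launches MSBuild" if launches_msbuild else ""))
    return findings


def hunt_services(services):
    """svchost-hosted services whose ServiceDll fails signature verification."""
    return [f"service {s['name']}: unsigned ServiceDll {s['service_dll']} hosted by svchost.exe"
            for s in services
            if "svchost.exe" in s["image_path"].lower() and not s["dll_signed"]]


def run_hunt():
    """Combine the three hunts into one list of findings."""
    return (hunt_scheduled_tasks(SCHEDULED_TASKS) + hunt_wmi_consumers(WMI_CONSUMERS)
            + hunt_services(SERVICES))


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

On a real host the three record sets would be collected from the Task Scheduler library, the root\subscription WMI namespace and the Services registry hive; the point of the routine is that each persistence method leaves an artifact in a different store, so a hunt has to query all three.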
Cybereason observed several domains created by the DGA, and will detail these aspects in the following sections.
DGA Sample
Aside from the C2 domains that resolve to external IP addresses, Cybereason has also observed internal C2 communications amongst the infected machines.
Cybereason identified processes injected with NOOPDOOR listening on the following TCP ports:
This allows the Threat Actor to connect to internal machines in case the external C2 is unavailable, funneling C2 connections through an internal server that becomes the sole point of communication with the Internet.
Internal Communication To NOOPDOOR On Port 5984
This also gives the Threat Actor the capability to remotely control a machine that is not connected to the Internet or has limited outbound network capability.
Across the different cases Cybereason observed, a Domain Generation Algorithm (DGA) has been used:
Threat Actors often use dynamic DNS services like No-IP to manage their command and control (C2) infrastructure. Since the IP address of a C2 server can change frequently, a dynamic DNS service helps maintain consistent communication with malware on compromised systems.
Due to their nature, it is more difficult for security systems to track and blacklist IP addresses associated with dynamic DNS services because, by design, those IP addresses change regularly. This helps Threat Actors avoid detection by security tools that rely on IP blacklists. Threat Actors can also create redundant systems, ensuring that if one domain is taken down or blocked, others remain operational.
Cybereason identified the Threat Actor behind these attacks using the following domains through a service similar to No-IP:
In addition to these No-IP domains, Cybereason also witnessed additional domains being used. These domains were mainly registered through registrars such as NAMECHEAP or Tucows.
In the screenshot below, Cybereason lists the IP addresses that the domains resolved to during the observation period of each incident:
Resolved Cuckoo Spear IPs (VirusTotal)
Those IP addresses are mostly hosted in Japan under hosting services such as Akamai or AS-CHOOPA. The other countries are:
In one Cuckoo Spear instance, the Threat Actor used scheduled tasks to conduct lateral movement within the environment. They create the scheduled task by abusing schtasks.exe against a remote machine; the task is responsible for executing the C# loader via MSBuild at startup.
Scheduled Task Creation On Remote Machine
Once the scheduled task creation is complete, another instance of schtasks.exe executes the created task immediately on the remote machine.
The Threat Actor deployed several techniques of defense evasion in both NOOPDOOR and NOOPLDR.
Aside from the attacker tools, the Threat Actor also deleted event logs on the target systems.
The Threat Actor also displayed post-exploitation behavior, discovering Active Directory through net.exe commands and the local network through the ping.exe and nslookup.exe tools.
Post-Exploitation Behavior Attack Tree
In one incident, the Threat Actors utilized the following CMD commands (shown as the argument passed to cmd.exe /c) as part of the post-exploitation:
/c copy \\[REDACTED]\C$\Windows\System32\Winevt\Logs\security.evtx
/c del C:\Users\[REDACTED]AppData\Local\Temp\Cookie-* /f /q
/c del \\[REDACTED]\C$\Windows\System32\RegSSHelper.exe
/c del security.evtx
/c net group "domain controllers" /domain
/c net use * /del /y
/c net use \\[REDACTED]\ipc$ [REDACTED] /user:[REDACTED]
/c net use \\[REDACTED]\netlogon [REDACTED] /user:[REDACTED]
/c net user [REDACTED] /domain
/c net user [REDACTED] /domain
/c net user [REDACTED] /domain
/c net user [REDACTED] /domain
/c nslookup [REDACTED]
/c schtasks /create /s [REDACTED] /sc onstart /tn "Microsoft\Windows\Windows Defender\Windows Defender Maintenance" /tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\system32\[REDACTED].xml" /ru System /u:"[REDACTED]" /p:"[REDACTED]" /f
/c schtasks /run /s [REDACTED] /tn "Microsoft\Windows\Windows Defender\Windows Defender Maintenance" /u:"[REDACTED]" /p:"[REDACTED]"
These findings are very similar to those JPCERT published back in 2023:
Source: https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_en.pdf
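A triage routine for cmd.exe /c command lines such as the ones listed above, as an added example that is not Cybereason tooling or part of the report. It strips the /c prefix, matches each command against the post-exploitation patterns the report describes (event log copy/delete, domain group and account enumeration, admin share mapping, remote scheduled task creation and execution, MSBuild launched with an XML project, nslookup/ping discovery) and raises a session-level verdict when log tampering and remote task creation appear together. The sample lines are constructed from the commands above, with HOST01, jdoe and loader.xml standing in for the redacted values; the MITRE ATT&CK technique ids are the ones these behaviors map to.

```python
"""Added example (not Cybereason tooling): triage cmd.exe /c command lines
against the post-exploitation patterns listed in the report."""
import re

# (ATT&CK technique id, description, pattern applied to the command after "/c")
RULES = [
    ("T1070.001", "Windows event log copied or deleted (.evtx)",
     re.compile(r"\b(copy|del)\b.*\.evtx", re.I)),
    ("T1069.002", "domain group enumeration",
     re.compile(r"^net\s+group\b.*/domain", re.I)),
    ("T1087.002", "domain account enumeration",
     re.compile(r"^net\s+user\b.*/domain", re.I)),
    ("T1021.002", "admin share mapped with explicit credentials",
     re.compile(r"^net\s+use\s+\\\\", re.I)),
    ("T1053.005", "scheduled task created or run on a remote host (/s)",
     re.compile(r"^schtasks\s+/(create|run)\b.*\s/s\s+\S+", re.I)),
    ("T1127.001", "MSBuild launched with a project/XML file",
     re.compile(r"msbuild\.exe\s+[^\s\"]+\.xml", re.I)),
    ("T1018", "remote system discovery (nslookup/ping)",
     re.compile(r"^(nslookup|ping)\b", re.I)),
]

# Constructed sample, modeled on the commands above; HOST01/jdoe/loader.xml are placeholders.
SAMPLE = [
    r"/c copy \\HOST01\C$\Windows\System32\Winevt\Logs\security.evtx",
    r"/c del security.evtx",
    r'/c net group "domain controllers" /domain',
    r"/c net user jdoe /domain",
    r"/c net use \\HOST01\ipc$ <password> /user:CORP\jdoe",
    r"/c nslookup HOST01",
    r'/c schtasks /create /s HOST01 /sc onstart /tn "Microsoft\Windows\Windows Defender\Windows Defender Maintenance" '
    r'/tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\system32\loader.xml" /ru System /f',
    r'/c schtasks /run /s HOST01 /tn "Microsoft\Windows\Windows Defender\Windows Defender Maintenance"',
    r"/c dir C:\Users",  # benign control line
]


def normalize(line):
    """Strip the cmd.exe "/c" prefix and surrounding whitespace."""
    return re.sub(r"^\s*/c\s*", "", line, flags=re.I).strip()


def triage(lines):
    """Map each command line to the technique ids it matches (possibly several)."""
    return {line: [tid for tid, _, pat in RULES if pat.search(normalize(line))]
            for line in lines}


def assess(lines):
    """Session-level verdict: log tampering combined with remote scheduled task
    creation is the pairing seen in the incident described above."""
    hits = {tid for ids in triage(lines).values() for tid in ids}
    if {"T1070.001", "T1053.005"} <= hits:
        return "high", sorted(hits)
    if hits:
        return "medium", sorted(hits)
    return "none", []


if __name__ == "__main__":
    for line, ids in triage(SAMPLE).items():
        print(ids or "-", line)
    print(assess(SAMPLE))
```

Feeding process-creation telemetry (parent cmd.exe, the child command line) through this kind of rule set per host and per logon session is what turns the individual commands, none of which is malicious on its own, into a detectable sequence.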
Keep an eye out for part 2 in our Cuckoo Spear analysis in the research category.
Jin Ito, Incident Response Engineer, Cybereason IR Team
Jin Ito is an Incident Response Engineer with the Cybereason Incident Response team. Formerly an Incident Response Engineer at Fujitsu, he holds several cybersecurity certificates such as GREM, GCFA, and OSCP. Aside from his digital forensic responsibilities, he loves creating and reverse engineering malware.
Loïc Castel, Incident Response Investigator, Cybereason IR Team
Loïc Castel is an Investigator with the Cybereason IR team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.
Kotaro Ogino, CTI Analyst, Cybereason Security Operations Team
Kotaro is a CTI Analyst with the Cybereason Security Operations team. He is involved in threat hunting, threat intelligence enhancements and Extended Detection and Response (XDR). Kotaro has a bachelor of science degree in information and computer science.