China-Aligned Cyber Group LongNosedGoblin Exploits Windows Group Policy for Espionage Across Asia and Europe


A newly identified cyber threat group, dubbed LongNosedGoblin, has been implicated in a series of sophisticated cyber espionage attacks targeting governmental entities across Southeast Asia and Japan. Active since at least September 2023, this China-aligned cluster employs advanced techniques to infiltrate and persist within targeted networks.

Exploitation of Windows Group Policy

LongNosedGoblin leverages Windows Group Policy—a tool designed for centralized management of settings and permissions on Windows machines—to deploy malware across compromised networks. By manipulating Group Policy, the attackers can distribute malicious payloads efficiently, ensuring widespread infection within the targeted organizations.

Utilization of Cloud Services for Command and Control

In a strategic move to evade detection, LongNosedGoblin utilizes popular cloud services such as Microsoft OneDrive and Google Drive as command and control (C&C) servers. This approach allows the group to blend malicious traffic with legitimate network activity, complicating efforts to identify and mitigate the threat.
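One practical detection for this tradecraft is to look for processes, other than the sanctioned cloud clients and browsers, that open connections to cloud-storage API hosts. The script below is an added example (not from the original report or ESET) that runs that check over constructed Sysmon-style network-connection records; the host names and the allowlist of expected client processes are assumptions and should be tuned to your environment, and the Yandex Disk host covers the European variant described later in the article.

```python
from typing import Iterable

# Cloud-storage API hosts an implant might use as C&C, mapped to the service.
# These host names are assumptions for this example; business and consumer
# endpoints differ, so derive the real list from your proxy or DNS telemetry.
CLOUD_C2_HOSTS = {
    "graph.microsoft.com": "OneDrive",
    "api.onedrive.com": "OneDrive",
    "www.googleapis.com": "Google Drive",
    "cloud-api.yandex.net": "Yandex Disk",
}

# Process images expected to reach those hosts on a managed workstation.
# Keep this allowlist tight: a broad allowlist hides exactly the signal we want.
EXPECTED_CLIENTS = {"onedrive.exe", "googledrivefs.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def suspicious_cloud_connections(events: Iterable[dict]) -> list[dict]:
    """Return network events where a non-allowlisted process reaches a cloud-storage API host."""
    hits = []
    for ev in events:
        host = ev.get("DestinationHostname", "").lower()
        # Reduce the full image path to its file name, accepting either slash style.
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        service = CLOUD_C2_HOSTS.get(host)
        if service and image not in EXPECTED_CLIENTS:
            hits.append({"time": ev["UtcTime"], "image": ev["Image"], "host": host,
                         "service": service, "user": ev.get("User")})
    return hits


# Constructed sample of Sysmon Event ID 3 (network connection) records; not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-02-12 09:14:03", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "DestinationHostname": "graph.microsoft.com", "User": "CORP\\alice"},
    {"UtcTime": "2024-02-12 09:15:41", "Image": "C:\\Users\\Public\\Libraries\\report.exe",
     "DestinationHostname": "graph.microsoft.com", "User": "CORP\\alice"},
    {"UtcTime": "2024-02-12 09:16:10", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.googleapis.com", "User": "CORP\\alice"},
    {"UtcTime": "2024-02-12 09:17:55", "Image": "C:\\ProgramData\\Updater\\update.exe",
     "DestinationHostname": "cloud-api.yandex.net", "User": "CORP\\bob"},
]

if __name__ == "__main__":
    for hit in suspicious_cloud_connections(SAMPLE_EVENTS):
        print(hit)
```

Running it on the sample flags the two unexpected images while the OneDrive client and Chrome pass; in production, feed it the same fields from your Sysmon or EDR export and triage hits by image path and user.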

Custom Toolset Employed

The group’s operations are characterized by a diverse array of custom-developed tools, primarily built using C#/.NET frameworks. Key components include:

– NosyHistorian: Gathers browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, providing insights into user activities.

– NosyDoor: A backdoor that communicates with C&C servers via OneDrive, capable of executing commands to exfiltrate or delete files and run shell commands.

– NosyStealer: Exfiltrates browser data from Chrome and Edge, uploading encrypted TAR archives to Google Drive.

– NosyDownloader: Downloads and executes payloads in memory, such as NosyLogger.

– NosyLogger: A modified version of DuckSharp, designed to log keystrokes, capturing sensitive information.

Discovery and Analysis

ESET, a Slovak cybersecurity firm, first detected LongNosedGoblin’s activities in February 2024 within a Southeast Asian governmental system. The attackers had already established a foothold, making it challenging to determine the initial access vector. Subsequent investigations revealed that while many systems were affected by NosyHistorian between January and March 2024, only a select subset were infected with NosyDoor, indicating a targeted approach.

Notably, some droppers used to deploy NosyDoor contained execution guardrails, restricting operation to specific victim machines. This tactic underscores the group’s precision in targeting and minimizing exposure.

Additional Tools and Techniques

Beyond the primary toolset, LongNosedGoblin employs various utilities to maintain persistence and conduct surveillance:

– Reverse SOCKS5 Proxy: Facilitates covert communication channels within the compromised network.

– Video Recorder Utility: Captures audio and video, enabling comprehensive monitoring of the target environment.

– Cobalt Strike Loader: Deploys the Cobalt Strike framework, a legitimate penetration testing tool often repurposed for malicious activities.

Potential Links to Other Threat Actors

While definitive connections remain unconfirmed, LongNosedGoblin’s tactics exhibit similarities with other known clusters, such as ToddyCat and Erudite Mogwai. Additionally, parallels between NosyDoor and LuckyStrike Agent, including the string “Paid Version” in the PDB path of LuckyStrike Agent, suggest the possibility of shared tools or services among multiple China-aligned threat groups.

Global Reach and Implications

Further investigations uncovered a variant of NosyDoor targeting an organization in a European Union country, utilizing Yandex Disk as a C&C server. This expansion indicates that LongNosedGoblin’s operations are not confined to Asia, highlighting the global nature of cyber espionage threats.

Conclusion

LongNosedGoblin’s sophisticated use of Windows Group Policy for malware deployment, combined with its strategic exploitation of cloud services for C&C operations, exemplifies the evolving tactics of state-aligned cyber threat actors. Organizations worldwide must remain vigilant, implementing robust cybersecurity measures to detect and mitigate such advanced persistent threats.