APT10 expands arsenal: new details of the Cuckoo Spear operation

Man

Malware hides in XML files right under the noses of administrators.

Cybereason has published a follow-up investigation into the activities of the APT10 hacker group as part of the malicious operation Cuckoo Spear. The new part takes a closer look at the NOOPDOOR and NOOPLDR malware. The purpose of the study is to help cybersecurity professionals better understand the methods and tools of the attackers in order to improve network protection.

Particular attention is paid to the analysis of the NOOPLDR-DLL tool. This malicious code loader is able to gain a foothold on the system as a service, obfuscate its code for more difficult analysis, and hide strings using XOR encryption. The tool also performs shell injection into processes through modified DLLs.

NOOPDOOR is an encrypted shellcode that is retrieved from the Windows registry and decrypted with AES-CBC, using the MachineId as key material. The malicious code is then injected into the memory of running processes. In doing so, the attackers use their own system calls to bypass protections and hide their presence.

Cybereason also provided an analysis of another version of the loader, NOOPLDR written in C#. This version stores the malicious code in an XML file and runs it using "msbuild.exe". Despite the heavy obfuscation of the code, the researchers managed to work out how it operates: it dynamically loads the shellcode from a file or from the registry, verifies its integrity, and decrypts it.

In addition, the study covers the client part of NOOPDOOR, which has functionality for interacting with C2 servers. Domain names are generated using a domain generation algorithm (DGA), which allows the hackers to change the addresses of their control servers and makes them difficult to detect and block.

Cybereason also identified a separate server component called NOOPDOOR that can modify firewall rules, use custom protocols for communication, and execute commands to steal data and control the infected network.

Experts emphasize that the activities of APT10 are associated with long-term penetration into the networks of organizations. To effectively mitigate the threat, it is recommended that you work with an incident response team to conduct a comprehensive network cleanup and prevent attackers from returning.

To detect signs of infection and exploitation, the investigation provides recommended search queries that can help you track the suspicious process behavior and network activity associated with Cuckoo Spear.
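One such hunt, built around the C# NOOPLDR technique described above (a project/XML file executed via msbuild.exe), as an added example that is not part of the Cybereason report: it scans constructed Sysmon-style process-creation events and escalates any msbuild.exe run that is handed a project or XML file outside a trusted build root, or that is started by a parent which does not normally drive builds. The trusted parent and root lists are assumptions to be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Parents that normally launch msbuild.exe and roots where build inputs normally live.
# Both lists are assumptions for this example; tune them to the environment.
TRUSTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
TRUSTED_ROOTS = ("c:\\program files", "c:\\builds\\")
PROJECT_EXT = {".xml", ".csproj", ".proj", ".vbproj", ".targets"}

def project_args(command_line):
    """Return every argument on the command line that names a project or XML file."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', command_line)]
    return [t for t in tokens if PureWindowsPath(t).suffix.lower() in PROJECT_EXT]

def is_suspicious(event):
    """True when msbuild.exe is handed a project/XML file outside a trusted build
    root, or is started by a parent that does not normally drive builds."""
    if PureWindowsPath(event["image"]).name.lower() != "msbuild.exe":
        return False
    files = project_args(event["command_line"])
    if not files:  # e.g. "msbuild.exe /version": no project is executed
        return False
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    untrusted_file = any(not f.lower().startswith(TRUSTED_ROOTS) for f in files)
    return untrusted_file or parent not in TRUSTED_PARENTS

def scan(events):
    """Return the indices of the events that should be escalated."""
    return [i for i, e in enumerate(events) if is_suspicious(e)]

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r'MSBuild.exe "C:\ProgramData\Microsoft\Crypto\update.xml"'},
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "command_line": r'MSBuild.exe "C:\Builds\app\app.csproj" /t:Build'},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"MSBuild.exe /version"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\t.csproj /nologo"},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print("suspicious msbuild execution:", SAMPLE_EVENTS[i]["command_line"])
```

Events 0 and 3 are escalated (service-launched msbuild on a file under ProgramData, and a project file in a user's Temp directory); the Visual Studio build and the bare version check are not.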
