New Cyber Threat: LongNosedGoblin Targets Southeast Asia and Japan
A recently identified threat cluster, referred to as LongNosedGoblin, has emerged as a significant cyber adversary, primarily targeting governmental organizations in Southeast Asia and Japan. This revelation comes from ESET, a Slovak cybersecurity firm, which indicates that this threat group has been operational since at least September 2023, focusing on cyber espionage as their main objective.
Attack Methodology: Exploiting Group Policy for Malware Deployment
The LongNosedGoblin group employs Group Policy, a management feature for Windows systems, to distribute malware within compromised networks. According to ESET researchers Anton Cherepanov and Peter Strýček, this method allows the group to effectively manage and deploy malicious software across various systems. They leverage cloud services such as Microsoft OneDrive and Google Drive as command and control (C&C) servers, facilitating seamless communication between the compromised systems and the attackers.
Understanding Group Policy in Cyberattacks
Group Policy is essential for defining configurations for groups of users and client computers, and managing server setups on Windows. Its capabilities make it a valuable tool for attackers who aim to establish control over targeted networks, allow for easy malware deployment, and maintain a foothold in the compromised environment.
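Because Group Policy-based delivery of this kind usually relies on a GPO that carries a scheduled/immediate task or a startup/logon script, a defender can inventory exactly those settings. The following PowerShell is an added audit example, not code from ESET or from the article; it assumes the RSAT GroupPolicy module, read access to the domain's GPOs, and a 30-day lookback window that should be tuned to the environment's normal change cadence.

```powershell
# Added example: list every GPO in the current domain that pushes scheduled
# tasks or scripts, the commands they run, and whether the GPO changed recently.
# Assumptions: GroupPolicy module available; the XML report produced by
# Get-GPOReport nests task and script commands under elements named "Command".
Import-Module GroupPolicy

$lookbackDays = 30                       # assumption: tune per environment
$since = (Get-Date).AddDays(-$lookbackDays)

$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Namespace-agnostic XPath: the report assigns q1:/q2: prefixes per
    # client-side extension, so match on local-name() instead of a prefix.
    $tasks   = $report.SelectNodes("//*[local-name()='ImmediateTaskV2' or local-name()='TaskV2' or local-name()='ImmediateTask' or local-name()='Task']")
    $scripts = $report.SelectNodes("//*[local-name()='Script']")
    if ($tasks.Count -eq 0 -and $scripts.Count -eq 0) { continue }

    # Collect the executables/scripts each task or script entry launches.
    $commands = $report.SelectNodes("//*[local-name()='Command']") |
        ForEach-Object { $_.InnerText.Trim() } |
        Where-Object { $_ } | Sort-Object -Unique

    [pscustomobject]@{
        GPO             = $gpo.DisplayName
        Id              = $gpo.Id
        Modified        = $gpo.ModificationTime
        RecentlyChanged = ($gpo.ModificationTime -ge $since)
        ScheduledTasks  = $tasks.Count
        Scripts         = $scripts.Count
        Commands        = ($commands -join '; ')
    }
}

# Recently changed GPOs that deploy tasks or scripts are the first ones to review.
$findings | Sort-Object RecentlyChanged, Modified -Descending |
    Format-Table GPO, Modified, RecentlyChanged, ScheduledTasks, Scripts, Commands -AutoSize
```

Any command pointing at a user-writable path, a SYSVOL location outside the GPO's own folder, or an unfamiliar binary deserves a closer look, as does a GPO whose modification time does not match a known change ticket.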
A Diverse Toolkit: Custom Malware Applications
The threat actor employs an extensive range of custom-built tools, predominantly revolving around C# and .NET applications. Key components of their toolkit include:
- NosyHistorian: Gathers browser history from popular browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox.
- NosyDoor: A sophisticated backdoor that facilitates commands for file exfiltration, deletion, and execution of remote shell commands. This tool notably operates via Microsoft OneDrive.
- NosyStealer: Extracts browser data from Google Chrome and Microsoft Edge and uploads it to Google Drive in an encrypted format.
- NosyDownloader: Responsible for downloading payloads into memory, including other tools such as NosyLogger.
- NosyLogger: A modified keystroke logger that captures user input.
Initial Revelations and Targeted Strategy
ESET’s analysis traced the group’s activity back to February 2024, when they first detected their presence on a Southeast Asian government system. The researchers observed that the group utilized Group Policy to deploy malware across multiple systems within the same organization. Although the precise methods used for initial access remain unclear, the targeting appears to be quite specific. Notably, while many victims encountered NosyHistorian, only a select few were compromised by NosyDoor, indicating a strategically selective approach.
Examining Tactical Variations and Cross-Connections
LongNosedGoblin’s operational methods also encompass a reverse SOCKS5 proxy and tools that can record audio and video, thus enhancing their spying capabilities. Additionally, they employ a Cobalt Strike loader, a common tool used for structured penetration tests and security assessments. ESET noted potential overlaps in tactics, techniques, and procedures (TTPs) with other threat groups like ToddyCat and Erudite Mogwai, although conclusive links remain unproven.
The Broader Implications of Malware Sharing
The presence of NosyDoor variants outside this cluster's usual targeting raises questions about how these tools are distributed among different groups. According to ESET's findings, a variant of NosyDoor was observed targeting an organization in an EU nation, using Yandex Disk as a C&C server. This indicates the malware's adaptability and reinforces the idea that it may be shared across different China-aligned threat groups.