A sophisticated cyberespionage campaign targeting governmental entities in Southeast Asia and Japan has unveiled a new China-aligned threat actor dubbed LongNosedGoblin.<\/p>\n
Active since at least September 2023, this advanced persistent threat (APT) group distinguishes itself by leveraging a diverse toolset of custom C#\/.NET malware families.<\/p>\n
Their operations primarily focus on intelligence gathering, employing stealthy techniques to infiltrate sensitive networks and maintain long-term access without detection.<\/p>\n
The group\u2019s most notable tactic involves the abuse of Windows Group Policy<\/a> for lateral movement and malware deployment.<\/p>\n By compromising the Active Directory infrastructure, attackers distribute malicious payloads across networked machines, effectively bypassing traditional perimeter defenses.<\/p>\n This method allows them to propagate tools like NosyHistorian, which harvests browser history to identify high-value targets for further exploitation of critical assets.<\/p>\n Welivesecurity analysts identified<\/a> the malware in early 2024 within a Southeast Asian government network, where multiple machines were compromised simultaneously via Group Policy updates.<\/p>\n Investigations revealed that the attackers disguised their malware as legitimate policy files, such as History.ini or Registry.pol, to blend into the Group Policy cache directories.<\/p>\n This strategic camouflage highlights the group\u2019s emphasis on evasion and persistence within compromised environments.<\/p>\n The group\u2019s primary backdoor, NosyDoor, exemplifies their reliance on living-off-the-land techniques and cloud-based command and control infrastructure.<\/p>\n The malware operates through a complex three-stage execution chain. NosyDoor execution chain, designed to evade detection by standard security products.<\/p>\n The infection begins with a dropper component that decrypts embedded payloads using the Data Encryption<\/a> Standard (DES) with the key UevAppMo.<\/p>\n This dropper utilizes execution guardrails. Dropper code with execution guardrails, to ensure the malware only detonates on specific victim machines.<\/p>\n Once validated, it establishes persistence by creating a scheduled task that executes a legitimate Windows binary, UevAppMonitor.exe, which the malware copies from System32 to the .NET framework directory.<\/p>\n The core of the evasion strategy lies in AppDomainManager injection. The attackers modify the configuration of the legitimate executable to load a malicious DLL.<\/p>\n This configuration file directs the application to initialize a custom domain from SharedReg.dll. This DLL bypasses the Antimalware Scan<\/a> Interface (AMSI) and decrypts the final NosyDoor payload.<\/p>\n The backdoor then retrieves its configuration. Decrypted configuration (log.cached, beautified), and initiates communication with Microsoft OneDrive using RSA-encrypted metadata to receive commands stored in task files.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post China-Aligned APT Hackers Exploit Windows Group Policy to Deploy Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNosyDoor Execution Mechanism<\/strong><\/h2>\n
![\"NosyDoor](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg5K3rCQ5AYGEaHohK280kbnLR8q1qB8Z-ZjezkZyIQlp1RKD2CAso773SGCn2U05IQ46E7hTr8n1PV-4rAOi3st_BnJpmzewTn-y0bt_m6lE4uUqU1jFmn-u6nED46a1vYVaCH3lKmI0ZLzNsapbydhLSqowuDw4cNpf5EhKAmyvAoWp5Dpw__TvhCjcs\/s16000\/NosyDoor%2520execution%2520chain%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")
![\"NDropper](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjs2zCbd7FB0VAZwhQb32ILiJIGGrwmkFfOhSDaSBeZQtzVIFHqdnQLU5TJ88pGIzkeJfWnxqPvfQJ1th67AQBkasg1m7D_I3Z4hX9TWn7IxQblhSzHcRwwgIy6YwQId7udGMSnWGWlz8-QvHhNvnK5Mp6tiT2Of7bo3NkIAD3eKxA0WwgyDfaX4x8R_Og\/s16000\/NDropper%2520code%2520with%2520execution%2520guardrails%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")
![\"Content](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgXLlBzq132bmi4Ps19qx9RHG4X8EiLHEWKjS5vNF1DlwY7WgDTJVTWFbc1B1e217U_s7v0EGcEd0GA21rhrVry_nOBQcXy30IiC97_IqJT6OJQEMJXxJj8Vw3vL-R75AltVdt_baLsYI0ymlUKN1_3UAwpR7hsQNR6gTiZopK0kL35Dxd9MlA0SUmp-5A\/s16000\/Content%2520of%2520UevAppMonitor.exe.config%2520with%2520specified%2520AppDomainManager%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")
![\"NosyStealer](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgx_Y_BhOd6e-Xlh3Zd-8MN9xNwgGCWZyg5kRarPbEVB1b-et2EqLKrdniLQaXsJPGJheKKVUwfW-mbVDf6ol5edybLwtcXEjAJCyUNWJPqZa7UMu0cPeQbE6ZObKh09Rf4kzdH14IphM_f8yFH8S4bgKcOMMTcGwtSnucHdBJ-E42u_ASYkwSOJbonOW4\/s16000\/NosyStealer%2520execution%2520chain%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")