Fast Facts
- Emerging Cyber Threat: A new Chinese-backed APT group, dubbed LongNosedGoblin, has been targeting governments in Japan and Southeast Asia since 2023, primarily through cyber-espionage activities.
- Innovative Malware Techniques: The group uses custom C#/.NET applications for its operations, notably abusing Group Policy in Active Directory for malware deployment and lateral movement within networks.
- Sophisticated Tooling: LongNosedGoblin employs unique malware, including NosyHistorian for reconnaissance and NosyDoor for backdoor access via cloud services such as Microsoft OneDrive.
- Distinct Identity: Though it shares characteristics with earlier APT groups, LongNosedGoblin displays unique tactics and tools, specifically the novel abuse of Group Policy for malicious purposes.
LongNosedGoblin’s Cyber-Espionage Campaign
A new advanced persistent threat (APT) group, labeled LongNosedGoblin, has been engaged in cyber-espionage against governments in Japan and Southeast Asia since at least 2023. Researchers at ESET have tracked the group as it deploys custom C#/.NET applications to infiltrate networks. Most alarmingly, it uses Group Policy as a malware dropper, which lets it push malware to machines across a targeted domain and move through the environment efficiently. This tactic signals a serious breach, because deploying malware through Group Policy implies the attackers already hold Domain Controller and domain administrator credentials.
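Defenders can audit the Group Policy objects in SYSVOL for settings that would run a command on every machine in scope. The following is an added example and not code from ESET or the article; the article does not name the exact Group Policy mechanism the group used, so this assumes the Group Policy Preferences scheduled-task route (the ScheduledTasks.xml file under a GPO's Machine\Preferences\ScheduledTasks folder) and uses a constructed sample file with placeholder CLSIDs.

```python
# Added example: audit a Group Policy Preferences ScheduledTasks.xml for tasks that
# could serve as a domain-wide dropper. Heuristics and sample data are constructed.
import re
import xml.etree.ElementTree as ET

# Payload launched from a UNC share or a user-writable local folder
UNTRUSTED_PATH = re.compile(r"(\\\\[^\\\s]+\\\S+|[a-z]:\\(users|windows\\temp|programdata)\\)", re.I)
# Hidden or encoded PowerShell invocation in the task arguments
HIDDEN_PS = re.compile(r"(-e\w*\s+[A-Za-z0-9+/=]{16,}|-nop\b|-w(indowstyle)?\s+hidden)", re.I)

def audit_scheduled_tasks(xml_text):
    """Return one finding per Exec action: task name, principal, command and why it was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:  # children are TaskV2 / ImmediateTaskV2 entries
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        base_flags = []
        if task.tag.startswith("ImmediateTask"):
            base_flags.append("immediate task (runs once at next Group Policy refresh)")
        if run_as.upper().endswith("SYSTEM"):
            base_flags.append("runs as SYSTEM")
        for exe in props.iter("Exec"):
            cmd = (exe.findtext("Command") or "").strip()
            args = (exe.findtext("Arguments") or "").strip()
            flags = list(base_flags)
            if UNTRUSTED_PATH.search(cmd + " " + args):
                flags.append("payload from UNC share or user-writable path")
            if HIDDEN_PS.search(args):
                flags.append("hidden or encoded PowerShell")
            findings.append({"task": task.get("name"), "changed": task.get("changed"),
                             "run_as": run_as, "command": cmd, "arguments": args, "flags": flags})
    return findings

def flag_high_risk(findings, min_flags=2):
    """Tasks with several indicators deserve a look before the next policy refresh."""
    return [f for f in findings if len(f["flags"]) >= min_flags]

# Constructed sample: one dropper-style immediate task and one ordinary maintenance task.
SAMPLE = r"""<ScheduledTasks clsid="{PLACEHOLDER-CLSID}">
  <ImmediateTaskV2 clsid="{PLACEHOLDER-CLSID}" name="Update" changed="2024-12-05 03:12:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
        <Arguments>-nop -w hidden -c "\\dc01\netlogon\svc\update.exe"</Arguments>
      </Exec></Actions></Task></Properties></ImmediateTaskV2>
  <TaskV2 clsid="{PLACEHOLDER-CLSID}" name="Defrag" changed="2023-02-01 09:00:00">
    <Properties action="U" name="Defrag" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\defrag.exe</Command><Arguments>C: /O</Arguments>
      </Exec></Actions></Task></Properties></TaskV2>
</ScheduledTasks>"""
```

Run the audit over each GPO's ScheduledTasks.xml from SYSVOL and correlate flagged tasks with the GPO's modification time and the account that changed it.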
While LongNosedGoblin has targeted fewer than a dozen victims so far, experts classify its operations as moderately sophisticated. This classification rests on its bespoke malware tools, including NosyHistorian, which examines browser histories to decide whether a victim is worth pursuing. If the victim is judged valuable, it installs a backdoor known as NosyDoor. Notably, NosyDoor uses Microsoft OneDrive as its command-and-control channel, demonstrating the innovative methods employed by the group.
Unveiling a Diverse Malware Arsenal
Further investigation into LongNosedGoblin’s activities revealed additional malicious software components. ESET found tools such as NosyStealer, which extracts browser data, and NosyDownloader, which executes payloads directly in memory. ESET also discovered a keylogger, NosyLogger, and other tools for capturing audio and video. Together these reveal a comprehensive strategy and illustrate the group’s adaptability and resourcefulness.
ESET’s ongoing analysis has shown that LongNosedGoblin has consistently leveraged NosyDownloader across Southeast Asia throughout 2024. By December, they attempted new attacks against the Japanese government, suggesting evolving tactics. While similarities exist between LongNosedGoblin and earlier groups like ToddyCat and Erudite Mogwai, researchers emphasize that the differences in their techniques and toolsets highlight that LongNosedGoblin is indeed a distinct entity. The focus on Group Policy for malware deployment particularly sets them apart, raising concerns about the cybersecurity landscape in the region.
