Chinese Hackers Attack Japanese Companies Using LODEINFO and NOOPDOOR Malware

New Malware Campaign Targets Japanese Organizations: A Deep Dive into the Cuckoo Spear Campaign

Recent intelligence from Israeli cybersecurity firm Cybereason has unveiled a sophisticated malware campaign that poses significant threats to organizations in Japan. This operation is led by a nation-state actor from China, which has been leveraging advanced malware families, namely LODEINFO and NOOPDOOR, to infiltrate networks and extract sensitive data. Remarkably, these intrusions can go undetected for periods of two to three years, illustrating the stealth capabilities of these malicious actors.

Cybereason has dubbed this ongoing campaign "Cuckoo Spear," linking it to an established group known as APT10, frequently referred to by alternative names such as Bronze Riverside and Cloudhopper. This group has a notorious reputation and has been operational since at least 2006, employing various techniques to compromise networks, steal data, and further its geopolitical objectives.

The research highlights that while LODEINFO serves as the primary backdoor for these operations, the newly deployed NOOPDOOR is also instrumental in data exfiltration from compromised enterprise environments. This revelation arises shortly after the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) reported a rising trend of cyberattacks against Japanese entities utilizing these specific malware strains.

Earlier this year, ITOCHU Cyber & Intelligence disclosed the discovery of an upgraded version of the LODEINFO malware, which had been enhanced with anti-analysis capabilities. This version is primarily propagated via spear-phishing emails, underscoring the group’s reliance on social engineering tactics to facilitate initial access to targeted networks.

Trend Micro, another prominent cybersecurity firm, has classified APT10 as encompassing multiple operational clusters, designating them Earth Tengshe and Earth Kasha. Each cluster exhibits distinct patterns, with Earth Kasha primarily using LODEINFO and NOOPDOOR in their attacks. Both sub-groups have shown a preference for public-facing applications, strategically aiming to exfiltrate valuable data while remaining under the radar.

The Earth Kasha cluster has notably evolved its tactics since April 2023, focusing on exploiting unpatched vulnerabilities in widely used applications. Vulnerabilities such as CVE-2023-28461 in Array AG, CVE-2023-27997 in Fortinet, and CVE-2023-45727 in Proself have been targeted, further enabling the delivery of LODEINFO and associated malware.

LODEINFO is particularly versatile, equipped with capabilities to execute arbitrary shellcode, log keystrokes, take screenshots, and exfiltrate files back to operators. On the other hand, NOOPDOOR, which exhibits similarities to another APT10 backdoor—ANEL Loader—provides functionality for file transfers and executing malicious code on compromised machines.

Cybersecurity experts from Cybereason noted that LODEINFO functions as the primary backdoor while NOOPDOOR maintains persistence within the infected corporate environments. This is achieved through the exploitation of scheduled tasks, allowing threat actors to establish a long-term foothold within the targeted networks.

In terms of the MITRE ATT&CK framework, this campaign exemplifies several adversary tactics, including initial access through social engineering (TA0001), persistence via scheduled tasks (T1053), and the use of credential access techniques (TA0006) through keystroke logging. The ongoing threat emphasizes the need for organizations to remain vigilant in their cybersecurity posture, employing robust defensive strategies to counter such sophisticated attacks.
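The two paragraphs above describe NOOPDOOR keeping its foothold through scheduled tasks (T1053). The script below is an added example, not code from the Cybereason report or from the malware, of how a defender might triage Windows scheduled-task creation events (Event ID 4698) for that kind of persistence. The event records are constructed samples in a simplified JSON shape rather than real telemetry, and the heuristics (action runs from a user-writable directory, launches an encoded PowerShell command, or uses a system utility commonly abused to proxy execution) are generic hunting assumptions, not indicators tied to this campaign.

```python
"""Triage Windows scheduled-task creation events (Event ID 4698).

Added example for defenders hunting T1053-style persistence. The sample
events below are constructed, simplified JSON records, not real logs, and
the three heuristics are general assumptions rather than campaign IoCs.
"""
import json
import re
from typing import Dict, List, Tuple

# Assumption: in a managed enterprise, legitimate task actions live under
# Program Files or Windows; an action in a user-writable path warrants review.
USER_WRITABLE = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\programdata",
    r"\users\public",
)

# System utilities that frequently appear as proxies for other code (T1218).
PROXY_UTILITIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe"}

# powershell(.exe) followed by any -e / -enc / -encodedcommand switch.
ENCODED_PS = re.compile(r"(?i)powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b")

REASON_WRITABLE = "action runs from a user-writable directory"
REASON_ENCODED = "action launches PowerShell with an encoded command"
REASON_PROXY = "action is a system utility often used to proxy execution"


def analyse_event(event: Dict) -> List[str]:
    """Return the reasons a 4698 event looks suspicious (empty if none)."""
    reasons = []
    command = event.get("Command", "")
    command_line = f"{command} {event.get('Arguments', '')}".strip()
    lowered = command_line.lower()

    if any(d in lowered for d in USER_WRITABLE):
        reasons.append(REASON_WRITABLE)
    if ENCODED_PS.search(command_line):
        reasons.append(REASON_ENCODED)
    if command.lower().rsplit("\\", 1)[-1] in PROXY_UTILITIES:
        reasons.append(REASON_PROXY)
    return reasons


def triage(jsonl: str) -> List[Tuple[str, List[str]]]:
    """Parse newline-delimited JSON events and return (task name, reasons)
    for every task-creation event that triggered at least one heuristic."""
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 4698:      # only task creations
            continue
        reasons = analyse_event(event)
        if reasons:
            flagged.append((event["TaskName"], reasons))
    return flagged


# Constructed sample events (simplified fields; base64 is a placeholder).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                "Command": r"C:\Windows\System32\defrag.exe", "Arguments": "-c -h -o -$"}),
    json.dumps({"EventID": 4698, "TaskName": r"\Updater",
                "Command": r"C:\Users\alice\AppData\Roaming\svc\update.exe", "Arguments": ""}),
    json.dumps({"EventID": 4698, "TaskName": r"\OneDriveSync",
                "Command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "Arguments": "-nop -w hidden -enc AAAA"}),
    json.dumps({"EventID": 4698, "TaskName": r"\Maintenance",
                "Command": r"C:\Windows\System32\rundll32.exe",
                "Arguments": r"C:\ProgramData\cache\helper.dll,Start"}),
    json.dumps({"EventID": 4699, "TaskName": r"\Updater",
                "Command": "", "Arguments": ""}),   # deletion, ignored
])


if __name__ == "__main__":
    for task, why in triage(SAMPLE_EVENTS):
        print(f"{task}: {'; '.join(why)}")
```

Run on real exports, the task name and action fields would come from the 4698 event's TaskContent XML; the flat JSON shape here only stands in for that. A hit is a review prompt, not a verdict: the scheduled-task baseline of the estate decides what is normal.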

Business owners and IT professionals must prioritize awareness and detection strategies, ensuring systems are regularly updated and staff are trained to recognize potential phishing attempts. The landscape of cybersecurity threats continues to evolve, and proactive measures are essential to mitigate risks associated with advanced persistent threats like those posed by APT10.
