A Chinese nation-state threat actor [1] [2] [3] [4] [6], tracked as APT10 and also known as Bronze Riverside [4], has been conducting a long-running cyber espionage campaign, named Cuckoo Spear, in which it remained inside victim networks undetected for two to three years.
Description
This threat actor has been targeting Japanese organizations with the LODEINFO and NOOPDOOR malware families to steal sensitive information [2] [4]. Recent investigations have linked LODEINFO to the newer NOOPDOOR malware [7], and the combined activity, termed "Cuckoo Spear", points to espionage as the primary motive [5] [7]. NOOPDOOR [1] [2] [3] [4] [5] [6] [7] is a 64-bit modular backdoor [5] [7] that is decrypted and loaded by NOOPLDR as one stage of a multi-stage infection chain [5] [7], giving the operators long-term covert access to compromised networks [7].

Initial access has been gained by exploiting vulnerabilities in public-facing applications and appliances such as Array AG [4], Fortinet [2] [3] [4] [6], and Proself, which are then used to deliver the malware [3] [4] [6]. Once inside, the operators establish persistence through Scheduled Tasks and WMI permanent event subscriptions (consumer events) [7] and rely on built-in system tools rather than custom tooling wherever possible [5] [7].

Trend Micro treats APT10 as an umbrella group made up of two clusters [4], Earth Tengshe and Earth Kasha [3] [4] [6], each using its own malware strains and tactics [4]; LODEINFO and NOOPDOOR are attributed to Earth Kasha [4]. Cybereason [1] [2] [3] [4] [6], JPCERT/CC [2] [3] [4] [6], and ITOCHU Cyber & Intelligence have all reported on this actor [4], underlining the ongoing attacks against Japanese entities [4].

LODEINFO can execute shellcode [3], log keystrokes [3] [6], take screenshots [3], terminate processes [3], and exfiltrate files [3] [6]. NOOPDOOR shares similarities with ANEL Loader and can upload and download files [3], execute shellcode [3] [6], and run additional programs [3].

The Cuckoo Spear campaign [1], uncovered by Cybereason [1], illustrates the persistence of nation-state actors in pursuit of valuable data [1] and represents a significant threat to Japanese organizations [1]. Defending against it requires proactive security measures, collaboration within the cybersecurity community [1], and continuous vigilance to protect sensitive information and networks from intrusion [1].
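The reports cited above attribute persistence to Scheduled Tasks and WMI event consumers but give no hunting procedure. The following PowerShell snippet is an added example, not code from Cybereason, JPCERT/CC or any other cited source: it enumerates WMI permanent event subscriptions and scheduled tasks on a Windows host and flags entries whose action invokes a script host or other living-off-the-land binary. The `$lolbins` pattern and the treatment of the `\Microsoft\` task folder as lower priority are assumptions chosen for triage, not indicators from the reports.

```powershell
# Added hunting snippet (not from the cited reports). Run in an elevated session.
# Enumerates the two persistence mechanisms attributed to Cuckoo Spear:
#   1. WMI permanent event subscriptions (root\subscription)
#   2. Scheduled tasks
# and flags actions that invoke a script host or LOLBin. Heuristics are assumptions.

$lolbins = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic|certutil|bitsadmin'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Name, [string]$Command, [bool]$Suspect, [string]$Author = '', $LastRun = $null) {
    $findings.Add([PSCustomObject]@{
        Type = $Type; Name = $Name; Command = $Command; Suspect = $Suspect; Author = $Author; LastRun = $LastRun
    })
}

# --- 1. WMI permanent event subscriptions ---
# A live subscription is three objects: an __EventFilter (WQL trigger), an
# __EventConsumer (the action) and a __FilterToConsumerBinding joining them.
$ns = 'root\subscription'

foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
    # A filter alone executes nothing; it is listed so the analyst can pair it with a binding.
    Add-Finding -Type 'WMI __EventFilter' -Name $f.Name -Command $f.Query -Suspect $false
}

# Only consumer classes that execute code matter here; log/SMTP consumers are ignored.
$consumers = @()
$consumers += Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue
$consumers += Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    $class = $c.CimClass.CimClassName
    if ($class -eq 'CommandLineEventConsumer') {
        $cmd = $c.CommandLineTemplate
    } elseif ($c.ScriptFileName) {
        $cmd = $c.ScriptFileName
    } else {
        $cmd = $c.ScriptText
    }
    # Any ActiveScriptEventConsumer is worth a look: it runs VBScript/JScript inside the WMI host.
    $suspect = ($class -eq 'ActiveScriptEventConsumer') -or ($cmd -match $lolbins)
    Add-Finding -Type "WMI $class" -Name $c.Name -Command $cmd -Suspect $suspect
}

foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    # The binding is what arms the subscription; the default 'SCM Event Log' binding is benign.
    Add-Finding -Type 'WMI __FilterToConsumerBinding' -Name "$($b.Filter) -> $($b.Consumer)" -Command '' -Suspect $false
}

# --- 2. Scheduled tasks ---
# Vendor tasks also call these binaries, so path and author are reported for triage;
# the \Microsoft\ folder is de-prioritised, not whitelisted (attackers can plant tasks there too).
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }            # COM-handler actions have no Execute
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        $suspect = ($cmd -match $lolbins) -and ($t.TaskPath -notlike '\Microsoft\*')
        $lastRun = if ($suspect) { ($t | Get-ScheduledTaskInfo).LastRunTime } else { $null }
        Add-Finding -Type 'ScheduledTask' -Name "$($t.TaskPath)$($t.TaskName)" -Command $cmd -Suspect $suspect -Author $t.Author -LastRun $lastRun
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Run it across a fleet and diff the output against a known-good baseline rather than reading it host by host. For continuous coverage, the same two mechanisms surface as Sysmon Event IDs 19, 20 and 21 (WMI filter, consumer and binding creation) and Windows Security Event ID 4698 (scheduled task created), which can be forwarded to a SIEM and matched with the same pattern.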
Conclusion
The ongoing attacks by APT10 against Japanese organizations show the need for stronger defensive measures and for collaboration within the cybersecurity community. Concretely, that means patching and monitoring internet-facing appliances of the kind the group has exploited, and routinely auditing Scheduled Tasks and WMI event subscriptions, the persistence mechanisms this campaign relies on. The willingness of nation-state actors to stay inside a network for years in pursuit of valuable data underscores the importance of remaining vigilant and prepared for future intrusions.
References
[1] https://www.krofeksecurity.com/cybersecurity-alert-chinese-hackers-strike-japanese-companies-with-lodeinfo-and-noopdoor-malware/
[2] https://cyber.vumetric.com/security-news/2024/07/31/chinese-hackers-target-japanese-firms-with-lodeinfo-and-noopdoor-malware/
[3] https://patabook.com/technology/2024/07/31/chinese-hackers-target-japanese-firms-with-lodeinfo-and-noopdoor-malware/
[4] https://thehackernews.com/2024/07/chinese-hackers-target-japanese-firms.html
[5] https://www.digitalvocano.com/cybersecurity/cuckoo-spear-attacking-windows-users-with-highly-sophisticated-malware
[6] https://vulners.com/thn/THN:43E35C03016BD4E4DC5958BBB7ACD731
[7] https://cybersecuritynews.com/cuckoo-spear-windows-malware-attack/