Dec 18, 2025 | Ravie Lakshmanan | Malware / Cloud Security
Emergence of LongNosedGoblin Threat Cluster
A newly identified cyber threat cluster, known as LongNosedGoblin, has been linked to a series of sophisticated cyber attacks targeting governmental entities across Southeast Asia and Japan. According to a recent report by Slovak cybersecurity firm ESET, the primary objective of these incursions appears to be cyber espionage, with activities traced back to at least September 2023.
Security researchers Anton Cherepanov and Peter Strýček detailed that LongNosedGoblin employs Group Policy to disseminate malware throughout compromised networks, utilizing cloud services such as Microsoft OneDrive and Google Drive for command and control operations.
Group Policy serves as a pivotal mechanism for managing settings and permissions on Windows systems, allowing administrators to define configurations for user groups and client computers, as well as manage server environments.
The attacks are marked by a diverse custom toolset, primarily composed of C#/.NET applications, including:
- NosyHistorian: This tool collects browser history from popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
- NosyDoor: A backdoor that utilizes Microsoft OneDrive as a command and control server, enabling it to execute commands for file exfiltration, deletion, and shell command execution.
- NosyStealer: Designed to extract browser data from Google Chrome and Microsoft Edge, this tool sends the information to Google Drive in an encrypted TAR archive.
- NosyDownloader: This utility downloads and executes payloads in memory, including NosyLogger.
- NosyLogger: A modified version of DuckSharp, used for logging keystrokes.
ESET’s investigation first detected LongNosedGoblin’s activities in February 2024, when it identified malware on the systems of a governmental entity in Southeast Asia. The analysis revealed that Group Policy was leveraged to deploy malware across multiple systems within the same organization. However, the precise initial access methods remain unclear.
Further scrutiny indicated that while many victims encountered NosyHistorian between January and March 2024, only a select few were compromised by NosyDoor, suggesting a more targeted approach. Notably, the dropper for the backdoor, utilizing AppDomainManager injection, included “execution guardrails” designed to restrict operations to specific victim machines.
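One defender-side check for the AppDomainManager injection technique mentioned above, added here as an example (it is not ESET's analysis code or the threat actor's tooling): a .NET executable loads whatever assembly its `.exe.config` names under `<runtime>/<appDomainManagerAssembly>`, so a config that redirects the manager, with a same-named DLL beside a legitimate executable, is worth triage. The config contents and names below are constructed.

```python
import os
import xml.etree.ElementTree as ET
from typing import Iterator, Optional

# Constructed sample .exe.config that redirects the AppDomainManager to a
# non-default assembly; the values are made up for this example.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Loader" />
  </runtime>
</configuration>"""

# Constructed benign config with no manager override.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""


def appdomainmanager_override(config_xml: str) -> Optional[dict]:
    """Return {'assembly': simple name, 'type': manager type} when the config
    redirects the AppDomainManager, else None. Malformed XML yields None."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    full_name = asm.get("value", "") if asm is not None else ""
    return {
        "assembly": full_name.split(",")[0].strip(),  # drop ', Version=...'
        "type": typ.get("value", "") if typ is not None else "",
    }


def scan_directory(path: str) -> Iterator[dict]:
    """Yield one finding per *.exe.config that overrides the manager, noting
    whether a DLL with the manager's simple name sits beside the executable."""
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hit = appdomainmanager_override(fh.read())
            if hit:
                dll = os.path.join(dirpath, hit["assembly"] + ".dll")
                hit.update(config=full, loader_dll_present=os.path.isfile(dll))
                yield hit
```

A hit whose assembly is unsigned or not part of the application's installed package is the case to escalate; legitimate software rarely sets these elements.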
In addition to its primary tools, LongNosedGoblin employs a range of other utilities, including a reverse SOCKS5 proxy and a video recording utility capable of capturing audio and video, along with a Cobalt Strike loader.
ESET noted that the threat actor’s techniques exhibit some similarities to other clusters, such as ToddyCat and Erudite Mogwai; however, definitive connections remain elusive. The resemblance between NosyDoor and the LuckyStrike Agent, particularly the inclusion of the phrase “Paid Version” in the PDB path of LuckyStrike Agent, raises the possibility that this malware could be commercialized or licensed to other malicious actors.
Researchers also identified a variant of NosyDoor targeting an organization in an EU country, employing different tactics, techniques, and procedures (TTPs) while utilizing Yandex Disk as a command and control server. This variant suggests that the malware may be shared among various China-aligned threat groups, indicating a broader network of cyber espionage activities.