Cuckoo Spear [B-Side]

2024/11/20
Malicious Life

People

Jin Ito
Loic Castel
Ran Levy
Topics
Ran Levy introduces Operation Cuckoo Spear, a cyberattack campaign against Japanese enterprises attributed to APT10, a Chinese nation-state APT group. APT10 uses malware named LODEINFO and NOOPDOOR and employs a range of techniques, including spear-phishing and VPN vulnerabilities, to break into target networks. Jin Ito and Loic Castel analyze NOOPDOOR's persistence mechanisms, its DGA and the attack flow in detail, and point out that APT10 has extensive resources and that its tool development and operations are highly sophisticated and cautious. Loic Castel also stresses that APT10's targeting is broader, while the Cuckoo Spear operation is focused specifically on Japan.

Jin Ito, speaking as an incident response engineer, goes deep into the technical details of the NOOPDOOR malware, including its persistence mechanisms, its DGA and its relationship to LODEINFO. He notes that NOOPDOOR is an improved version of LODEINFO and that its persistence mechanism is very complex, combining shellcode, scheduled tasks, MSBuild, WMI and service DLLs, among other techniques. He also explains how the attackers use a DGA to evade detection, and how they encrypt the service DLL using information unique to each system. In addition, he shares his experience handling similar attacks at a previous organization.

Loic Castel explains how Cybereason discovered Operation Cuckoo Spear and became involved in the investigation, and emphasizes both the challenges and the excitement of investigating nation-state actors like APT10. He describes the attackers' intrusion methods in detail, including spear-phishing and exploitation of vulnerabilities in VPN appliances. He also walks through the typical attack flow, including setting up an internal C2 server to control machines that are not connected to the internet. He further analyzes the tools the attackers use, noting that they mostly rely on tools built into Windows rather than common hacking tools such as Mimikatz. Finally, he adds detail on APT10's targeting scope and the goals of the Cuckoo Spear operation.

Chapters
The episode introduces APT-10, a Chinese nation-state threat actor known for using sophisticated malware like LODEINFO and NOOPDOOR to target Japanese IT and infrastructure organizations.
  • APT-10 has been active since at least 2006.
  • They use backdoor malware like LODEINFO and NOOPDOOR.
  • NOOPDOOR incorporates sophisticated persistence mechanisms.

Shownotes

APT-10 is a Chinese nation-state threat actor that in recent years has been targeting Japanese IT & Infrastructure organizations using a sophisticated backdoor malware known as LODEINFO. Recently, Jin Ito & Loic Castel, researchers from Cybereason's IR Team, uncovered a new tool used by the group: NOOPDOOR, which incorporates highly sophisticated persistence mechanisms, allowing APT-10 to evade detection and remain inside enterprise networks for two or even three years.

Our Sponsors:
* Check out 1Password and use my code MALICIOUS for a great deal: 1password.com

Advertising Inquiries: https://redcircle.com/brands