“The threat actors leveraged many novel evasion methods, such as overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various methods to test the most efficient and evasive methods of executing their payloads,” the researchers said.
The attackers used several malware payloads that have been documented before in connection with other cyberespionage attacks. These include Mustang Panda’s custom data exfiltration tool NUPAKAGE, the Merlin C2 Agent, the Cobalt Strike penetration testing beacon, the PhantomNet backdoor, the RUDEBIRD malware, and the PowHeartBeat backdoor.
However, the researchers also identified new malware components that had never been documented before at the time. One of them is a backdoor that Sophos has dubbed CCoreDoor, which has commands that allow attackers to discover information about their environment, move laterally through the network, dump credentials, and establish communications with an external C2 server.