ESET researchers discovered a China-aligned APT group, LongNosedGoblin, which uses Group Policy to deploy cyberespionage tools across networks of governmental institutions
Analysis Summary
# Threat Actor: LongNosedGoblin
## Attribution & Identity
**Identification:** LongNosedGoblin is a newly discovered China-aligned Advanced Persistent Threat (APT) group.
**Known Aliases:** None given; the group is referred to only by the ESET research codename.
**Associated Groups:** The tool NosyDoor is mentioned as "most likely being shared by multiple China-aligned threat actors."
## Activity Summary
LongNosedGoblin targets governmental entities for cyberespionage. The group has been active since at least September 2023; ESET researchers identified it between January and March 2024 after noticing undocumented malware on the network of a governmental entity in Southeast Asia. Its campaigns involve lateral deployment of espionage tools across multiple machines within each targeted entity.
## Tactics, Techniques & Procedures
The group heavily relies on established Windows management features coupled with custom C#/.NET malware:
- **Lateral Movement/Deployment:** Abuses **Group Policy** to push malware to many machines at once, which presupposes the right to create or modify GPOs in the victim domain.
- **Execution Evasion:** Several tools employ techniques to bypass the **Antimalware Scan Interface (AMSI)**.
- **Injection:** The NosyDoor backdoor utilizes **AppDomainManager injection** (MITRE ATT&CK ID: T1574.014, Hijack Execution Flow: AppDomainManager).
- **Discovery:**
- Collecting browser history (Chrome, Edge, Firefox) using **NosyHistorian** to inform subsequent deployment decisions (MITRE ATT&CK ID: T1217 Browser Information Discovery).
- File and Directory Discovery (MITRE ATT&CK ID: T1083).
- System Information Discovery (MITRE ATT&CK ID: T1082).
- **Collection:**
- Keystroke logging using **NosyLogger** (MITRE ATT&CK ID: T1056.001).
- Video and audio capture, potentially using FFmpeg (MITRE ATT&CK IDs: T1125 Video Capture, T1123 Audio Capture).
- Collected data is staged locally (MITRE ATT&CK ID: T1074.001), with log data encrypted using AES before exfiltration (MITRE ATT&CK ID: T1560).
- **Command and Control (C&C) / Transfer:**
- Uses legitimate cloud services for C&C, including **Microsoft OneDrive** and **Google Drive/Docs** (MITRE ATT&CK ID: T1102.002).
- Encrypts C&C command outputs using AES and metadata using RSA (MITRE ATT&CK IDs: T1573.001, T1573.002).
- Ingress Tool Transfer capabilities (MITRE ATT&CK ID: T1105).
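The AppDomainManager injection used by NosyDoor relies on the CLR loading an attacker-named assembly before the host executable's own entry point runs, configured either in the host's `<exe>.config` file or through the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables. The following hunt script is an added example, not ESET's analysis code and not NosyDoor; it checks both channels over a constructed directory tree, and every application, assembly and type name in it is made up.

```python
"""Hunt for .NET AppDomainManager injection (ATT&CK T1574.014).

Added example; not ESET's analysis code and not NosyDoor. A managed host
process can be made to load an attacker-chosen assembly before its own
Main() runs either through its <exe>.config file or through the
APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables.
This script checks both. All sample configs, names and paths are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Benign config: only a binding redirect, which is what most real
# <exe>.config files contain.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Injected config: the CLR resolves "Updater" from the application base and
# instantiates Updater.Manager as the AppDomainManager. Hypothetical names.
INJECTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>
"""


def inspect_config(path):
    """Return a finding for an <exe>.config that names an AppDomainManager, else None."""
    try:
        runtime = ET.parse(path).getroot().find("runtime")
    except ET.ParseError:
        return None
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    asm_value = asm.get("value", "") if asm is not None else ""
    # The simple name before the first comma is what the loader probes for in
    # the application base, so a matching DLL beside the EXE is the payload.
    simple_name = asm_value.split(",")[0].strip()
    payload = os.path.join(os.path.dirname(path), simple_name + ".dll")
    return {
        "config": path,
        "assembly": asm_value or None,
        "type": typ.get("value") if typ is not None else None,
        "payload_present": bool(simple_name) and os.path.exists(payload),
    }


def scan_tree(root_dir):
    """Walk root_dir and report every *.exe.config that sets an AppDomainManager."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                finding = inspect_config(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["config"])


def env_override(environ=None):
    """Report a process-wide AppDomainManager set through environment variables."""
    environ = os.environ if environ is None else environ
    asm = environ.get("APPDOMAIN_MANAGER_ASM")
    typ = environ.get("APPDOMAIN_MANAGER_TYPE")
    return {"assembly": asm, "type": typ} if (asm or typ) else None


def build_sample_tree():
    """Write one benign and one injected application into a temp dir (constructed data)."""
    base = tempfile.mkdtemp(prefix="adm_hunt_")
    for app, config in (("GoodApp", BENIGN_CONFIG), ("Tool", INJECTED_CONFIG)):
        os.makedirs(os.path.join(base, app))
        with open(os.path.join(base, app, app + ".exe.config"), "w", encoding="utf-8") as fh:
            fh.write(config)
    # Empty placeholder standing in for the side-loaded payload DLL.
    open(os.path.join(base, "Tool", "Updater.dll"), "wb").close()
    return base


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
    print("environment override:", env_override())
```

Run it against `Program Files`, user profile directories and any path where signed .NET binaries have been copied; a config that names an AppDomainManager whose assembly sits next to the host EXE but is not part of the vendor's install is the pattern to triage, and a set `APPDOMAIN_MANAGER_ASM` variable in a process or service environment block warrants the same attention.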
## Targeting
- **Sectors:** Governmental institutions.
- **Geography:** Southeast Asia and Japan.
- **Victims:** Specific entities are not named, but confirmed to include a governmental entity in Southeast Asia.
## Tools & Infrastructure
- **Malware Families/Tools:**
- **NosyDoor:** Backdoor utilizing AppDomainManager injection and OneDrive for C&C.
- **NosyHistorian:** C#/.NET application for gathering browser history.
- **NosyStealer:** Steals browser data and exfiltrates to Google Drive.
- **NosyDownloader:** Downloads and runs payloads in memory over HTTP.
- **NosyLogger:** Keylogger that stages encrypted data.
- Additional tools include a reverse SOCKS5 proxy and an argument runner.
- **Infrastructure (C&C):**
- Microsoft OneDrive
- Google Drive
- Google Docs
- C&C traffic is carried over HTTPS to these services' web APIs (MITRE ATT&CK ID: T1071.001, Web Protocols).
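Because the C&C endpoints are legitimate OneDrive and Google Drive services, the destination host name on its own is never a useful signal; what separates NosyDoor or NosyStealer traffic from normal use is the process that opened the connection. The script below is an added example, not ESET's code, that applies that rule to a constructed list of Sysmon Event ID 3 style records (timestamp, process image, destination host). The host patterns, allowlisted image paths and sample process paths are assumptions for illustration, not indicators from the report.

```python
"""Flag cloud-storage API traffic from processes that have no business there.

Added example; not ESET's code. Because NosyDoor and NosyStealer talk to
OneDrive and Google Drive, the destination host is never suspicious on its
own: the detection key is which process image opened the connection.
Input is a constructed list of Sysmon Event ID 3 style records
(timestamp, process image, destination host name).
"""
import fnmatch
from collections import Counter

# API and auth endpoints of the two services the report names. The list is an
# assumption drawn from the services' public endpoints; extend it from your
# own traffic baseline.
CLOUD_HOSTS = {
    "onedrive": ["graph.microsoft.com", "api.onedrive.com", "*.files.1drv.com",
                 "*.sharepoint.com", "login.microsoftonline.com"],
    "gdrive": ["www.googleapis.com", "drive.google.com", "docs.google.com",
               "oauth2.googleapis.com"],
}

# Images expected to reach those services (assumed install paths). Matching is
# on the full path, so a binary merely named OneDrive.exe in a user's Downloads
# folder does not inherit the exemption.
ALLOWED_IMAGES = {
    "onedrive": [
        r"C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\*.EXE",
    ],
    "gdrive": [r"C:\Program Files\Google\Drive File Stream\*\GoogleDriveFS.exe"],
}
BROWSERS = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]


def classify_host(host):
    """Return 'onedrive', 'gdrive' or None for a destination host name."""
    host = host.lower().rstrip(".")
    for service, patterns in CLOUD_HOSTS.items():
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return service
    return None


def image_allowed(image, service):
    """True if the process image is expected to talk to the service."""
    image = image.lower()
    return any(fnmatch.fnmatchcase(image, p.lower()) for p in ALLOWED_IMAGES[service] + BROWSERS)


def find_suspicious(events):
    """Aggregate unexpected (image, service) pairs with hit counts and first-seen time."""
    hits, first_seen = Counter(), {}
    for ts, image, host in events:
        service = classify_host(host)
        if service is None or image_allowed(image, service):
            continue
        key = (image, service)
        hits[key] += 1
        first_seen.setdefault(key, ts)
    return [
        {"image": image, "service": service, "count": count, "first_seen": first_seen[(image, service)]}
        for (image, service), count in sorted(hits.items())
    ]


# Constructed telemetry; the paths below are hypothetical, not indicators from the report.
SAMPLE_EVENTS = [
    ("2024-02-01T08:00:01Z", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "graph.microsoft.com"),
    ("2024-02-01T08:00:05Z", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "drive.google.com"),
    ("2024-02-01T08:01:10Z", r"C:\Windows\Temp\svchost.exe", "graph.microsoft.com"),
    ("2024-02-01T08:06:10Z", r"C:\Windows\Temp\svchost.exe", "graph.microsoft.com"),
    ("2024-02-01T08:02:00Z", r"C:\Users\bob\AppData\Roaming\updater.exe", "www.googleapis.com"),
    ("2024-02-01T08:03:00Z", r"C:\Users\bob\Downloads\OneDrive.exe", "api.onedrive.com"),
    ("2024-02-01T08:04:00Z", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "intranet.corp.local"),
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Office, Teams and many line-of-business applications also call Microsoft Graph, so the allowlist has to be built from a baseline of your own estate rather than copied; the point of the design is that the exemption is tied to a full image path, and that a sanctioned binary name appearing in a temp or profile directory is itself a finding.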
## Implications
LongNosedGoblin represents a focused cyberespionage threat aimed at sensitive governmental infrastructure in the Asia-Pacific region. Its reliance on **Group Policy** implies that the actor had already obtained privileged Active Directory access (the right to create or modify GPOs) and understands standard enterprise administration well enough to turn it into a rapid, domain-wide deployment channel. The use of legitimate cloud services (OneDrive, Google Drive) for C&C makes detection and attribution harder, because the traffic blends with legitimate use of the same services.
## Mitigations
- **Monitor Group Policy Objects (GPOs):** Enforce strict auditing and change control for GPOs, especially those that add scheduled tasks, startup or logon scripts, or software installs, since Group Policy is the group's primary deployment vector; alert on GPO creation or modification outside the change process.
- **Cloud Configuration Review:** Baseline which processes legitimately talk to OneDrive and Google Drive APIs and alert on any other process doing so, since the host names alone are not suspicious; restrict bulk transfer to external, non-corporate accounts where policy allows.
- **AMSI Coverage:** Ensure EDR consumes AMSI events and blocks on them, and treat AMSI tampering (patching `amsi.dll` or disabling the provider) as a detection in its own right, since several of the group's tools attempt to bypass AMSI.
- **Browser Data Security:** Monitor non-browser processes that read browser profile databases (Chrome, Edge, Firefox history and credential stores), as NosyHistorian collects this information to decide where to deploy next.
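The GPO mitigation above is easiest to act on with a concrete audit of what the policies in SYSVOL will actually execute. The script below is an added example, not ESET's code and not the actor's; the report says the group used Group Policy but not which setting, so the script covers two common execution mechanisms, Group Policy Preferences scheduled/immediate tasks (`ScheduledTasks.xml`) and machine startup scripts (`scripts.ini`), and runs over a constructed SYSVOL-shaped tree whose GUIDs, commands and paths are made up.

```python
"""Audit GPOs in SYSVOL for settings that execute code on domain members.
Added example, not ESET's or the actor's code. The report names Group Policy
as the deployment vector but not the setting, so this covers two common ones:
GPP scheduled/immediate tasks (ScheduledTasks.xml) and startup scripts
(scripts.ini). The SYSVOL tree, GUIDs and paths below are constructed."""
import configparser
import os
import tempfile
import xml.etree.ElementTree as ET

# Script hosts and LOLBins whose appearance in a GPO command line deserves triage.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "wscript.exe", "cscript.exe", "msiexec.exe", "certutil.exe"}

TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-NoProfile -WindowStyle Hidden -File \\dc01\netlogon\update.ps1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""
# Real scripts.ini files are UTF-16 with a BOM; the sample is written that way.
SCRIPTS_INI = "[Startup]\n0CmdLine=\\\\dc01\\SYSVOL\\contoso.local\\scripts\\inventory.cmd\n0Parameters=/quiet\n"


def _is_interpreter(command):
    name = command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in INTERPRETERS


def _finding(gpo, source, kind, command, args):
    return {"gpo": gpo, "source": source, "kind": kind, "command": command,
            "args": args, "interpreter": _is_interpreter(command)}


def parse_scheduled_tasks(path, gpo):
    """One finding per GPP task; handles the V2 (element) and V1 (attribute) schemas."""
    findings = []
    for task in ET.parse(path).getroot():
        props = task.find("Properties")
        if props is None:
            continue
        exe = props.find("Task/Actions/Exec")
        if exe is not None:
            command, args = (exe.findtext("Command") or ""), (exe.findtext("Arguments") or "")
        else:
            command, args = props.get("appName", ""), props.get("args", "")
        findings.append(_finding(gpo, "ScheduledTasks.xml", task.tag, command.strip(), args.strip()))
    return findings


def parse_scripts_ini(path, gpo):
    """One finding per <n>CmdLine entry in the [Startup]/[Shutdown] sections."""
    raw = open(path, "rb").read()
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep "0CmdLine" capitalisation
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg[section].items():
            if key.endswith("CmdLine"):
                params = cfg[section].get(key[:-7] + "Parameters", "")
                findings.append(_finding(gpo, "scripts.ini", section, value.strip(), params.strip()))
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL copy; the GPO GUID is taken from the Policies/{GUID} path component."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        parts = dirpath.replace("\\", "/").split("/")
        gpo = next((p for p in parts if p.startswith("{") and p.endswith("}")), "?")
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == "scheduledtasks.xml":
                findings += parse_scheduled_tasks(full, gpo)
            elif name.lower() == "scripts.ini":
                findings += parse_scripts_ini(full, gpo)
    return sorted(findings, key=lambda f: (f["gpo"], f["source"]))


def build_sample_sysvol():
    """Write the constructed artifacts into a temporary SYSVOL-shaped tree."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    policies = os.path.join(base, "contoso.local", "Policies")
    tasks_dir = os.path.join(policies, "{A1B2C3D4-0000-4000-8000-00000000AAAA}", "Machine", "Preferences", "ScheduledTasks")
    scripts_dir = os.path.join(policies, "{A1B2C3D4-0000-4000-8000-00000000BBBB}", "Machine", "Scripts")
    os.makedirs(tasks_dir)
    os.makedirs(scripts_dir)
    with open(os.path.join(tasks_dir, "ScheduledTasks.xml"), "w", encoding="utf-8") as fh:
        fh.write(TASKS_XML)
    with open(os.path.join(scripts_dir, "scripts.ini"), "wb") as fh:
        fh.write(SCRIPTS_INI.encode("utf-16"))
    return base


if __name__ == "__main__":
    for finding in scan_sysvol(build_sample_sysvol()):
        print(finding)
```

Point it at a read-only copy of `\\<domain>\SYSVOL` and diff the output between runs: a new `ImmediateTaskV2` that runs a script host from a UNC path as SYSTEM, or a startup script that appeared outside change control, is exactly the shape a Group Policy deployment of tooling takes. The same two files are worth watching for modification on the domain controllers' SYSVOL share in real time, since Group Policy Preferences changes do not always surface as obvious GPO version bumps in console views.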