“The threat actors leveraged many novel evasion methods, such as overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and evasive methods of executing their payloads,” the researchers said.
The attackers used a number of malware payloads that have been documented before in connection with other cyberespionage attacks. These include Mustang Panda’s custom data exfiltration tool NUPAKAGE, the Merlin C2 Agent, the Cobalt Strike penetration testing beacon, the PhantomNet backdoor, the RUDEBIRD malware, and the PowHeartBeat backdoor.
However, the researchers also identified new malware components that had never been documented before at the time. One of them is a backdoor that Sophos has dubbed CCoreDoor, which has commands that allow attackers to discover information about their environment, move laterally through the network, dump credentials and establish communications with an external C2 server.