“Threat actors have used many novel evasion techniques, such as overwriting ntdll.dll in memory to remove the Sophos AV agent process from the kernel, exploiting AV software to sideload, and using various techniques to explore efficient and evasive exploits,” said the researchers.
The attackers used several malware payloads that have been previously documented in connection with other cyberespionage attacks. These include the Mustang Panda custom data filtering tool NUPAKAGE, the Merlin C2 Agent, the Cobalt Strike intrusion detection beacon, the PhantomNet backdoor, the RUDEBIRD malware, and the PowHeartBeat backdoor.
However, the researchers also identified new components of the malware that had not been documented before at the time. One of them is a backdoor that Sophos named CCoreDoor with commands that allow attackers to get information about their location, bypass the network, dump information and establish a connection with an external C2 server.
Source link