“The threat actors leveraged many novel evasion techniques, such as overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and evasive methods of executing their payloads,” the researchers said.
The attackers used several malware payloads that have been documented before in connection with other cyberespionage attacks. These include Mustang Panda’s custom data exfiltration tool NUPAKAGE, the Merlin C2 Agent, the Cobalt Strike penetration testing beacon, the PhantomNet backdoor, the RUDEBIRD malware, and the PowHeartBeat backdoor.
However, the researchers also identified new malware components that had not been documented before. One of them is a backdoor that Sophos has dubbed CCoreDoor, whose commands allow attackers to discover information about the compromised environment, move laterally through the network, dump credentials, and establish communications with an external C2 server.