Keypoints
- NOOPLDR-DLL variants achieve persistence by modifying legitimate DLLs and exporting a randomly-named ServiceMain to be loaded by svchost.exe (DLL side-loading).
- Strings and code are obfuscated (control flow flattening, XOR) and shellcode is stored encrypted in registry keys or .dat files to avoid disk artifacts.
- Shellcode decryption uses AES-CBC with an IV derived from the MachineId and a key derived via WinAPI Crypto functions (SHA1/SHA384-based derivation of AES keys).
- Code execution/injection uses WinAPI patterns or native APIs with dynamically resolved syscalls (e.g., NtCreateThreadEx) to bypass user-mode hooks.
- NOOPLDR-C# leverages msbuild.exe to compile and run heavily obfuscated C# from XML, which computes machine-specific hashes, validates integrity, decrypts shellcode, writes to registry, and injects payloads.
- NOOPDOOR payloads implement API hashing/overwriting, anti-debugging process checks, a DGA for C2 domains, a custom TCP protocol for exfiltration, and optional internal C2 server capabilities.
- Defensive recommendations include hunting for msbuild.exe with XML, unsigned DLLs loaded by svchost.exe, and DGA-like DNS behavior; IOCs and hashes for NOOPLDR/NOOPDOOR are provided.
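As an added illustration of the hunting guidance above (not code from the report), the following Go function applies the three checks to a constructed, Sysmon-style event sample; the Event schema, its field names and the NXDOMAIN threshold of 3 are assumptions made for this example.

```go
package main

import "strings"

// Event is an assumed minimal Sysmon/EDR-style record for this example: Image is
// the acting process for "process"/"dns" events and the DLL path for "imageload".
type Event struct {
	Kind, Image, Parent, CmdLine, Query, Result string
	Signed                                      bool // DLL signature status
}
const dgaThreshold = 3 // distinct NXDOMAIN names from one process before flagging

// Hunt applies the report's three hunting recommendations (msbuild.exe with an
// .xml project, unsigned System32 DLLs in svchost.exe, DGA-like NXDOMAIN bursts).
func Hunt(events []Event) []string {
	var findings []string
	nx, seen := map[string]int{}, map[string]bool{} // per-process distinct NXDOMAINs
	for _, e := range events {
		img, parent := strings.ToLower(e.Image), strings.ToLower(e.Parent)
		switch e.Kind {
		case "process":
			if strings.HasSuffix(img, `\msbuild.exe`) && strings.Contains(strings.ToLower(e.CmdLine), ".xml") {
				findings = append(findings, "msbuild.exe given an XML project: "+e.CmdLine)
			}
		case "imageload":
			if !e.Signed && strings.HasPrefix(img, `c:\windows\system32\`) && strings.HasSuffix(parent, `\svchost.exe`) {
				findings = append(findings, "unsigned DLL loaded by svchost.exe: "+e.Image)
			}
		case "dns":
			if e.Result == "NXDOMAIN" && !seen[img+"|"+e.Query] {
				seen[img+"|"+e.Query] = true
				nx[img]++
				if nx[img] == dgaThreshold { // fires once per process
					findings = append(findings, "DGA-like NXDOMAIN burst from "+e.Image)
				}
			}
		}
	}
	return findings
}

// SampleEvents is constructed telemetry for this example, not data from the report.
var SampleEvents = []Event{
	{Kind: "process", Image: `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe`, CmdLine: `MSBuild.exe C:\Users\Public\build.xml`},
	{Kind: "imageload", Parent: `C:\Windows\System32\svchost.exe`, Image: `C:\Windows\System32\constructed.dll`},
	{Kind: "dns", Image: `C:\Windows\System32\svchost.exe`, Query: "a.example", Result: "NXDOMAIN"},
	{Kind: "dns", Image: `C:\Windows\System32\svchost.exe`, Query: "b.example", Result: "NXDOMAIN"},
	{Kind: "dns", Image: `C:\Windows\System32\svchost.exe`, Query: "b.example", Result: "NXDOMAIN"}, // repeat, counted once
	{Kind: "dns", Image: `C:\Windows\System32\svchost.exe`, Query: "c.example", Result: "NXDOMAIN"},
}
```

Running Hunt over SampleEvents yields one finding per rule; the repeated b.example lookup is deduplicated, so the DGA rule only fires once the third distinct NXDOMAIN name is seen.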
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used for initial access. [‘Used for initial access through exploitation.’]
- [T1566] Phishing – Used to gain initial access. [‘Utilized to gain initial access to systems.’]
- [T1053.005] Scheduled Task – Implemented for execution persistence. [‘Implemented for execution persistence.’]
- [T1569.002] Service Execution – Used to execute malicious services. [‘Used to execute malicious services.’]
- [T1047] Windows Management Instrumentation – Exploited for executing commands and scripts. [‘Exploited for executing commands and scripts.’]
- [T1543.003] Windows Service – Created to maintain persistence. [‘Created to maintain persistence.’]
- [T1574.002] DLL Side-Loading – Utilized to load malicious code via legitimate DLLs. [‘Utilized to load malicious code via legitimate DLLs.’]
- [T1055] Process Injection – Employed to inject shellcode into other processes. [‘Employed to inject shellcode into other processes.’]
- [T1070.001] Clear Windows Event Logs – Used to evade detection by clearing logs. [‘Used to evade detection by clearing logs.’]
- [T1070.004] File Deletion – Employed to remove traces of malicious files. [‘Employed to remove traces of malicious files.’]
- [T1070.006] Timestomp – Used to manipulate file timestamps. [‘Used to manipulate file timestamps.’]
- [T1112] Modify Registry – Manipulated registry keys for persistence and storing encrypted shellcode. [‘Manipulated registry keys for persistence.’]
- [T1127.001] MsBuild – Exploited for executing malicious scripts via msbuild.exe and XML/.csproj. [‘Exploited for executing malicious scripts.’]
- [T1140] Deobfuscate/Decode Files or Information – Used to decode obfuscated code and strings. [‘Used to decode obfuscated code.’]
- [T1622] Debugger Evasion – Implemented to avoid detection by debuggers and anti-analysis checks. [‘Implemented to avoid detection by debuggers.’]
- [T1071] Application Layer Protocol – Used for command and control communications over custom TCP. [‘Used for command and control communications.’]
- [T1568.002] Domain Generation Algorithms – Utilized to generate C2 domain names. [‘Utilized to generate C2 domain names.’]
- [T1573] Encrypted Channel – Used for secure communications with C2 servers. [‘Used for secure communications with C2 servers.’]
- [T1546.003] Windows Management Instrumentation Event Subscription – Used as a persistence mechanism (WMI consumer events). [‘Used as a persistence mechanism via WMI consumer events.’]
- [T1562.004] Disable or Modify System Firewall – Used to add firewall rules (e.g., via COM or netsh) to enable C2. [‘Used to add or modify firewall rules to enable C2.’]
Indicators of Compromise
- [Domains] NOOPDOOR C2 examples – ocouomors[.]com, 3utilities[.]com, and 10 other domains listed in the report
- [File Hashes] NOOPLDR / NOOPLDR-C# examples – ea474e87f23ce6575057e76108665ffb (NOOPLDR-DLL), fe36fd0f09aadd3e7ddd7b66f18d5e93 (NOOPLDR-C#), and several more hashes
- [Registry Keys] Shellcode storage and config – HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences, HKEY_LOCAL_MACHINE\Software\License, and multiple HKCU paths
- [Ports] Internal C2 listener ports observed – 5984, 47000, 8532
- [File / Process Names] Loader files and execution artifacts – msbuild.exe invoked with .xml (NOOPLDR-C#), modified DLLs in C:\Windows\System32 loaded by svchost.exe
NOOPLDR-DLL variants achieve persistence by altering legitimate DLLs: analysts observed unsigned DLLs placed under C:\Windows\System32 with a modified section exported under a randomly generated function name and invoked as the service’s ServiceMain inside svchost.exe – this makes DLL side-loading the primary service persistence pathway. The loader’s binary is heavily obfuscated (control flow flattening) and stores service strings XOR-encoded in .rdata; scripts that decode those strings reveal service registration commands (sc start/sc sdset) and the registry paths used to host encrypted payloads.
Decryption and execution are machine-tied: NOOPLDR reads encrypted shellcode from specified registry keys or a provided .dat file, derives AES keys using WinAPI crypto functions (hashing MachineId + NULL + hardcoded bytes to create a SHA1/SHA384-based key), and uses AES-CBC with an IV derived from the first 16 bytes of MachineId to decrypt. After integrity verification (embedded SHA256), the loader either allocates and executes shellcode in-process via NtProtectVirtualMemory or injects into a spawned child process using CreateProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread patterns; many operations call native APIs via dynamically resolved syscalls (the system service number, SSN, is resolved per Windows version) to bypass user-mode hooks.
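To make the machine-tied decryption flow concrete for analysts who recover an encrypted blob from a registry export, here is an added Go example (not the loader's code and not from the report). It assumes the WinAPI derivation is SHA1 run through CryptDeriveKey's documented expansion into a 256-bit AES key (the report only says SHA1/SHA384), uses a placeholder for the hardcoded bytes, and assumes PKCS#7 padding; real samples may differ on any of these.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
)

// The report does not give the loader's hardcoded bytes; this value is a placeholder,
// as are the choice of SHA1 (the report says SHA1/SHA384) and a 256-bit AES key.
var hardcodedBytes = []byte("PLACEHOLDER_HARDCODED_BYTES")

// DeriveKey hashes MachineId + NULL + hardcodedBytes with SHA1, then applies the
// documented CryptDeriveKey expansion for non-SHA-2 hashes (0x36/0x5C pads, re-hash, concatenate).
func DeriveKey(machineID string) []byte {
	base := sha1.Sum(append(append([]byte(machineID), 0x00), hardcodedBytes...))
	inner, outer := bytes.Repeat([]byte{0x36}, 64), bytes.Repeat([]byte{0x5C}, 64)
	for i, b := range base {
		inner[i] ^= b
		outer[i] ^= b
	}
	h1, h2 := sha1.Sum(inner), sha1.Sum(outer)
	return append(h1[:], h2[:]...)[:32]
}

// DecryptPayload runs AES-CBC with IV = first 16 bytes of MachineId, strips the
// (assumed) PKCS#7 padding and checks the result against the embedded SHA256.
func DecryptPayload(machineID string, blob, embeddedSHA256 []byte) ([]byte, error) {
	if len(machineID) < aes.BlockSize || len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("MachineId too short or blob not block-aligned")
	}
	block, err := aes.NewCipher(DeriveKey(machineID))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, []byte(machineID[:aes.BlockSize])).CryptBlocks(out, blob)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(out) {
		return nil, errors.New("bad padding: wrong MachineId or hardcoded bytes?")
	}
	out = out[:len(out)-pad]
	if sum := sha256.Sum256(out); !bytes.Equal(sum[:], embeddedSHA256) {
		return nil, errors.New("integrity check failed")
	}
	return out, nil
}
```

Because key and IV both come from MachineId, a blob exported from one host will not decrypt on another; DecryptPayload reports that as a padding or integrity failure rather than returning garbage.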
NOOPLDR-C# implements the same core flow embedded in an MSBuild XML: msbuild.exe compiles and runs obfuscated C# which computes a machine-specific SHA256/SHA384 (MachineName + salt + MachineId), locates or stores encrypted shellcode (writing to registry if loaded from disk), performs integrity checks, decrypts with AES, and injects the payload. The injected NOOPDOOR shellcode provides client/server C2 capabilities: API name hashing and overwrite, anti-debugging (process snapshot checks against lists like x64dbg/ollydbg/Procmon), a DGA that hashes time-modified URL strings to produce rotating domains, a custom TCP protocol for exfiltration, and optional server functionality (listening on ports like 5984 and adding firewall rules via COM or netsh to allow inbound connections).
Read more: https://www.cybereason.com/blog/cuckoo-spear-pt2-threat-actor-arsenal