The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.
That’s according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.
“In this attack, an email purporting to be from a prospective employee was sent to the organization’s recruiting contact, infecting the contact with malware,” the agency said.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that’s known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.
The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk drive (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut (“Self-Introduction.lnk”).
The LNK file is responsible for triggering the subsequent steps in the infection chain, while also displaying the lure document as a distraction.
This entails launching a downloader/dropper payload named “SecureBootUEFI.dat” which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device using the HTTP referer field. The string value is derived from the computer name, home directory, and the user name and encoded.
The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as “Service.dat,” which downloads two more artifacts from a different Bitbucket repository – “cbmp.txt” and “icon.txt” – which are saved as “cn.dat” and “sp.dat,” respectively.
“Service.dat” also persists “cn.dat” on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor (“sp.dat”).
The backdoor, for its part, establishes contact with a command-and-control server (“103.187.26[.]176”) and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.
It’s worth noting that cybersecurity firms Chuangyu 404 Lab and Positive Technologies have independently reported on identical campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.
“Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims’ devices,” Positive Technologies said. “One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system’s protective mechanisms.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
INTERPOL Busts African Cybercrime: 1,006 Arrests, 134,089 Malicious Networks Dismantled