The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.
That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.
“In this attack, an email purporting to be from a prospective employee was sent to the organization’s recruiting contact, infecting the contact with malware,” the agency said.
APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that is known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.
The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut (“Self-Introduction.lnk”).
The LNK file is responsible for triggering the next steps in the infection chain, while also displaying the lure document as a distraction.
This involves launching a downloader/dropper payload named “SecureBootUEFI.dat” which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device via the HTTP Referer field. The string value is derived from the computer name, home directory, and user name, and is then encoded.
The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as “Service.dat,” which downloads two more artifacts from a different Bitbucket repository – “cbmp.txt” and “icon.txt” – which are saved as “cn.dat” and “sp.dat,” respectively.
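The abuse of the Referer field described above leaves a detectable trace in web proxy logs: a request to an analytics service whose Referer is an opaque token rather than a page URL. The following Python is an added illustration, not code from the report or from JPCERT/CC; the log format, the sample lines, the host name c.statcounter.com and the base64 form of the token are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the report). Fields: timestamp, client IP,
# method, requested URL, Referer header as recorded by the proxy ("-" when absent).
# The second line carries an assumed base64 token in place of a page URL, standing in
# for the encoded "computer name|home directory|user name" identifier.
SAMPLE_LOG = """\
2024-08-12T09:14:02Z 10.0.0.21 GET https://c.statcounter.com/t.php?sc_project=1 https://example.org/blog/
2024-08-12T09:14:05Z 10.0.0.34 GET https://c.statcounter.com/t.php?sc_project=1 ZGVza3RvcC0wMXxDOlxVc2Vyc1xhbGljZXxhbGljZQ==
2024-08-12T09:14:07Z 10.0.0.34 GET https://bitbucket.org/someuser/somerepo/raw/main/Service.dat -
2024-08-12T09:14:09Z 10.0.0.40 GET https://www.example.com/ -
"""

# Five whitespace-separated fields; URLs and Referer values contain no spaces here.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Assumed analytics host; adjust to whatever tracker hosts appear in your own logs.
TRACKER_HOSTS = ("c.statcounter.com",)


def referer_is_url(value):
    """A legitimate Referer is an absolute http(s) URL; an absent header ("-") is normal."""
    if value == "-":
        return True
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def find_beacon_candidates(log_text, tracker_hosts=TRACKER_HOSTS):
    """Return (client, referer) pairs for requests to an analytics host whose Referer
    is not a URL, i.e. an opaque token that may be a victim identifier being exfiltrated."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole scan
        _, client, _, url, referer = match.groups()
        host = urlparse(url).hostname or ""
        if host in tracker_hosts and not referer_is_url(referer):
            hits.append((client, referer))
    return hits


if __name__ == "__main__":
    for client, token in find_beacon_candidates(SAMPLE_LOG):
        print(f"suspicious analytics beacon from {client}: referer={token}")
```

A hit on its own is only a lead; correlating the client with a subsequent download from a code-hosting site, as in the third sample line, strengthens the case.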
“Service.dat” also persists “cn.dat” on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor (“sp.dat”).
The backdoor, for its part, establishes contact with a command-and-control server (“103.187.26[.]176”) and awaits further instructions that allow it to steal files, load more plugins, and execute commands.
It’s worth noting that cybersecurity companies Chuangyu 404 Lab and Positive Technologies have independently reported on similar campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.
“Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims’ devices,” Positive Technologies said. “One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system’s protective mechanisms.”