info@thehackernews.com (The Hacker News)
2024-11-27 06:14:00
thehackernews.com
The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.
That’s according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.
“In this attack, an email purporting to be from a prospective employee was sent to the organization’s recruiting contact, infecting the contact with malware,” the agency said.
APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that’s known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.
The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk drive (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut (“Self-Introduction.lnk”).
The LNK file is responsible for triggering the subsequent steps in the infection chain, while also displaying the lure document as a distraction.
This entails launching a downloader/dropper payload named “SecureBootUEFI.dat” which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device using the HTTP referer field. The string value is derived from the computer name, home directory, and the user name and encoded.
The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as “Service.dat,” which downloads two more artifacts from a different Bitbucket repository – “cbmp.txt” and “icon.txt” – which are saved as “cn.dat” and “sp.dat,” respectively.
“Service.dat” also persists “cn.dat” on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor (“sp.dat”).
The backdoor, for its part, establishes contact with a command-and-control server (“103.187.26[.]176”) and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.
It’s worth noting that cybersecurity firms Chuangyu 404 Lab and Positive Technologies have independently reported on identical campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.
“Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims’ devices,” Positive Technologies said. “One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system’s protective mechanisms.”
Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.
Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.
Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.