Balaji
2024-12-11 09:19:00
gbhackers.com
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber attack against organizations in Japan, believed to have been conducted by the cyber espionage group APT-C-60.
The attackers used phishing techniques, masquerading as a job applicant to infiltrate the victim’s system and deploy advanced malware.
Details of the Attack: Initial Penetration via Phishing
The attack began with a targeted phishing email sent to the recruitment contact point of the targeted organization.
The email contained a Google Drive link that, when accessed, led to the download of a malicious VHDX file (a virtual hard disk format).
Upon mounting the VHDX file, it revealed several components, including decoy documents and an LNK file titled “Self-Introduction.lnk.”
This shortcut file leveraged the legitimate executable file git.exe
to execute a script (IPML.txt).
The IPML.txt script performed multiple actions, such as:
- Opening a decoy document to avoid raising suspicion.
- Creating a downloader file named SecureBootUEFI.dat.
- Establishing persistence through COM hijacking (modifying the COM interface ID F82B4EF1-93A9-4DDE-8015-F7950A1A6E31).
This downloader subsequently communicated with the legitimate cloud services Bitbucket and StatCounter, highlighting the attackers’ strategy of abusing trusted platforms.
Downloader Analysis
The downloader (SecureBootUEFI.dat) showcased the following behavior:
- Device Identification: The malware first connected to StatCounter to transmit unique device information, including the computer name, user name, and home directory. The attackers encoded this information using an XOR cipher and included it in the StatCounter referrer URL.
- Fetching Secondary Payload: SecureBootUEFI.dat then contacted Bitbucket to download a malicious file, Service.dat, using the encoded device identifier to locate the payload. This file was saved and executed in the Windows Shell directory.
The Service.dat downloader continued the infection chain by retrieving two additional payloads (cbmp.txt and icon.txt) from another Bitbucket repository.
These files were decoded and saved as cn.dat and sp.dat, then deployed using further COM hijacking techniques.
The final payload, a backdoor malware known as SpyGrace (version 3.1.6), was deployed to give attackers continued access to the compromised system.
The malware demonstrates several sophisticated tactics, including checking network connectivity, executing malicious files within specific system directories, and employing advanced programming techniques, such as using the initterm function, to evade detection tools effectively.
Connections to Previous Campaigns
This attack shares similarities with campaigns observed from August to September 2024, targeting organizations across Japan, South Korea, and China.
Reports from security vendors identified a pattern of abuse of legitimate services like Bitbucket and StatCounter, as well as persistence through COM hijacking.
Decoy documents found in the recycle bin of the VHDX file indicate the attackers tailored their phishing emails for these regions.
SOC and DFIR teams can collect the indicators of compromise at the bottom of the detailed technical report.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.
Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.