APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign


Nov 27, 2024 | Ravie Lakshmanan | Malware / Cyber Espionage

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.

That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.

“In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware,” the agency said.

APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.


The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk drive (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut ("Self-Introduction.lnk").

The LNK file is responsible for triggering the next steps in the infection chain, while also displaying the lure document as a distraction.

This involves launching a downloader/dropper payload named "SecureBootUEFI.dat" which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim machine using the HTTP referer field. The string value is derived from the computer name, home directory, and the user name and encoded.
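
The referer abuse described above leaves a detectable trace in outbound web logs: a request to the analytics service whose Referer is not a URL at all. The following detection logic is an added example, not code from JPCERT/CC or the article; the log format, the `statcounter.com` host match and the sample lines are constructed assumptions, and the opaque token stands in for the encoded victim identifier (its real encoding is not described on the page).

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines in an assumed format:
# "<timestamp> <client-ip> <method> <url> referer=<value>"
# The base64-looking token is a constructed stand-in, not a real indicator.
SAMPLE_LOG = """\
2024-08-12T09:14:03Z 10.0.0.21 GET https://c.statcounter.com/t.php?sc_project=1 referer=https://intranet.example.local/
2024-08-12T09:14:05Z 10.0.0.21 GET https://c.statcounter.com/t.php?sc_project=1 referer=V09SS1BDLTAxfEM6XFVzZXJzXGFsaWNlfGFsaWNl
2024-08-12T09:14:09Z 10.0.0.33 GET https://www.example.com/ referer=-
2024-08-12T09:15:40Z 10.0.0.21 GET https://www.example.org/jobs referer=https://www.example.com/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) referer=(?P<referer>\S*)$"
)


def is_url_like(value: str) -> bool:
    """A legitimate Referer is either absent ('-' or empty) or an http(s) URL with a host."""
    if value in ("", "-"):
        return True
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def suspicious_tracker_requests(log_text: str, tracker_domain: str = "statcounter.com") -> list:
    """Return requests to the tracker domain whose Referer does not look like a URL.

    A browser sets Referer to the page that embedded the tracker, so a bare
    token in that field is a strong sign the request was crafted by a client
    smuggling data (such as an encoded host/user identifier) through the service.
    """
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        host = urlparse(match["url"]).hostname or ""
        if host != tracker_domain and not host.endswith("." + tracker_domain):
            continue
        if not is_url_like(match["referer"]):
            hits.append({"ts": match["ts"], "client": match["client"], "referer": match["referer"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_tracker_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} non-URL referer to tracker: {hit['referer']}")
```

Pairing a hit like this with a subsequent download from a code-hosting service by the same client would reproduce the sequence the report describes.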

SpyGlace Backdoor

The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which are saved as "cn.dat" and "sp.dat," respectively.

"Service.dat" also persists "cn.dat" on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor ("sp.dat").

The backdoor, for its part, establishes contact with a command-and-control server ("103.187.26[.]176") and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.


It's worth noting that cybersecurity companies Chuangyu 404 Lab and Positive Technologies have independently reported on similar campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.

“Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims' devices,” Positive Technologies said. “One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system's protective mechanisms.”
