APT-C-60 launched a phishing attack in August 2024, targeting domestic organizations with malicious emails disguised as job applications.
These emails, sent to recruitment departments, contained malware designed to compromise systems and potentially steal sensitive information.
The attack leverages a targeted phishing email to distribute a malicious VHDX file hosted on Google Drive.
Once mounted, the VHDX file releases an LNK file, which likely executes malicious code upon interaction, compromising the victim's system.


The LNK file triggers a malicious script that executes the legitimate git.exe to launch a downloader named SecureBootUEFI.dat, which persists on the system by hijacking a COM interface and registers itself to be executed automatically.
The SecureBootUEFI.dat malware initially contacts StatCounter to identify infected devices based on unique machine information.
Subsequently, it downloads a malicious payload from Bitbucket, using a unique URL path derived from device-specific information, and executes it locally.
The Service.dat malware downloads and decodes two files from a different Bitbucket repository; the files, encoded with Base64 and XOR, are decoded and written to the user's font directory and subsequently persisted via COM interface hijacking.


A backdoor named SpyGrace v3.1.6 confirms its identity through version information and components that match the previously reported v3.0, such as the command types and encryption keys.
Backdoor initialization begins by loading configuration data, creating a mutex (905QD4656:H) to prevent duplicate instances, and verifying network connectivity with api.ipfy.org.


Finally, it locates and executes specific file types (.exe, .dat, .db, and .ext) within the user's roaming profile directory (%appdata%\Microsoft\Vault\UserProfileRoaming).
Because the CRT's _initterm function runs prior to DllMain, it pre-processes this initialization phase and so influences the initial state of the DLL.
According to JPCERT, recent malware campaigns that leverage services like Bitbucket and StatCounter have employed COM hijacking for persistence; together with the similar campaigns targeting East Asian countries, this suggests a broader threat landscape involving sophisticated techniques and potential espionage motives.
The attack, targeting East Asia, leverages legitimate services such as Bitbucket and StatCounter to deliver malicious payloads, as reflected in the attack's tactics and techniques, the samples used and the command-and-control infrastructure.
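A defender-side check for the chain described above, written as an added example that is not part of the original article or of JPCERT's report: it scores constructed Sysmon-style process, registry and mutex records against the indicators in the text (git.exe spawning the .dat downloader, a per-user COM InprocServer32 hijack pointing at a user-writable path, the SpyGrace mutex, and execution from the Vault roaming-profile directory). The CLSID, the event field names, and every file path other than the Vault directory are assumptions.

```python
import re

# Indicators taken from the write-up: the SpyGrace mutex and the Vault profile path.
SPYGRACE_MUTEX = "905QD4656:H"
VAULT_DIR = r"\microsoft\vault\userprofileroaming"
# Generic COM-hijack shape: a CLSID InprocServer32 value under the per-user hive.
COM_SERVER_KEY = re.compile(r"\\software\\classes\\clsid\\\{[^}]+\}\\inprocserver32", re.I)
# Assumption: these path components are enough to flag a user-writable server path.
USER_WRITABLE = re.compile(r"\\(users|appdata|fonts)\\", re.I)


def check_event(ev: dict) -> list[str]:
    """Return the names of detections fired by one constructed telemetry record."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "").lower()
        image = ev.get("image", "").lower()
        # Stage 1: legitimate git.exe used to start the .dat downloader.
        if parent.endswith("\\git.exe") and ".dat" in cmd:
            hits.append("git_exe_launches_dat_downloader")
        # Final stage: backdoor executes files staged under the Vault roaming profile.
        if VAULT_DIR in image and image.endswith((".exe", ".dat", ".db", ".ext")):
            hits.append("vault_userprofileroaming_execution")
    elif kind == "registry":
        key, data = ev.get("target", ""), ev.get("data", "")
        # Persistence: HKCU InprocServer32 redirected to a payload in a user-writable directory.
        if key.lower().startswith("hkcu") and COM_SERVER_KEY.search(key) and USER_WRITABLE.search(data):
            hits.append("hkcu_com_inprocserver32_hijack")
    elif kind == "mutex" and ev.get("name") == SPYGRACE_MUTEX:
        hits.append("spygrace_mutex")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every record that fired at least one detection to its hits."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed telemetry, not real logs; the CLSID is an obvious placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "git.exe --version"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Git\cmd\git.exe",
     "command_line": r"C:\Users\u\AppData\Roaming\SecureBootUEFI.dat"},
    {"type": "registry", "target": r"HKCU\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32",
     "data": r"C:\Users\u\AppData\Local\Microsoft\Windows\Fonts\Service.dat"},
    {"type": "mutex", "name": "905QD4656:H"},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\Microsoft\Vault\UserProfileRoaming\update.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "update.exe"},
]
```

The first record (git.exe run normally from cmd.exe) is deliberately benign, so `scan(SAMPLE_EVENTS)` reports only records 1 to 4.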