The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed a sophisticated cyber attack against organizations in Japan, believed to have been carried out by the cyber espionage group APT-C-60.
The attackers used phishing techniques, masquerading as a job applicant, to infiltrate the victim’s system and deploy advanced malware.
Details of the Attack: Initial Penetration via Phishing
The attack began with a targeted phishing email sent to the recruitment contact point of the targeted organization.
The email contained a Google Drive link that, when accessed, led to the download of a malicious VHDX file (a virtual hard disk format).


Upon mounting the VHDX file, it revealed several components, including decoy documents and an LNK file titled “Self-Introduction.lnk.”
This shortcut file leveraged the legitimate executable git.exe to execute a script (IPML.txt).
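As a triage aid for the delivery stage just described (an added example, not code from JPCERT/CC or from the report), the following PowerShell mounts a suspect VHDX read-only and lists every shortcut inside it together with its real target and arguments, flagging targets such as git.exe that a “self-introduction” shortcut has no business launching. The image path and the list of suspect executables are assumptions for illustration.

```powershell
# Triage an attacker-supplied VHDX without running anything inside it.
# Added example, not code from JPCERT/CC or from the report. Assumes
# Windows 10/Server 2016 or later (Storage module: Mount-DiskImage) and
# PowerShell 5.1+. The image path below is a placeholder.
param([string]$VhdxPath = 'C:\triage\sample.vhdx')

# Legitimate binaries that shortcuts routinely abuse; git.exe is the one
# this campaign used. The list is an assumption for illustration.
$SuspectTargets = @('git.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                    'rundll32.exe', 'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'msiexec.exe')

function Get-LnkDetails {
    param([string]$LnkPath)
    # WScript.Shell parses the shortcut structure; it does not launch it.
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($LnkPath)
    [pscustomobject]@{
        Lnk       = $LnkPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        WorkDir   = $lnk.WorkingDirectory
        Icon      = $lnk.IconLocation
    }
}

function Invoke-VhdxLnkTriage {
    param([string]$ImagePath)
    # Read-only mount: nothing in the image can be modified or auto-run.
    Mount-DiskImage -ImagePath $ImagePath -Access ReadOnly | Out-Null
    try {
        $diskNumber = (Get-DiskImage -ImagePath $ImagePath).Number
        $letters = (Get-Partition -DiskNumber $diskNumber | Get-Volume |
                    Where-Object DriveLetter).DriveLetter
        foreach ($d in $letters) {
            # -Force includes hidden items such as $RECYCLE.BIN, where the
            # report found tailored decoy documents.
            Get-ChildItem "${d}:\" -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $info = Get-LnkDetails $_.FullName
                    $leaf = if ($info.Target) { Split-Path -Leaf $info.Target } else { '' }
                    $verdict = if ($SuspectTargets -contains $leaf) { 'SUSPECT: LOLBin target' } else { 'review' }
                    $info | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
                }
        }
    }
    finally {
        Dismount-DiskImage -ImagePath $ImagePath | Out-Null
    }
}

Invoke-VhdxLnkTriage -ImagePath $VhdxPath | Format-List
```

Run it from an analysis VM, not a production host: the mount is read-only and the shortcut is only parsed, but the image is still attacker-controlled content. A shortcut whose Target is git.exe with Arguments pointing at a non-script file such as a .txt is the pattern to look for here.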
The IPML.txt script performed several actions, such as:
- Opening a decoy document to avoid raising suspicion.
- Creating a downloader file named SecureBootUEFI.dat.
- Establishing persistence through COM hijacking (hijacking the COM object with ID F82B4EF1-93A9-4DDE-8015-F7950A1A6E31).
This downloader subsequently communicated with the legitimate cloud services Bitbucket and StatCounter, highlighting the attackers’ strategy of abusing trusted platforms.
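The persistence step above is the one a responder can check quickly. The following PowerShell (an added example, not JPCERT/CC’s code) enumerates per-user CLSID registrations under HKCU and reports those that shadow a machine-wide class, point at a non-DLL or user-writable server, or match the CLSID and file names given in this report. It assumes a live Windows host, or a mounted image whose user hive has been loaded under HKCU; the heuristics are the example’s own.

```powershell
# Hunt for user-scope COM hijacking of the kind described above.
# Added example, not JPCERT/CC code. Assumes a live Windows host (or a
# mounted image whose user hive is loaded under HKCU) and PowerShell 5.1+.

# CLSID and dropped file names taken from the report; the heuristics that
# follow are this example's own.
$KnownClsid = '{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}'
$KnownNames = @('SecureBootUEFI.dat', 'Service.dat', 'cn.dat', 'sp.dat')

function Get-ComHijackCandidates {
    $findings = @()
    $userRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $machRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return $findings }

    foreach ($key in Get-ChildItem $userRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $inproc = "$($key.PSPath)\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }

        $reasons = @()
        # HKCU\Software\Classes is consulted before HKLM, so a per-user entry
        # for a CLSID that also exists machine-wide is the hijack primitive.
        if (Test-Path "$machRoot\$clsid") { $reasons += 'shadows machine-wide CLSID' }
        if ($clsid -ieq $KnownClsid)      { $reasons += 'CLSID named in the APT-C-60 report' }

        $leaf = Split-Path -Leaf ($server.Trim('"'))
        if ($leaf -notmatch '\.dll$')    { $reasons += "server is not a .dll ($leaf)" }
        if ($KnownNames -contains $leaf) { $reasons += 'file name matches a reported artifact' }
        if ($server -match '(?i)\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') {
            $reasons += 'server lives in a user-writable path'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                CLSID   = $clsid
                Server  = $server
                Exists  = Test-Path -LiteralPath ($server.Trim('"'))
                Reasons = $reasons -join '; '
            }
        }
    }
    return $findings
}

Get-ComHijackCandidates | Format-Table -AutoSize
```

An empty result is not a clean bill of health: run it under each user profile on the host, since COM hijacking registered in HKCU is per-user, and treat any hit whose server file no longer exists (Exists = False) as evidence of cleanup rather than as noise.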
Downloader Analysis
The downloader (SecureBootUEFI.dat) exhibited the following behavior:
- Device identification: the malware first connected to StatCounter to transmit unique system information, including the computer name, user name, and home directory. The attackers encoded this information with an XOR cipher and embedded it in the referrer URL sent to StatCounter.
- Fetching the secondary payload: SecureBootUEFI.dat then contacted Bitbucket to download a malicious file, Service.dat, using the encoded system identifier to locate the payload. This file was saved and executed in the Windows Shell directory.
The Service.dat downloader continued the infection chain by retrieving two additional payloads (cbmp.txt and icon.txt) from another Bitbucket repository.
These files were decoded and saved as cn.dat and sp.dat, then deployed using further COM hijacking techniques.
The final payload, a backdoor known as SpyGrace (version 3.1.6), was deployed to give the attackers continued access to the compromised system.
The malware demonstrates several sophisticated tactics, including checking network connectivity, executing malicious files within specific system directories, and using advanced programming techniques, such as the initterm function (a C runtime routine that runs a module’s initializer table before its entry point), to evade detection tools effectively.
Connections to Previous Campaigns
This attack shares similarities with campaigns observed from August to September 2024, targeting organizations across Japan, South Korea, and China.
Reports from security vendors identified a pattern of abuse of legitimate services like Bitbucket and StatCounter, as well as persistence through COM hijacking.
Decoy documents found in the recycle bin of the VHDX file indicate that the attackers tailored their phishing emails for these regions.
SOC and DFIR teams can collect the indicators of compromise at the bottom of the detailed technical report.