Ethical Hacking News

APT-C-60 Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor: A Complex Web of Malware and Cyber Espionage




APT-C-60 has been linked to a complex cyber attack targeting an organization in Japan, leveraging legitimate services to deploy the SpyGlace backdoor. This article delves into the intricacies of this attack, exploring vulnerabilities exploited by APT-C-60 and the tactics used to deploy the SpyGlace backdoor.

  • The cyber attack targeted an organization in Japan using a job application-themed lure to deliver the SpyGlace backdoor.
  • APT-C-60, linked to a South Korea-aligned cyber espionage group, was responsible for the attack.
  • The attack exploited a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262).
  • The attackers used legitimate services such as Google Drive, Bitbucket, and StatCounter to bypass operating system protective mechanisms.
  • The attack demonstrated the sophistication and complexity of modern cyber attacks, highlighting the importance of vigilance in the face of emerging vulnerabilities.



    The cybersecurity landscape has been abuzz with the revelation of a sophisticated cyber attack that targeted an organization in Japan, leveraging a job application-themed lure to deliver the SpyGlace backdoor. The threat actor behind this attack, known as APT-C-60, is linked to a South Korea-aligned cyber espionage group that has been targeting East Asian countries. In this article, we will delve into the intricacies of this attack, exploring the vulnerabilities exploited by APT-C-60 and the tactics used to deploy the SpyGlace backdoor.

    According to findings from JPCERT/CC, the intrusion began with an email purportedly from a prospective employee, which infected the organization's recruiting contact with malware. This initial step marked the beginning of a complex attack chain that leveraged legitimate services such as Google Drive, Bitbucket, and StatCounter to transmit a unique string that could identify a victim device.

    The LNK file delivered by the lure, which triggers the subsequent steps in the infection chain, displayed a decoy document as a distraction while launching a downloader/dropper payload named "SecureBootUEFI.dat." This payload used StatCounter to transmit a string encoding the computer name, home directory, and user name, which was then used to access Bitbucket. The next stage of the attack downloaded two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which were saved as "cn.dat" and "sp.dat," respectively.

    The SpyGlace backdoor established contact with a command-and-control server ("103.187.26[.]176") and awaited further instructions, enabling it to steal files, load additional plugins, and execute commands. This backdoor is part of a larger arsenal of malware used by APT-C-60 and APT-Q-12 (aka Pseudo Hunter), which are sub-groups within the DarkHotel cluster.
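    As an added detection example (not code from the article or from JPCERT/CC), the script below scans EDR-style events for the chain described above: the staged file names, non-browser processes reaching the abused legitimate services, and connections to the reported C2 address. The key=value event format, the process name "loader.exe", the browser allowlist, and the sample events are all constructed assumptions.

```python
import re
from typing import List, Tuple

# Indicators taken from the write-up above; everything else is an assumption.
C2_IP = "103.187.26.176"  # written defanged as 103.187.26[.]176 in the article
STAGED_FILES = {"securebootuefi.dat", "cbmp.txt", "icon.txt", "cn.dat", "sp.dat"}
ABUSED_SERVICES = ("statcounter.com", "bitbucket.org", "drive.google.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    """Parse one key=value event line (hypothetical EDR export format)."""
    return dict(LINE_RE.findall(line))

def classify(ev: dict) -> List[str]:
    """Return the reasons a single event matches the reported attack chain."""
    reasons = []
    # Normalise Windows or POSIX paths and compare the bare file name.
    name = ev.get("file", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in STAGED_FILES:
        reasons.append(f"staging artifact written: {name}")
    if ev.get("dst") == C2_IP:
        reasons.append("connection to SpyGlace C2")
    host, proc = ev.get("host", "").lower(), ev.get("proc", "").lower()
    # Browsers legitimately talk to these services; other processes should not.
    if host.endswith(ABUSED_SERVICES) and proc not in BROWSERS:
        reasons.append(f"non-browser process {proc} reached {host}")
    return reasons

def scan(log: str) -> List[Tuple[int, str]]:
    """Scan a multi-line log and return (line number, reason) findings."""
    out = []
    for n, line in enumerate(log.strip().splitlines(), 1):
        for reason in classify(parse(line)):
            out.append((n, reason))
    return out

# Constructed sample events, not real telemetry.
SAMPLE_LOG = """
ts=1 proc=chrome.exe host=drive.google.com event=net_connect
ts=2 proc=explorer.exe file=C:\\Users\\hr\\Downloads\\SecureBootUEFI.dat event=file_write
ts=3 proc=loader.exe host=c.statcounter.com event=net_connect
ts=4 proc=loader.exe host=bitbucket.org event=net_connect
ts=5 proc=loader.exe file=C:\\ProgramData\\cn.dat event=file_write
ts=6 proc=loader.exe dst=103.187.26.176 event=net_connect
ts=7 proc=msedge.exe host=bitbucket.org event=net_connect
"""

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```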

    Cybersecurity firms Chuangyu 404 Lab and Positive Technologies have independently reported on identical campaigns delivering the SpyGlace malware, and have highlighted evidence that APT-C-60 and APT-Q-12 are sub-groups within the DarkHotel cluster. These findings underscore the evolving nature of cyber threats, as groups in the Asia region continue to use non-standard techniques to deliver their malware to victims' devices.

    The exploitation of a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) is particularly noteworthy. This vulnerability was observed being exploited by APT-C-60 in August 2024, leading to the deployment of SpyGlace and other custom backdoors. The use of legitimate services such as Google Drive, Bitbucket, and StatCounter to bypass operating system protective mechanisms highlights the creativity and adaptability of cyber attackers.

    The attack chain discovered by JPCERT/CC demonstrates the sophistication and complexity of modern cyber attacks. By leveraging a job application-themed lure, exploiting vulnerabilities in WPS Office, and using legitimate services to transmit malicious payloads, APT-C-60 has demonstrated its ability to evade detection and deploy sophisticated malware.

    In conclusion, the revelation of this attack highlights the ongoing evolution of cyber threats and the importance of vigilance in the face of emerging vulnerabilities. As cybersecurity firms continue to report on identical campaigns delivering malware such as SpyGlace, it is clear that APT-C-60 and its affiliates remain a significant threat to organizations worldwide.



    Related Information:

  • https://thehackernews.com/2024/11/apt-c-60-exploits-wps-office.html

  • https://thehackernews.com/2024/08/apt-c-60-group-exploit-wps-office-flaw.html

  • https://social.cyware.com/news/operation-deviltiger-apt-q-12s-shadowy-tactics-and-zero-day-exploits-unveiled-a7aa814a

  • https://www.hendryadrian.com/operation-deviltiger-apt-q-12s-shadowy-tactics-and-zero-day-exploits-unveiled/


  • Published: Wed Nov 27 05:39:37 2024 by llama3.2 3B Q4_K_M
