Ethical Hacking News
A malware campaign delivering the SpyGlace backdoor has been attributed to APT-C-60. The infection chain abuses several legitimate services in turn: Google Drive hosts the lure, StatCounter receives a victim identifier in the HTTP Referer header, and Bitbucket repositories serve the later stages. The downloader persists one component through COM hijacking before launching the backdoor, which then contacts a command-and-control server. Because every hop talks to a service most organisations already allow, the traffic is hard to block on reputation alone, which is what makes the campaign notable.
The cyber threat landscape has witnessed numerous sophisticated attacks in recent times, with APT-C-60 being one such actor that has garnered significant attention for its highly advanced tactics. According to the latest findings from JPCERT/CC, APT-C-60 has been linked to a complex malware campaign known as SpyGlace, which leverages multiple legitimate services to infect victims' devices.
At the heart of this campaign are phishing emails built around job-application lures. Rather than carrying the payload directly, the email links to a file on Google Drive; opening it leads to a Windows shortcut that launches a downloader/dropper named "SecureBootUEFI.dat" on the victim's device (the full sequence is laid out below).
This downloader then uses StatCounter, a legitimate web analytics service, to report a string that uniquely identifies the victim device, placed in the HTTP Referer header of the request. The string is derived from the computer name, home directory and user name and then encoded; the encoding obscures the values in transit, but the point of the exercise is that the attacker can read them back from StatCounter's visitor logs without running any registration server of their own. The same encoded string is then used by the downloader to locate the next stage on Bitbucket, a popular code-hosting platform.
Upon accessing Bitbucket, the downloader retrieves the next stage, "Service.dat". This file in turn downloads two more artifacts from a different Bitbucket repository, "cbmp.txt" and "icon.txt", which are saved as "cn.dat" and "sp.dat" respectively. "Service.dat" then persists "cn.dat" on the compromised host through COM hijacking, that is, by registering the file as the server for a COM class that a legitimate process loads anyway; this is typically done under the current user's registry hive, which requires no elevation.
Once persistence is in place, "cn.dat" executes the SpyGlace backdoor ("sp.dat"), which contacts a command-and-control server at 103.187.26[.]176 and waits for instructions. The backdoor lets APT-C-60 steal files, load additional plugins and execute commands on the compromised device.
The abuse of Google Drive, Bitbucket and StatCounter is the defining feature of the campaign: every external connection in the chain goes to a widely used, reputable service, so domain-reputation filtering and allow-lists offer little protection, and detection has to rely on how those services are being used rather than on where the traffic goes.
Chuangyu 404 Lab and Positive Technologies have independently reported the same campaign delivering SpyGlace, and both point to evidence that APT-C-60 and APT-Q-12 (also known as Pseudo Hunter) are sub-groups within the DarkHotel cluster.
The attack chain as reconstructed by JPCERT/CC begins with a phishing email containing a link to a virtual hard disk (VHDX) file hosted on Google Drive. The disk image holds a decoy document and a Windows shortcut ("Self-Introduction.lnk"); the LNK file triggers the subsequent steps in the infection chain while displaying the lure document as a distraction.
This entails launching the downloader/dropper "SecureBootUEFI.dat", which uses StatCounter to transmit a string that uniquely identifies the victim device in the HTTP Referer header. The value is derived from the computer name, home directory and user name, then encoded.
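The Referer trick described above (and in the earlier summary of the chain) leaves a usable trace in proxy logs: a browser sends the URL of the page that embeds the counter, so an analytics request whose Referer is an opaque token rather than a URL is worth a look. The following is an added example written for this article, not code from JPCERT/CC, StatCounter or any vendor named here. The log format, client addresses and token are constructed, and the base64 layout of the identifier is an assumption (the article only says the three values are combined and encoded).

```python
"""Flag analytics-service requests whose Referer carries an opaque token.

Added example for this article, not code from JPCERT/CC, StatCounter or any
vendor named above. The downloader described in the text reports a victim
identifier to StatCounter in the HTTP Referer field, where a browser would
normally send the URL of the page that embeds the counter. A Referer that is
not a URL at all is therefore a usable proxy-log signal. The log format, the
client addresses and the token are constructed for the example; the real
encoding of the identifier is not documented here and base64 is an assumption.
"""
import base64
import re
import string
from urllib.parse import urlparse

# Analytics hosts that should only ever be reached with a page URL as Referer.
WATCHED_HOSTS = {"c.statcounter.com", "statcounter.com"}

# Characters seen in base64 / base64url / hex tokens. A Referer made only of
# these and long enough to carry an identifier is treated as opaque.
TOKEN_ALPHABET = set(string.ascii_letters + string.digits + "+/=_-")

# Assumed identifier layout (computer name, home directory, user name); the
# article states only that these three values are combined and encoded.
FAKE_VICTIM_ID = base64.b64encode(b"WIN-DEV01|C:\\Users\\alice|alice").decode()

# Constructed proxy lines: timestamp client method url status "referer" "user-agent"
SAMPLE_LOG = f"""\
1732695000.101 10.0.0.15 GET https://c.statcounter.com/t.php?sc_project=1234 200 "https://www.example.com/blog/post-1" "Mozilla/5.0"
1732695012.330 10.0.0.22 GET https://c.statcounter.com/t.php?sc_project=9876 200 "{FAKE_VICTIM_ID}" "Mozilla/5.0"
1732695020.007 10.0.0.22 GET https://api.internal.example/v1/ping 200 "{FAKE_VICTIM_ID}" "curl/8.4"
1732695031.450 10.0.0.40 GET https://c.statcounter.com/counter/counter.js 200 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_is_opaque(referer: str) -> bool:
    """True when the Referer is neither empty nor an http(s) URL but looks like
    an encoded token. Empty/"-" is left alone: direct image loads legitimately
    omit the header, so on its own it carries no signal."""
    if not referer or referer == "-":
        return False
    if urlparse(referer).scheme in ("http", "https"):
        return False
    return len(referer) >= 16 and all(c in TOKEN_ALPHABET for c in referer)


def find_beacons(log_text: str) -> list[dict]:
    """Return one record per request to a watched host with an opaque Referer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort a sweep
        host = urlparse(m["url"]).hostname or ""
        if host in WATCHED_HOSTS and referer_is_opaque(m["referer"]):
            hits.append({"client": m["client"], "host": host, "referer": m["referer"]})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}  Referer={hit['referer']}")
```

Only the second constructed line is flagged: the first carries a normal page URL, the third sends the token to a host that is not an analytics service (a different problem, outside this rule), and the fourth has no Referer at all. In practice the same check applies to any analytics or telemetry endpoint your proxy allows, and a decoded token that spells out a hostname and username is the confirmation.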
The downloader then accesses Bitbucket using the encoded string to retrieve the next stage, "Service.dat", which downloads two more artifacts from a different Bitbucket repository, "cbmp.txt" and "icon.txt", saved as "cn.dat" and "sp.dat" respectively.
"Service.dat" also persists "cn.dat" on the compromised host through COM hijacking, after which "cn.dat" executes the SpyGlace backdoor ("sp.dat"). The backdoor contacts its command-and-control server and awaits instructions to steal files, load additional plugins and execute commands.
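COM hijacking, named twice above as the persistence step, works because Windows consults the per-user class registrations (HKCU\Software\Classes\CLSID) before the machine-wide ones (HKLM\Software\Classes\CLSID) when it resolves a class ID, so a key the malware can write without elevation redirects a component that some legitimate process loads anyway. The following triage script is an added example written for this article, not code from JPCERT/CC or any vendor; the CLSIDs and paths in its sample records are invented, and the Windows collector at the bottom is the only part that touches a real registry.

```python
"""Triage per-user COM server registrations for hijacking.

Added example for this article, not code from JPCERT/CC or any vendor. COM
hijacking relies on Windows consulting HKCU\Software\Classes\CLSID before
HKLM\Software\Classes\CLSID when it resolves a class ID: a per-user key the
malware can write redirects a component that a legitimate process loads anyway.
flag_com_hijacks() works on already-collected records so it runs anywhere;
collect_from_registry() is a Windows-only collector built on winreg. The CLSIDs
and paths in SAMPLE_RECORDS are invented for the example.
"""
from dataclasses import dataclass

# Path fragments an unprivileged user can write to. A COM server living here is
# unusual for a system component, but per-user application installs (e.g. under
# AppData\Local) do register legitimately, so treat this as a triage hint.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Extensions a legitimate in-process server normally has.
SERVER_EXTENSIONS = (".dll", ".ocx", ".ax")


@dataclass(frozen=True)
class ComServer:
    hive: str   # "HKCU" or "HKLM"
    clsid: str
    path: str   # default value of the InprocServer32 subkey


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def flag_com_hijacks(records: list[ComServer]) -> list[dict]:
    """Return HKCU registrations with at least one suspicious property."""
    machine = {r.clsid.lower(): _norm(r.path) for r in records if r.hive == "HKLM"}
    findings = []
    for r in records:
        if r.hive != "HKCU":
            continue
        path = _norm(r.path)
        reasons = []
        machine_path = machine.get(r.clsid.lower())
        if machine_path is not None and machine_path != path:
            reasons.append("shadows HKLM registration")  # the hijack signature
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("server in user-writable location")
        if not path.endswith(SERVER_EXTENSIONS):
            reasons.append("unusual extension for an in-process server")
        if reasons:
            findings.append({"clsid": r.clsid, "path": r.path, "reasons": reasons})
    return findings


def collect_from_registry() -> list[ComServer]:
    """Enumerate InprocServer32 entries from both hives (Windows only)."""
    import winreg  # imported lazily so the rest of the module runs elsewhere
    out = []
    for name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            root = winreg.OpenKey(hive, r"Software\Classes\CLSID")
        except OSError:
            continue
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as k:
                    path, _ = winreg.QueryValueEx(k, "")
                out.append(ComServer(name, clsid, str(path)))
            except OSError:
                pass  # CLSID without an in-process server
    return out


# Constructed records: a system component, the same CLSID redirected per-user to a
# ".dat" under the profile (the pattern in the article), and a benign per-user install.
SAMPLE_RECORDS = [
    ComServer("HKLM", "{11111111-1111-1111-1111-111111111111}", r"C:\Windows\System32\example.dll"),
    ComServer("HKCU", "{11111111-1111-1111-1111-111111111111}", r"C:\Users\alice\AppData\Roaming\cn.dat"),
    ComServer("HKCU", "{22222222-2222-2222-2222-222222222222}", r"C:\Users\alice\AppData\Local\Vendor\vendorshell.dll"),
    ComServer("HKLM", "{33333333-3333-3333-3333-333333333333}", r"C:\Program Files\Vendor\vendor.dll"),
]

if __name__ == "__main__":
    for f in flag_com_hijacks(SAMPLE_RECORDS):
        print(f["clsid"], f["path"], "; ".join(f["reasons"]))
```

On the sample data the redirected CLSID is reported with all three reasons, while the per-user vendor install is reported with only the location hint; that second kind of hit is common on real hosts and is why the HKLM-shadowing check, which is the actual hijack signature, should carry the most weight. On a Windows host, `flag_com_hijacks(collect_from_registry())` runs the same logic against the live registry (the WOW6432Node view is deliberately left out to keep the collector short).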
APT-C-60 is known to target East Asian countries and has been linked to other attacks in the region. The delivery method is the part that deserves attention: groups in the region keep using non-standard containers such as VHD/VHDX virtual disks to get past operating-system protections. The usual reason is that files inside a mounted virtual disk have historically not carried the Mark-of-the-Web that a directly downloaded file gets, so the shortcut inside runs without the SmartScreen or Protected View warnings that would otherwise appear; blocking or inspecting ISO, VHD and VHDX attachments and downloads at the gateway removes that advantage.
Related Information:
https://thehackernews.com/2024/11/apt-c-60-exploits-wps-office.html
https://healsecurity.com/apt-c-60-hackers-exploit-statcounter-and-bitbucket-in-spyglace-malware-campaign/
https://attack.mitre.org/groups/G0012/
https://www.kaspersky.com/resource-center/threats/darkhotel-malware-virus-threat-definition
Published: Wed Nov 27 08:46:06 2024 by llama3.2 3B Q4_K_M