The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.
That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.
"In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said.
APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.
The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk drive (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut ("Self-Introduction.lnk").
The LNK file is responsible for triggering the next steps in the infection chain, while also displaying the lure document as a distraction.
This entails launching a downloader/dropper payload named "SecureBootUEFI.dat" which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim machine using the HTTP referer field. The string value is derived from the computer name, home directory, and the user name, and is then encoded.
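A defender-side check for the Referer-based beaconing just described, added here as an example and not code from the JPCERT/CC report: it scans constructed proxy log lines (the log format, hostnames, client addresses and the token are all assumptions) and flags requests to a web-analytics host whose Referer is an opaque token rather than a URL, while treating an absent Referer as normal.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the report): timestamp, client,
# method, requested URL and the Referer header value ("-" when absent).
SAMPLE_LOG = """\
2024-08-12T09:01:03Z 10.0.0.25 GET https://statcounter.com/counter/counter.js referer=https://www.example.org/news
2024-08-12T09:01:09Z 10.0.0.25 GET https://statcounter.com/counter/counter.js referer=-
2024-08-12T09:02:41Z 10.0.0.31 GET https://statcounter.com/t.php?sc_project=1 referer=V0lOLURFU0tUT1AtQjE3X0M6XFVzZXJzXGpzbWl0aF9qc21pdGg=
2024-08-12T09:02:45Z 10.0.0.31 GET https://bitbucket.org/constructed-ws/repo/raw/main/Service.dat referer=-
2024-08-12T09:03:10Z 10.0.0.40 GET https://www.example.org/news referer=https://search.example/?q=news
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) referer=(?P<referer>\S*)$"
)

# Analytics domains whose traffic deserves a second look (assumed watch-list).
WATCHED_DOMAINS = ("statcounter.com",)


def parse_line(line):
    """Split one constructed log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def host_in_domains(host, domains):
    """Exact or sub-domain match, so 'notstatcounter.com' is not matched."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_opaque_referer(value):
    """True when the Referer is present but is not a well-formed http(s) URL.
    Browsers send a URL or nothing; an opaque token is the victim-ID pattern."""
    if value in ("", "-"):
        return False  # absent Referer is normal (referrer-policy stripping)
    p = urlparse(value)
    return not (p.scheme in ("http", "https") and p.netloc)


def find_referer_beacons(log_text, domains=WATCHED_DOMAINS):
    """Return (client, host, referer) for watched-domain requests with opaque Referers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_in_domains(rec["host"], domains) and is_opaque_referer(rec["referer"]):
            hits.append((rec["client"], rec["host"], rec["referer"]))
    return hits
```

A hit is a pivot point, not a verdict: the next step is to check the same client for follow-on downloads from code-hosting services such as Bitbucket in the minutes after the beacon.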
The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which are saved as "cn.dat" and "sp.dat," respectively.
"Service.dat" also persists "cn.dat" on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor ("sp.dat").
The backdoor, for its part, establishes contact with a command-and-control server ("103.187.26[.]176") and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.
It's worth noting that cybersecurity companies Chuangyu 404 Lab and Positive Technologies have independently reported on similar campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.
"Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims' devices," Positive Technologies said. "One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system's protective mechanisms."