CyberSecurity SEE

Actor240524 Uses Official Documents as a Weapon to Deliver Malware


In a recent turn of events in the cybersecurity realm, a newly identified Advanced Persistent Threat (APT) group, known as Actor240524, has emerged onto the scene with a targeted spear-phishing campaign aimed at Azerbaijani and Israeli diplomats. This malevolent group initiated its operation on July 1, 2024, using a deceptive Word document written in the Azerbaijani language to masquerade as official correspondence and lure unsuspecting victims into the trap.

The primary objective of this cyber incursion appears to be centered around disrupting the delicate relationship between Azerbaijan and Israel. To achieve its goals, Actor240524 has integrated two new Trojan programs, identified as ABCloader and ABCsync, into its arsenal. These Trojans are specifically designed to exfiltrate sensitive data while remaining undetected, implementing various anti-analysis countermeasures against conventional security tooling.

The attack begins with a phishing document that, when opened by the recipient, triggers embedded VBA code to decrypt and store a malicious payload disguised as a benign .log file. This payload acts as a loader, conducting system checks, evading detection, and decrypting additional components, such as a DLL. Subsequently, the DLL is loaded to establish a connection with a command-and-control (C2) server for remote control and execution of commands.

One key aspect of the ABCloader and ABCsync Trojans is their utilization of robust anti-analysis techniques. By encrypting critical components like strings and API calls, these malicious programs make it difficult for security analysts to conduct static and sandbox analysis. Furthermore, they actively monitor the system environment for signs of debugging activity, effectively thwarting dynamic analysis attempts.

The attackers behind Actor240524 have implemented advanced anti-debugging measures, encrypted communications, and registry manipulations to ensure persistence and control over infected systems. The ABCsync Trojan, in particular, communicates with the C2 server over UDP, protecting the traffic with AES-256-CBC. This Trojan is capable of executing remote commands, manipulating files, and exfiltrating data through pipe communication, receiving detailed instructions from the C2 server.

According to findings by NSFOCUS Security Labs, the threat actor behind Actor240524 leverages system information to establish communication channels for command execution, file manipulation, and error handling. The combination of hardware breakpoint detection, screen resolution analysis, process enumeration, and permission verification allows the attackers to identify and evade virtualized or sandboxed environments.

In a multi-stage attack strategy, the malicious actor deploys synchronize.exe, a loader similar to ABCloader, to ensure persistence on infected systems. Additionally, vcruntime190.dll and vcruntime220.dll are used to hijack legitimate system components, enabling continued execution of synchronize.exe. The decoy document iden.doc serves as the initial infection vector, while the C2 server at 185.23.253.143:36731 acts as the central command-and-control hub for orchestrating further malicious activities.
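To show how a defender could correlate the stages described above (the Office-dropped .log payload, the vcruntime190.dll / vcruntime220.dll sideload, and the UDP beacon to 185.23.253.143:36731), here is an added hunting sketch that is not part of the article or the NSFOCUS report. The indicators come from the article; the event shape, field names and the sample telemetry are constructed assumptions of this example.

```python
"""Correlate Actor240524 chain indicators across simplified endpoint telemetry.

Event records mimic a Sysmon-like feed (process image, image load, file create,
network connect); the field names are an assumption of this example, not a
real product schema. Sample events below are constructed, not captured logs.
"""

C2_ADDR = ("185.23.253.143", 36731)             # from the article, UDP beacon target
SIDELOAD_DLLS = {"vcruntime190.dll", "vcruntime220.dll"}  # hijacked DLL names from the article
OFFICE_HOSTS = {"winword.exe"}                   # assumed host for the iden.doc decoy


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (stage, reason) if the event matches a chain indicator, else None."""
    kind, image = event.get("type"), basename(event.get("image", ""))
    if kind == "file_create":
        target = basename(event.get("target", ""))
        # Stage 1: the phishing document's VBA writes the payload as a .log file
        if image in OFFICE_HOSTS and target.endswith(".log"):
            return ("stage1_dropper", f"{image} wrote {target}")
    elif kind == "image_load":
        dll = basename(event.get("loaded", ""))
        # Stage 2: loader (synchronize.exe) runs via hijacked vcruntime DLLs
        if dll in SIDELOAD_DLLS:
            return ("stage2_sideload", f"{image} loaded {dll}")
    elif kind == "network":
        dst = (event.get("dst_ip"), event.get("dst_port"))
        # Stage 3: ABCsync beacons to the C2 over UDP (TCP to the same IP is not matched)
        if event.get("proto", "").lower() == "udp" and dst == C2_ADDR:
            return ("stage3_c2", f"{image} -> {dst[0]}:{dst[1]}/udp")
    return None


def hunt(events):
    """Group matched stages per host so analysts can see how far the chain progressed."""
    by_host = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            by_host.setdefault(ev["host"], {})[hit[0]] = hit[1]
    return by_host


# Constructed sample telemetry: WS01 shows the full chain, WS02 only benign activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file_create", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\u\AppData\Local\Temp\update.log"},
    {"host": "WS01", "type": "image_load", "image": r"C:\Users\u\AppData\Roaming\synchronize.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\vcruntime220.dll"},
    {"host": "WS01", "type": "network", "image": r"C:\Users\u\AppData\Roaming\synchronize.exe",
     "proto": "UDP", "dst_ip": "185.23.253.143", "dst_port": 36731},
    {"host": "WS02", "type": "file_create", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\v\Documents\report.docx"},
    {"host": "WS02", "type": "network", "image": r"C:\Windows\explorer.exe",
     "proto": "udp", "dst_ip": "8.8.8.8", "dst_port": 53},
]
```

Matching on fixed names and addresses is brittle against a renamed loader or rotated C2, so in practice the stage-1 and stage-2 rules (Office writing a .log file, an unsigned executable loading a vcruntime DLL from a user-writable directory) carry more weight than the IP.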

This sophisticated cyber operation conducted by Actor240524 demonstrates the evolving capabilities of APT groups in the realm of cyber espionage and disruption. As defenders continue to adapt their security measures, threat actors are constantly innovating new techniques to evade detection and achieve their malicious objectives. It is imperative for organizations and cybersecurity professionals to remain vigilant and proactive in the face of such advanced threats.
