In August 2024, APT-C-60 orchestrated a sophisticated phishing attack aimed at domestic organizations by sending out malicious emails disguised as job applications. The emails were specifically targeted at recruitment departments within these organizations and contained malware designed to infiltrate systems and potentially extract sensitive data. This attack utilized a highly targeted phishing email strategy to distribute a malicious VHDX file that was hosted on Google Drive.
Once the VHDX file was opened and mounted, it exposed an LNK file that likely triggered the execution of malicious code, compromising the victim’s system. The malicious script embedded in the LNK file used the legitimate git.exe to launch a downloader named SecureBootUEFI.dat, which established persistence on the system by hijacking a COM interface and configuring itself to run automatically.
The SecureBootUEFI.dat downloader first contacted StatCounter, using unique device information to identify infected hosts. It then downloaded a malicious payload from Bitbucket, retrieving it from a URL path derived from the same device-specific data, and executed it locally. Service.dat, another component of the attack, downloaded two files from a different Bitbucket repository that had been obfuscated with Base64 encoding and XOR encryption, decoded them, and persisted them through COM interface hijacking.
The backdoor implanted in this attack was identified as SpyGrace v3.1.6: its version information and encryption keys matched those of a previously reported version (v3.0). The backdoor’s initialization involved loading configuration data, creating a mutex to prevent duplicate instances, and checking network connectivity with api.ipfy.org.
To further establish persistence, the backdoor executed specific file types within the user’s roaming profile directory. Because this code ran before the DllMain function, the backdoor could pre-process its initialization phase and influence the initial state of the DLL.
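Because both SecureBootUEFI.dat and Service.dat persisted through COM interface hijacking, a defender will want to triage per-user COM registrations. The following PowerShell script is an added example, not part of the JPCERT report or the malware described above: it lists HKCU CLSID server entries that either shadow a machine-wide registration in HKLM or point into a user-writable directory such as the roaming profile, the two patterns that characterize a hijack. It assumes Windows PowerShell 5.1 or later and is run as the user whose profile is being reviewed.

```powershell
# Added example: enumerate per-user COM server registrations that look like hijacks.
# Assumption: run in the context of the user under review; output is for triage,
# since some legitimate per-user installers also register CLSIDs under HKCU.

$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$Path)
    # Drop surrounding quotes and any trailing arguments, then expand %VARS%.
    $exe = [Environment]::ExpandEnvironmentVariables(($Path -replace '^"([^"]+)".*$', '$1'))
    foreach ($root in $userWritable) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($key in Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
    foreach ($server in 'InprocServer32', 'LocalServer32') {
        $sub = Join-Path $key.PSPath $server
        if (-not (Test-Path $sub)) { continue }
        # The default value of InprocServer32/LocalServer32 is the DLL or EXE that COM loads.
        $target = (Get-ItemProperty -Path $sub -ErrorAction SilentlyContinue).'(default)'
        if (-not $target) { continue }
        $clsid = $key.PSChildName
        # A per-user entry for a CLSID that also exists machine-wide takes precedence
        # for non-elevated processes, which is exactly what a hijack relies on.
        $shadowsHklm = Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\$server"
        $inUserDir = Test-UserWritablePath $target
        if ($shadowsHklm -or $inUserDir) {
            [pscustomobject]@{
                CLSID               = $clsid
                ServerType          = $server
                Target              = $target
                ShadowsMachineEntry = $shadowsHklm
                InUserWritablePath  = $inUserDir
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Entries flagged with both ShadowsMachineEntry and InUserWritablePath deserve the closest look; compare the Target against a known-good inventory before treating a hit as malicious.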
According to reports from JPCERT, recent malware campaigns, including those orchestrated by APT-C-60, have been leveraging legitimate services such as Bitbucket and StatCounter for malicious activities. The utilization of COM hijacking for persistence indicates a broader threat landscape that involves sophisticated techniques and potential espionage motives, especially in the context of attacks targeting East Asian nations.
The attack on East Asia illustrates the evolving nature of cyber threats and the use of legitimate services as a cover for malicious activities. By leveraging services like Bitbucket and StatCounter, attackers can disguise their intentions and deliver harmful payloads using common infrastructure. This underscores the importance of vigilance and robust cybersecurity measures to defend against such advanced threats.
In conclusion, the APT-C-60 phishing attack in August 2024 highlights the growing sophistication of cyber threats and the need for organizations to remain vigilant and proactive in defending against such attacks. By understanding the tactics and techniques employed by threat actors and staying informed about the latest cybersecurity trends, organizations can better protect themselves and mitigate the risks associated with targeted phishing campaigns.