The recent cyber attack against organizations in Japan has been confirmed by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). This attack is believed to have been perpetrated by the cyber espionage group APT-C-60. The attackers utilized phishing techniques, posing as a job applicant, to infiltrate the victim’s system and deploy advanced malware.
The attack commenced with a targeted phishing email sent to the recruitment contact point of the targeted organization. The email contained a Google Drive link that, upon access, led to the download of a malicious VHDX file (a virtual hard disk image format). Mounting the VHDX file revealed several components, including decoy documents and an LNK file titled “Self-Introduction.lnk.” This LNK file abused the legitimate git.exe executable to run a script (IPML.txt) that opened a decoy document, created a downloader named SecureBootUEFi.dat, and established persistence through COM hijacking.
The downloader, SecureBootUEFi.dat, identified the device and fetched secondary payloads from Bitbucket, such as a file named Service.dat. These files were then decoded, saved, and executed via COM hijacking, ultimately deploying a backdoor known as SpyGrace (version 3.1.6) for continued access to the compromised system.
This attack shows similarities with previous campaigns observed from August to September 2024, targeting organizations in Japan, South Korea, and China. There is a pattern of abuse of legitimate services like Bitbucket and StatCounter, as well as the use of COM hijacking for persistence. Decoy documents found in the recycle bin of the VHDX file indicate tailored phishing emails for these specific regions.
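As an added, defender-side illustration (not code from the JPCERT/CC report or from this summary), the Python below runs three hunting heuristics drawn from the chain described above over constructed, Sysmon-style sample events: git.exe launched directly from Explorer (as a double-clicked LNK would do), creation of the file names the report cites, and a per-user CLSID InprocServer32 override pointing into a user-writable path (the COM hijacking persistence). The event format, field names, sample paths and the all-zero CLSID are assumptions made for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, modelled loosely on Sysmon event types
# (1 = process create, 11 = file create, 13 = registry value set).
# None of these lines is from the JPCERT/CC report; all values are made up,
# and the CLSID is an all-zero placeholder, not a real hijacked class.
SAMPLE_EVENTS = [
    r'id="1" image="C:\Program Files\Git\cmd\git.exe" parent="C:\Windows\explorer.exe" cmd="git.exe IPML.txt"',
    r'id="11" path="C:\Users\alice\AppData\Roaming\SecureBootUEFi.dat"',
    r'id="13" key="HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32" data="C:\Users\alice\AppData\Roaming\Service.dat"',
    r'id="1" image="C:\Program Files\Git\cmd\git.exe" parent="C:\Program Files\JetBrains\idea64.exe" cmd="git.exe status"',
    r'id="13" key="HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32" data="C:\Windows\System32\shell32.dll"',
]

# File names taken from the campaign description above.
REPORTED_NAMES = {"self-introduction.lnk", "ipml.txt", "securebootuefi.dat", "service.dat"}
# Per-user COM registration; a hijack lands here because HKCU is consulted before HKLM.
COM_HIJACK_KEY = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32$")
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key="value" record into a dict (assumed log format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    hits = []
    if ev.get("id") == "1" and basename(ev.get("image", "")) == "git.exe" \
            and basename(ev.get("parent", "")) == "explorer.exe":
        # git.exe started straight from Explorer rather than by a shell, IDE
        # or CI agent: matches the LNK-driven git.exe abuse described above.
        hits.append("git_exe_from_explorer")
    if ev.get("id") == "11" and basename(ev.get("path", "")) in REPORTED_NAMES:
        hits.append("reported_filename_created")
    if ev.get("id") == "13" and COM_HIJACK_KEY.match(ev.get("key", "")) \
            and USER_WRITABLE.search(ev.get("data", "")):
        # Per-user CLSID override whose server lives in a user-writable path.
        hits.append("com_hijack_inprocserver32")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; returns (rule, line) pairs."""
    return [(rule, line) for line in lines for rule in evaluate(parse_event(line))]


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The two benign lines (git.exe under an IDE, and a system-path HKLM registration) produce no alert, which is the false-positive behaviour a hunt query of this shape needs before it is deployed at scale.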
Security Operations Center (SOC) and Digital Forensics and Incident Response (DFIR) teams are advised to collect indicators of compromise detailed in the technical report to enhance their defenses against such cyber threats.
This attack highlights the evolving tactics of such threat actors and the importance of cybersecurity measures to protect organizations from advanced threats. It serves as a reminder for businesses to stay vigilant and implement robust security controls to safeguard their systems and sensitive information from malicious actors.