
APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.

That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.

"In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said.

APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.


The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut ("Self-Introduction.lnk").


The LNK file is responsible for triggering the next steps in the infection chain, while also displaying the lure document as a distraction.

This involves launching a downloader/dropper payload named "SecureBootUEFI.dat" which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device via the HTTP Referer field. The string value is derived from the computer name, home directory, and user name, and is then encoded.

SpyGlace Backdoor

The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository, "cbmp.txt" and "icon.txt," which are saved as "cn.dat" and "sp.dat," respectively.

"Service.dat" also persists "cn.dat" on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor ("sp.dat").

The backdoor, for its part, establishes contact with a command-and-control server ("103.187.26[.]176") and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.
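The chain described above leaves three network traces a defender can look for in proxy logs: a StatCounter request whose Referer is an opaque identifier rather than a page URL, a Bitbucket download of one of the named staging files, and contact with the C2 address. The following triage script is an added example written for this article and is not code from JPCERT/CC or any of the vendors mentioned. The log line format, the sample lines, the 48-character Referer threshold, and the use of base64 to build a realistic-looking sample token are all constructed assumptions; the article does not state how the identifier is encoded, and the script does not need to decode it.

```python
"""Added example: proxy-log triage for the SpyGlace delivery chain.

Not from the JPCERT/CC report. Log format, sample lines and thresholds are
constructed for this illustration.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator from the article (printed defanged there as 103.187.26[.]176).
C2_HOSTS = {"103.187.26.176"}

# Staging file names given in the article. Bitbucket traffic is common, so a
# hit here is a lead to correlate with host telemetry, not proof on its own.
STAGING_NAMES = {"Service.dat", "cbmp.txt", "icon.txt"}

# Assumption: a browser's Referer is the referring page URL. A single bare
# token of this length sent to an analytics endpoint is what the downloader's
# encoded host identifier would look like.
MIN_OPAQUE_REFERER_LEN = 48

# Constructed log layout: "<timestamp> <source-ip> <method> <url> referer=\"...\""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) referer="(?P<ref>[^"]*)"$'
)


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def parse(line):
    """Return the log fields as a dict, or None if the line does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_opaque_token(ref):
    """True when the Referer is a long bare token with no URL scheme."""
    return bool(ref) and "://" not in ref and " " not in ref and len(ref) >= MIN_OPAQUE_REFERER_LEN


def check_line(line_no, rec):
    """Apply the three rules to one parsed log record."""
    findings = []
    url = urlparse(rec["url"])
    host = (url.hostname or "").lower()
    if host in C2_HOSTS:
        findings.append(Finding("c2-contact", line_no, host))
    if host.endswith("statcounter.com") and looks_like_opaque_token(rec["ref"]):
        findings.append(Finding("analytics-referer-beacon", line_no, rec["ref"][:16] + "..."))
    if host.endswith("bitbucket.org") and url.path.rsplit("/", 1)[-1] in STAGING_NAMES:
        findings.append(Finding("bitbucket-staging-file", line_no, url.path))
    return findings


def triage(lines):
    """Run every rule over every parsable line; unparsable lines are skipped."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        rec = parse(line)
        if rec:
            findings.extend(check_line(line_no, rec))
    return findings


# Constructed sample identifier: the article says the string is built from the
# computer name, home directory and user name; base64 is assumed here only to
# make the sample look realistic. urlsafe variant so the token has no "/".
_SAMPLE_ID = base64.urlsafe_b64encode(
    b"CONSTRUCTED-WS07|C:\\Users\\taro.tanaka|taro.tanaka"
).decode()

SAMPLE_LOG = [
    # Ordinary analytics hit from a browser: Referer is a page URL.
    '2024-08-12T09:14:01Z 10.0.0.21 GET https://c.statcounter.com/t.php?sc_project=1 referer="https://www.example.com/blog/post"',
    # Downloader beacon: Referer carries the encoded host identifier.
    f'2024-08-12T09:14:02Z 10.0.0.21 GET https://c.statcounter.com/t.php?sc_project=1 referer="{_SAMPLE_ID}"',
    # Next-stage fetch of a staging file named in the article.
    '2024-08-12T09:14:05Z 10.0.0.21 GET https://bitbucket.org/constructed-ws/repo/raw/main/Service.dat referer=""',
    # Benign Bitbucket traffic for comparison.
    '2024-08-12T09:20:00Z 10.0.0.33 GET https://bitbucket.org/constructed-ws/repo/raw/main/README.md referer=""',
    # Backdoor contacting the C2 address.
    '2024-08-12T09:15:10Z 10.0.0.21 GET http://103.187.26.176/ referer=""',
    # Line that does not fit the layout; parse() returns None and it is skipped.
    "proxy heartbeat ok",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Run over the constructed sample, the script reports the beacon on line 2, the staging download on line 3 and the C2 contact on line 5, and stays silent on the benign analytics and Bitbucket requests. In practice, a hit on the StatCounter or Bitbucket rule is a pivot point: check the same host for a recently mounted VHDX, the "Self-Introduction.lnk" shortcut, the "SecureBootUEFI.dat" or "Service.dat" files, and new COM registrations pointing at "cn.dat", which is where this chain persists.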


It's worth noting that cybersecurity companies Chuangyu 404 Lab and Positive Technologies have independently reported on identical campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.


"Groups from the Asia region continue to use non-standard methods to deliver their malware to victims' devices," Positive Technologies said. "One of these methods is the use of virtual disks in VHD/VHDX format to bypass the operating system's protective mechanisms."
