A cyber-attack targeting Japanese and other East Asian organizations, suspected to be orchestrated by the threat group APT-C-60, has been uncovered.
First identified in August 2024, the attack involved phishing emails disguised as job applications to infiltrate recruitment departments, delivering malware through malicious links hosted on legitimate platforms such as Google Drive.
Attack Chain and Techniques
According to a new advisory published by JPCERT on Tuesday, the attack began with a phishing email containing a Google Drive link.
This link downloaded a VHDX file – a virtual disk format – onto the victim's system. Inside the file, a malicious LNK shortcut file named Self-Introduction.lnk executed a payload using a legitimate executable, git.exe. The payload then dropped a downloader, SecureBootUEFI.dat, and achieved persistence through a COM hijacking technique.
Further analysis revealed that the downloader connected to two legitimate services:
- StatCounter, for identifying infected devices using unique encoded data such as computer names
- Bitbucket, to retrieve and execute additional payloads
The malware used encoded data strings in URLs and XOR keys to obfuscate its communication and payload operations.
Backdoor and Persistence Mechanisms
The final payload, first identified as SpyGrace by ESET researchers in August, is a backdoor. This variant, version 3.1.6, is initialized by executing several commands, including verifying network connectivity and launching files from specific directories.
The backdoor also employs advanced techniques, such as using initterm functions to execute malicious operations before the main program begins.
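The COM hijacking persistence described above relies on a per-user CLSID registration taking precedence over the machine-wide one, so a defender can hunt for InprocServer32 values written under HKCU (or HKU\S-1-5-21-...) that point at a DLL in a user-writable location. The following is an added example for illustration, not code from JPCERT or from the campaign analysis; the events are constructed Sysmon-style records, the CLSID is an all-zero placeholder (the report excerpt does not name the hijacked CLSID), and the file path is assumed.

```python
import re

# Matches InprocServer32 (default) values under a per-user CLSID hive, which is
# where COM hijacking lands because HKCU\Software\Classes is consulted before HKLM.
COM_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\"
    r"\{[0-9a-f-]{36}\}\\InprocServer32(\\\(Default\))?$",
    re.IGNORECASE,
)

# Directory markers that indicate a location a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed sample events (hypothetical, for demonstration only).
SAMPLE_EVENTS = [
    {  # Per-user CLSID pointing at a payload in AppData: flag it.
        "event": "RegistryValueSet",
        "image": "C:\\Program Files\\Git\\cmd\\git.exe",
        "key": "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}"
               "\\InprocServer32\\(Default)",
        "value": "C:\\Users\\alice\\AppData\\Roaming\\SecureBootUEFI.dat",
    },
    {  # Machine-wide registration by an installer: normal, not flagged.
        "event": "RegistryValueSet",
        "image": "C:\\Windows\\System32\\msiexec.exe",
        "key": "HKLM\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}"
               "\\InprocServer32\\(Default)",
        "value": "C:\\Program Files\\Vendor\\component.dll",
    },
    {  # Unrelated process-creation event: ignored.
        "event": "ProcessCreate",
        "image": "C:\\Windows\\explorer.exe",
    },
]


def is_user_writable(path):
    """True when the DLL path lives somewhere a non-admin user can write."""
    p = path.lower().strip('"')
    return any(marker in p for marker in USER_WRITABLE)


def is_com_hijack_candidate(ev):
    """Flag per-user InprocServer32 values that point into user-writable paths."""
    if ev.get("event") != "RegistryValueSet":
        return False
    if not COM_KEY_RE.match(ev.get("key", "")):
        return False
    return is_user_writable(ev.get("value", ""))


def triage(events):
    """Return the subset of events worth an analyst's attention."""
    return [ev for ev in events if is_com_hijack_candidate(ev)]
```

A hit should be enriched with the writing process (here the `image` field) since a legitimate developer tool such as git.exe setting COM registrations is itself unusual.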
Regional Implications and Broader Campaign
Evidence suggests this campaign targeted organizations in Japan, South Korea and China. The use of decoy documents within the VHDX files aligns with other campaigns observed in East Asia between August and September 2024.
These campaigns consistently exploit legitimate services like Bitbucket for malware delivery and use sophisticated persistence techniques, highlighting the evolving tactics of APT-C-60.
According to JPCERT, this campaign demonstrates the risks posed by cybercriminals abusing trusted services. Organizations are urged to monitor recruitment channels, scrutinize unsolicited links and deploy advanced threat detection mechanisms to mitigate similar risks.