Introduction
In August 2024 [1] [2] [3] [4] [5] [7] [8], a cyber-attack orchestrated by the threat group APT-C-60 emerged as a significant threat to organizations in Japan and other East Asian countries, including South Korea and China [1] [6] [7]. This attack utilized a sophisticated phishing campaign to infiltrate recruitment departments, posing a substantial risk to targeted entities.
Description
The threat group APT-C-60 has emerged as a significant threat actor, targeting organizations in Japan and other East Asian countries [1] [3] [7] [8], including South Korea and China [1] [6] [7]. First identified in August 2024 [1] [3], the attack involved a sophisticated phishing campaign that used a job application-themed lure: emails disguised as job applications were sent to recruitment departments. These emails contained links to malicious files hosted on trusted platforms such as Google Drive [1], Bitbucket [2] [4] [5] [6] [7] [8], and StatCounter [2] [4] [5] [6] [8], which made the operation harder to detect and increased its likelihood of success [5].
The attack chain commenced with a phishing email leading to the download of a VHDX file. Within this file, a malicious Windows shortcut labeled “Self-Introduction.lnk” was revealed [1], which executed a payload using the legitimate executable git.exe [1] [7]. This payload generated a downloader named SecureBootUEFI.dat [1], establishing persistence through a COM hijacking technique [1] [7]. The downloader connected to two legitimate services and accessed StatCounter to identify infected devices [7], transmitting an encoded string for device identification.
Subsequently, the downloader retrieved additional payloads from Bitbucket, including a file named “Service.dat,” which facilitated the installation of the SpyGlace backdoor (version 3.1.6) on the compromised host. SpyGlace is a backdoor that gives attackers unauthorized access to systems, enabling them to steal sensitive information and monitor activity discreetly [5]. It is capable of executing multiple commands, including network connectivity checks and launching files from specific directories [7]. The malware establishes a connection to a Command-and-Control server and awaits further instructions to steal files and execute commands. It employs advanced techniques [7], such as initterm functions [7], to perform malicious operations prior to the main program’s execution [7], and uses encoded data strings and XOR keys to obfuscate its communications and operations [7].
During its initialization [8], SpyGlace performs several critical actions [8], including reading a configuration file [8], creating a unique mutex to prevent multiple instances [8], and executing files with specific extensions found in designated directories [8]. Recent campaigns have shown a pattern of targeting through decoy documents in VHDX files, consistent with other observed malware targeting East Asian countries during the same period [1]. This incident underscores the evolving tactics of cyber attackers and the significant threat they pose to organizations [5], highlighting the risks associated with cybercriminals exploiting trusted platforms for malware delivery.
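The attack chain described above (a shortcut launched from a mounted VHDX that runs git.exe, a downloader persisted by COM hijacking, and check-ins to StatCounter and Bitbucket) maps onto three telemetry signals a defender can hunt for. The following is an added example, not code from any of the cited reports: it runs three simple rules over constructed Sysmon-like events and escalates hosts where more than one stage of the chain fired. The event field names, the all-zero CLSID, drive letters and the allow-lists are assumptions chosen for the example; the registry location checked is the standard per-user COM hijacking path, which the reports do not spell out.

```python
"""Hunting rules for the APT-C-60 chain over constructed endpoint telemetry.

Added example (assumed event shape, constructed sample data); none of the
values below are indicators taken from the cited reports.
"""
import re
from collections import defaultdict

# Trusted platforms the campaign used for check-ins and payload hosting.
BEACON_HOSTS = {"statcounter.com", "bitbucket.org"}
# Processes that legitimately talk to those hosts (assumed allow-list).
BENIGN_NET_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe"}
# Standard per-user COM hijacking location: HKCU\Software\Classes\CLSID\{GUID}\InprocServer32
COM_INPROC = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32", re.I
)

# Constructed sample telemetry (not real logs). hr-pc-01 shows all three
# stages; dev-pc-02 shows benign git and browser activity only.
SAMPLE_EVENTS = [
    {"host": "hr-pc-01", "type": "process", "pid": 4120,
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent_image": r"C:\Windows\explorer.exe"},            # shortcut double-click
    {"host": "hr-pc-01", "type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "value": r"C:\Users\hr\AppData\Local\SecureBootUEFI.dat"},  # placeholder CLSID
    {"host": "hr-pc-01", "type": "network", "pid": 4101,
     "image": r"C:\Windows\explorer.exe", "dest_host": "c.statcounter.com"},
    {"host": "dev-pc-02", "type": "process", "pid": 7001,
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},        # normal git use
    {"host": "dev-pc-02", "type": "network", "pid": 7001,
     "image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "bitbucket.org"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_lnk_git_proxy(ev):
    """git.exe started directly by explorer.exe, i.e. via a shortcut rather than a shell."""
    return (ev["type"] == "process"
            and basename(ev["image"]) == "git.exe"
            and basename(ev.get("parent_image", "")) == "explorer.exe")


def rule_com_hijack(ev):
    """Per-user InprocServer32 value pointing at a .dat file (COM hijacking persistence)."""
    return (ev["type"] == "registry"
            and COM_INPROC.match(ev["key"]) is not None
            and ev["value"].lower().endswith(".dat"))


def rule_beacon(ev):
    """Connection to a trusted-platform host from a process that has no business there."""
    if ev["type"] != "network":
        return False
    dest = ev["dest_host"].lower()
    hits_platform = any(dest == h or dest.endswith("." + h) for h in BEACON_HOSTS)
    return hits_platform and basename(ev["image"]) not in BENIGN_NET_IMAGES


RULES = {
    "lnk_git_proxy": rule_lnk_git_proxy,
    "com_hijack_persistence": rule_com_hijack,
    "beacon_trusted_platform": rule_beacon,
}


def hunt(events):
    """Return {host: [(rule_name, pid), ...]} for every event that matched a rule."""
    findings = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings[ev["host"]].append((name, ev.get("pid")))
    return dict(findings)


def score(findings):
    """Number of distinct chain stages seen per host; 2 or more warrants escalation."""
    return {host: len({name for name, _ in hits}) for host, hits in findings.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, stages in score(found).items():
        print(f"{host}: {stages} stage(s) of the chain observed -> {found[host]}")
```

The rules are deliberately independent so that a single one firing (a developer running git, a browser visiting Bitbucket) stays below the escalation threshold; it is the co-occurrence of the shortcut-launched git.exe, the per-user COM registration and the out-of-place beacon on one host that reproduces the chain the reports describe.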
Conclusion
The APT-C-60 cyber-attack highlights the evolving tactics of cybercriminals and the significant threat they pose to organizations [5]. To mitigate risks associated with such sophisticated threats [1] [5], organizations are advised to monitor recruitment channels [1] [7], scrutinize unsolicited links [1] [3] [7], adopt comprehensive security measures [5], focus on employee training [5], and implement robust security protocols [5]. These steps are crucial in enhancing security posture against similar threats in the future.
References
[1] https://osintcorp.net/attack-group-apt-c-60-targets-japan-using-trusted-platforms/
[2] https://cyber.vumetric.com/security-news/2024/11/27/apt-c-60-hackers-exploit-statcounter-and-bitbucket-in-spyglace-malware-campaign/
[3] https://www.newsminimalist.com/articles/apt-c-60-launches-cyber-attack-on-japan-using-phishing-emails-and-malware-739b95af
[4] https://www.it-boltwise.de/apt-c-60-nutzt-schwachstelle-in-wps-office-zur-verbreitung-von-spyglace-backdoor.html
[5] https://krofeksecurity.com/defend-against-apt-c-60-wps-office-vuln/
[6] https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html
[7] https://www.infosecurity-magazine.com/news/aptc60-targets-japan-using-trusted/
[8] https://cyberpress.org/apt-c-60-targets-hr-with-weaponized-resumes/