China-linked APT17 Targets Italian Companies with 9002 RAT Malware

Summary:
A China-linked threat actor, APT17, has been observed targeting Italian companies and government entities using a variant of the known malware 9002 RAT. According to an analysis published last week by Italian cybersecurity company TG Soft, the attacks took place on June 24 and July 2, 2024. In these campaigns, the threat actors employed spear-phishing techniques: the first attack used an Office document, while the second contained a link. Both campaigns invited victims to install a fake Skype for Business package from a domain resembling that of an Italian government site, which ultimately delivered the 9002 RAT malware.

APT17, also known by aliases such as Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, was first documented by Google-owned Mandiant (then FireEye) in 2013. The group is known for cyber espionage operations like DeputyDog and Ephemeral Hydra, which exploited zero-day flaws in Microsoft's Internet Explorer to breach high-value targets. APT17 shares some tooling overlap with another threat actor, Webworm.

The 9002 RAT, also known as Hydraq and McRAT, gained notoriety during Operation Aurora in 2009, which targeted Google and other major companies. It was also used in a 2013 campaign named Sunshop, where attackers injected malicious redirects into several websites. This trojan is modular, featuring capabilities such as network traffic monitoring, screenshot capturing, file enumeration, process management, and executing additional commands from a remote server.

Security Officer Comments:
In the recent attack chains, victims were tricked into clicking a link that led to the download of an MSI installer for Skype for Business ("SkypeMeeting.msi"). Launching this installer executed a Java archive (JAR) file via a Visual Basic Script (VBS), while also installing the legitimate chat software on the Windows system. The Java application then decrypted and executed the shellcode responsible for launching 9002 RAT.
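The execution chain above (MSI installer launching a VBS script host that in turn launches a JAR) is a parent/child sequence a defender can hunt for in process-creation telemetry. The following is an added example, not code from TG Soft or The Hacker News: it walks constructed process events and flags any msiexec.exe -> wscript/cscript -> java/javaw chain with a .jar on the command line. The process names, PIDs and paths are assumptions about how such a chain would appear in Sysmon or EDR logs, not indicators from the report.

```python
"""Hunt for an MSI -> VBS -> JAR execution chain in constructed Windows
process-creation events (added example, not TG Soft code)."""

# Constructed sample events: (pid, ppid, image, command line).
# The layout (msiexec spawning the script host directly) is an assumption
# about how an MSI custom action shows up in telemetry; adjust to your EDR.
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "msiexec.exe", "msiexec.exe /i C:\\Users\\u\\Downloads\\SkypeMeeting.msi"),
    (300, 200, "wscript.exe", "wscript.exe C:\\ProgramData\\setup\\run.vbs"),
    (400, 300, "java.exe", "java.exe -jar C:\\ProgramData\\setup\\update.jar"),
    (500, 100, "msiexec.exe", "msiexec.exe /i C:\\Temp\\legit.msi"),  # benign install
    (600, 500, "lync.exe", "lync.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}


def find_msi_vbs_jar_chains(events):
    """Return (msi_pid, script_pid, java_pid, java_cmdline) for every chain
    msiexec -> script host -> java where the java command line names a .jar."""
    by_pid = {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        # Start from the Java process and walk two levels up the tree.
        if image not in JAVA_HOSTS or ".jar" not in cmd.lower():
            continue
        parent = by_pid.get(ppid)
        if parent is None or parent[1] not in SCRIPT_HOSTS:
            continue
        grandparent = by_pid.get(parent[0])
        if grandparent is None or grandparent[1] != "msiexec.exe":
            continue
        hits.append((parent[0], ppid, pid, cmd))
    return hits


if __name__ == "__main__":
    for chain in find_msi_vbs_jar_chains(SAMPLE_EVENTS):
        print("suspicious chain (msi pid, script pid, java pid, cmd):", chain)
```

Only the first msiexec tree is flagged; the second install, which spawns the chat client directly, does not match.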

TG Soft noted that the malware is continually updated, including diskless variants that reduce the risk of detection. The various modules of 9002 RAT are activated as needed by the threat actor to minimize interception and enhance the malware's stealth and effectiveness.

IOCs:
https://www.tgsoft.it/news/news_archivio.asp

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:

  1. Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  2. Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  3. Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  4. Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.


Link(s):
https://thehackernews.com/2024/07/china-linked-apt17-targets-italian.html