APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

Summary:
APT-C-60, the moniker assigned to a South Korea-aligned cyber espionage group, has been linked to a cyber attack targeting an unnamed organization in Japan. The attack leveraged a job application-themed lure to deliver the SpyGlace backdoor. According to findings from JPCERT/CC, the intrusion utilized legitimate services like Google Drive, Bitbucket, and StatCounter and was carried out around August 2024.

In this campaign, the threat actor sent an email purporting to be from a prospective employee to the organization's recruiting contact. The same group had been observed in August 2024 exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop SpyGlace; in the intrusion analyzed by JPCERT/CC, the documented chain began with a phishing email containing a link to a file hosted on Google Drive. That file was a virtual hard disk image (VHDX) which, once downloaded and mounted, presented a decoy document and a Windows shortcut file named "Self-Introduction.lnk."

The LNK file triggered the subsequent steps of the infection chain while opening the decoy document to distract the victim. The downloader it launched, "SecureBootUEFI.dat," abused StatCounter, a legitimate web analytics service, to report a string uniquely identifying the victim device: the string, an encoding derived from the computer name, home directory, and username, was placed in the HTTP Referer header of a request to StatCounter, where the service records it as a referrer in the statistics of the attacker-controlled counter.
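The pattern above, a request to a legitimate analytics endpoint whose Referer is an identifier rather than a web page, is huntable in web-proxy logs. The script below is an added example written for this summary, not code from JPCERT/CC or from the campaign; the log field order, the sample lines and the heuristics (a Referer that is not an http(s) URL, a Referer "host" with no dot or built from a long base64/hex-style token, a non-browser User-Agent) are assumptions, since the actual encoding of the victim string is not documented here.

```python
"""Hunt web-proxy logs for StatCounter requests whose Referer carries an
identifier instead of a page URL, the behaviour described for SecureBootUEFI.dat.
Added example: the log layout, the sample lines and the heuristics are
assumptions, not the campaign's actual encoding or JPCERT/CC's tooling."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: timestamp, client, method, URL, status, "referer", "user-agent".
# Lines 3 and 4 imitate a beacon that smuggles an encoded host/user string in the Referer.
SAMPLE_LOG = """\
2024-08-20T09:12:01Z 10.0.0.15 GET https://c.statcounter.com/12345678/0/abcdef12/1/ 200 "https://www.example-blog.test/posts/hello" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0"
2024-08-20T09:12:03Z 10.0.0.15 GET https://www.example-blog.test/posts/hello 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0"
2024-08-20T09:14:10Z 10.0.0.42 GET https://c.statcounter.com/12345678/0/abcdef12/1/ 200 "REVTS1RPUC1YWVo7QzpcVXNlcnNcamRvZTtqZG9l" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0"
2024-08-20T09:14:11Z 10.0.0.42 GET https://c.statcounter.com/12345678/0/abcdef12/1/ 200 "https://REVTS1RPUC1YWVo7QzpcVXNlcnNcamRvZTtqZG9l/" "WinHTTP/1.0"
2024-08-20T09:15:00Z 10.0.0.77 GET https://c.statcounter.com/12345678/0/abcdef12/1/ 200 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# A long run of base64/hex-style characters with no URL structure.
TOKEN_RE = re.compile(r'^[A-Za-z0-9+/=_-]{24,}$')


@dataclass(frozen=True)
class Finding:
    line: int
    client: str
    referer: str
    reasons: tuple


def is_statcounter(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host == "statcounter.com" or host.endswith(".statcounter.com")


def referer_reasons(referer: str) -> list:
    """Explain why a Referer sent to an analytics endpoint does not look like a page."""
    if referer in ("", "-"):
        return []  # browsers legitimately strip the Referer; no signal on its own
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        reasons = ["referer is not an http(s) URL"]
        if TOKEN_RE.match(referer):
            reasons.append("referer looks like an encoded token")
        return reasons
    host = parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    reasons = []
    if "." not in host:
        reasons.append("referer host has no dot, so it is not a public web page")
    if TOKEN_RE.match(host):
        reasons.append("referer host looks like an encoded token")
    return reasons


def scan(log_text: str) -> list:
    """Return one Finding per StatCounter request with an anomalous Referer or client."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or not is_statcounter(m["url"]):
            continue
        reasons = referer_reasons(m["referer"])
        if not m["ua"].startswith("Mozilla/"):
            reasons.append("non-browser user-agent")  # weak alone, strong with the above
        if reasons:
            findings.append(Finding(lineno, m["client"], m["referer"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line} client {f.client}: {'; '.join(f.reasons)}")
```

An empty Referer is deliberately not treated as a signal, because browsers with a strict referrer policy send StatCounter requests without one; the strong signals are a Referer that does not parse as a web page at all, and a tracking request made by something other than a browser.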

Analyst Comments:
APT-C-60 is known to target East Asian countries and use highly sophisticated techniques to deliver its malware. The use of legitimate services in the attack, such as Google Drive for file hosting, StatCounter for victim identification, and Bitbucket for retrieving malware payloads, demonstrates the group's ability to exploit trusted platforms to avoid detection.

Using the encoded victim string, the downloader then fetched the next stage, a file called "Service.dat," from Bitbucket. "Service.dat" downloaded two further artifacts, "cbmp.txt" and "icon.txt," from a separate Bitbucket repository and saved them as "cn.dat" and "sp.dat," respectively. It persisted "cn.dat" through COM hijacking, registering it in place of a legitimate COM server so that it is loaded whenever that component is instantiated; "cn.dat" in turn loads and executes the SpyGlace backdoor ("sp.dat").
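A COM hijack of the kind described above leaves a recognizable trace: a per-user InprocServer32 or LocalServer32 key under HKCU\Software\Classes\CLSID that points at a file in a user-writable directory, often with a non-DLL extension such as ".dat," and that shadows a CLSID also registered machine-wide under HKLM. The hunt below is an added example written for this summary, not JPCERT/CC's tooling or anything recovered from the campaign; the .reg text, CLSIDs and paths are constructed, and the three scoring signals are a generic COM-hijack heuristic rather than the indicators of this specific intrusion.

```python
"""Hunt a registry export for per-user COM server registrations that hijack a
machine-wide CLSID, the persistence technique described for cn.dat.
Added example: the .reg text, CLSIDs and paths below are constructed, and the
heuristics are a generic COM-hijack hunt, not JPCERT/CC's analysis tooling.
Real input:  reg export HKCU\\Software\\Classes\\CLSID hkcu.reg  (plus the HKLM
counterpart), read with encoding="utf-16", concatenated, and passed to hunt_com_hijacks()."""
import ntpath
import re
from dataclasses import dataclass

# Constructed export. The first CLSID is a system component whose HKCU twin points
# at a user-writable, non-.dll file; the second is an ordinary per-user application.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\jdoe\\AppData\\Roaming\\Service\\cn.dat"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\LocalServer32]
@="\"C:\\Users\\jdoe\\AppData\\Local\\Programs\\PerUserApp\\app.exe\" -Embedding"
"""

# "name"="value" or @="value"; REG_SZ only, with the \\ and \" escapes used by .reg files.
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<value>(?:[^"\\]|\\.)*)"$')
CLSID_KEY_RE = re.compile(
    r'^(?P<hive>HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\CLSID\\'
    r'(?P<clsid>\{[0-9a-f-]{36}\})\\(?P<server>InprocServer32|LocalServer32)$',
    re.IGNORECASE)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SHADOW = "per-user key shadows a machine-wide CLSID"


@dataclass(frozen=True)
class ComFinding:
    clsid: str
    server_key: str
    path: str
    reasons: tuple


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} from REGEDIT5-format text (REG_SZ values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m["name"] is None else m["name"]
            keys[current][name] = m["value"].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def server_path(value: str) -> str:
    """Extract the binary path from a server value, dropping LocalServer32 arguments."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", v, maxsplit=1)[0]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith("\\\\") or any(marker in p for marker in USER_WRITABLE_MARKERS)  # UNC or profile dirs


def hunt_com_hijacks(reg_text: str) -> list:
    """Score every HKCU COM server registration against the HKLM CLSIDs in the same export."""
    keys = parse_reg_export(reg_text)
    machine_clsids, user_servers = set(), {}
    for key, values in keys.items():
        m = CLSID_KEY_RE.match(key)
        if not m:
            continue
        clsid = m["clsid"].lower()
        if m["hive"].upper() == "HKEY_LOCAL_MACHINE":
            machine_clsids.add(clsid)
        else:
            user_servers[(clsid, m["server"])] = values.get("(Default)", "")
    findings = []
    for (clsid, server), value in user_servers.items():
        path = server_path(value)
        reasons = []
        if clsid in machine_clsids:
            reasons.append(SHADOW)
        if is_user_writable(path):
            reasons.append("server binary lives in a user-writable location")
        if ntpath.splitext(path)[1].lower() not in (".dll", ".exe", ".ocx"):
            reasons.append("server binary has a non-executable extension")
        if reasons:
            findings.append(ComFinding(clsid, server, path, tuple(reasons)))
    return findings


def likely_hijacks(findings: list) -> list:
    """Shadowing a machine-wide CLSID is decisive on its own; otherwise require two signals."""
    return [f for f in findings if SHADOW in f.reasons or len(f.reasons) >= 2]


if __name__ == "__main__":
    for f in likely_hijacks(hunt_com_hijacks(SAMPLE_REG)):
        print(f"{f.clsid} {f.server_key} -> {f.path}: {'; '.join(f.reasons)}")
```

Per-user applications legitimately register COM servers under HKCU from %LOCALAPPDATA%, which is why a user-writable path alone is not reported; the decisive signal is an HKCU key that shadows a CLSID already registered under HKLM, since that is exactly what makes the hijacked component load the attacker's file instead of the system's.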

Once active, the SpyGlace backdoor established contact with a command-and-control server ("103.187.26[.]176") to await instructions. These instructions included stealing files, loading additional plugins, and executing commands, showcasing the malware's versatility in achieving cyber espionage objectives.

Cybersecurity firms Chuangyu 404 Lab and Positive Technologies have independently reported similar campaigns delivering the SpyGlace malware. Their findings highlighted evidence linking APT-C-60 and APT-Q-12 (also known as Pseudo Hunter) to the DarkHotel cluster, a group known for targeting entities in the Asia-Pacific region. Positive Technologies noted that these groups use non-standard techniques, such as delivering payloads inside virtual disk files in VHD/VHDX format, to bypass operating system protective mechanisms: files extracted from a mounted virtual disk do not carry the Mark-of-the-Web that would otherwise trigger SmartScreen and Protected View warnings.

Suggested Corrections:

  1. Apply Security Updates:
    • Patch the WPS Office vulnerability (CVE-2024-7262) immediately.
    • Regularly update all software to mitigate potential exploits.
  2. Email Security and Awareness:
    • Educate employees to recognize phishing emails, particularly those mimicking job applications.
    • Use email filtering to block malicious links and attachments.
  3. Endpoint and Network Monitoring:
    • Deploy endpoint detection and response (EDR) tools and alert on COM hijacking indicators (new InprocServer32 or LocalServer32 registrations under HKCU\Software\Classes\CLSID, especially ones that shadow a CLSID registered under HKLM), on LNK files executed from a mounted virtual disk, and on other suspicious behaviors.
    • Monitor network traffic for connections to the known C2 indicator "103.187.26[.]176" and for abuse of otherwise legitimate services (StatCounter requests whose Referer is not a web page URL, Bitbucket downloads of ".dat" payloads by hosts that are not developer workstations), and block confirmed malicious indicators.
  4. Incident Response Preparedness:
    • Ensure incident response teams are prepared to investigate and remediate infections quickly.
    • Regularly test and update backup and recovery systems to protect against data loss.
  5. Limit Access to Legitimate Services:
    • Where there is no business need, restrict or proxy access to code-hosting and file-sharing services such as Bitbucket and Google Drive, and log downloads from them so that their misuse in an attack chain can be detected even when the traffic itself looks legitimate.

Link(s):
https://thehackernews.com/2024/11/apt-c-60-exploits-wps-office.html