APT-C-60 Hackers Use Job Scam to Deploy SpyGlace Malware
APT-C-60 Cyber Attack Targets Japanese Organization Using Job Application Lure
The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan. The attack, which unfolded around August 2024, used a job application-themed lure to deliver the SpyGlace malware, illustrating how cyber espionage groups continue to adapt their tactics. According to JPCERT/CC, the intrusion abused legitimate online services, Google Drive and Bitbucket, to host and deliver its payloads.
APT-C-60, a South Korea-aligned cyber espionage group, is notorious for its focus on East Asian countries. This recent incident involved the exploitation of a remote code execution vulnerability (CVE-2024-7262) in WPS Office for Windows, marking a significant shift in the group’s operational methods.
How the Cyber Attack Unfolded
The attack chain revealed by JPCERT/CC illustrates a well-orchestrated phishing scheme. Here’s how the attack unfolded:
- Phishing Email: An email disguised as a job application was sent to the organization’s recruitment contact; opening its contents led to the recipient’s machine being infected with malware.
- Malicious Link: The email contained a link to a malicious file hosted on Google Drive, which, when downloaded, included a decoy document and a Windows shortcut labeled “Self-Introduction.lnk.”
- Infection Chain: The LNK file activated a downloader named “SecureBootUEFI.dat,” which utilized StatCounter to transmit a unique identifier for the victim’s device.
The Role of Legitimate Services
The use of legitimate services in this attack highlights a troubling trend in cyber threats. By employing trusted platforms, APT-C-60 was able to bypass some traditional security measures. Here’s a breakdown of additional steps in the attack:
- The downloader accessed Bitbucket to retrieve a file called “Service.dat.”
- This file initiated the download of two more artifacts, “cbmp.txt” and “icon.txt,” which were saved as “cn.dat” and “sp.dat” respectively.
- “Service.dat” also ensured persistence of “cn.dat” on the compromised host through a technique known as COM hijacking.
- Finally, the SpyGlace backdoor (“sp.dat”) was executed, establishing communication with a command-and-control server.
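Taken together, these stages give a defender several points to correlate on rather than a single indicator. The following is an added example, not code from the JPCERT/CC report or any vendor tooling: it scores constructed endpoint events against each stage named above and alerts only when a host hits several of them. The JSON event schema, the rundll32 loader image and the all-zero CLSID are assumptions, since the article does not give them.

```python
import json
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Per-user COM hijack location; the article does not name the hijacked CLSID.
COM_HIJACK_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32$", re.I)
def _exe(ev):
    return ev.get("image", "").rsplit("\\", 1)[-1].lower()
def _path_ends(ev, kind, suffix):
    return ev["type"] == kind and ev.get("path", "").lower().endswith(suffix)
def _non_browser_to(ev, domain):
    host = ev.get("dest", "").lower()
    return (ev["type"] == "network" and _exe(ev) not in BROWSERS
            and (host == domain or host.endswith("." + domain)))
# One predicate per stage of the chain described in the article.
STAGES = {
    "lure_lnk": lambda e: _path_ends(e, "file", "self-introduction.lnk"),
    "downloader": lambda e: _path_ends(e, "file", "securebootuefi.dat"),
    "victim_id_beacon": lambda e: _non_browser_to(e, "statcounter.com"),
    "stage2_fetch": lambda e: _non_browser_to(e, "bitbucket.org"),
    "com_hijack": lambda e: (e["type"] == "registry"
                             and COM_HIJACK_RE.match(e.get("key", "")) is not None
                             and e.get("value", "").lower().endswith(".dat")),
}
def correlate(lines, min_stages=3):
    # Host -> sorted stage names, only for hosts hitting >= min_stages stages;
    # a single benign StatCounter or Bitbucket visit never alerts on its own.
    seen = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        for name, rule in STAGES.items():
            if rule(ev):
                seen[ev["host"]].add(name)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed telemetry, one JSON event per line. The loader image (rundll32)
# and the all-zero CLSID are placeholders the article does not supply.
SAMPLE_LOG = [
    r'{"host":"WS01","type":"file","image":"C:\\Windows\\explorer.exe","path":"C:\\Users\\hr\\Downloads\\Self-Introduction.lnk"}',
    r'{"host":"WS01","type":"file","image":"C:\\Windows\\System32\\rundll32.exe","path":"C:\\Users\\hr\\AppData\\Roaming\\SecureBootUEFI.dat"}',
    r'{"host":"WS01","type":"network","image":"C:\\Windows\\System32\\rundll32.exe","dest":"c.statcounter.com"}',
    r'{"host":"WS01","type":"network","image":"C:\\Windows\\System32\\rundll32.exe","dest":"bitbucket.org"}',
    r'{"host":"WS01","type":"registry","image":"C:\\Windows\\System32\\rundll32.exe","key":"HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32","value":"C:\\Users\\hr\\AppData\\Roaming\\cn.dat"}',
    r'{"host":"WS02","type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"c.statcounter.com"}',
]
def run_sample():
    return correlate(SAMPLE_LOG)
```

WS02 only shows a browser visiting StatCounter and never appears in the result, while WS01 matches all five stages; raising `min_stages` trades missed early-stage detections for fewer false positives.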
Broader Implications and Trends
Cybersecurity firms like Chuangyu 404 Lab and Positive Technologies have independently reported similar campaigns associated with the SpyGlace malware, linking APT-C-60 with other sub-groups within the DarkHotel cluster. Positive Technologies noted that groups in the Asia region are increasingly using unconventional techniques, such as virtual disks in VHD/VHDX format, to bypass security controls.
This incident serves as a critical reminder of the need for robust cybersecurity measures, especially for organizations that may be targeted by sophisticated threat actors.
Conclusion
As cyber threats continue to evolve, it is crucial for organizations to stay vigilant and implement comprehensive security strategies. The APT-C-60 attack underscores the importance of awareness and preparedness against such advanced persistent threats.
For further reading on similar cybersecurity incidents, check out this report from JPCERT/CC and learn more about APT groups and their tactics.