APT-C-60 Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor

November 27, 2024 at 06:28AM

APT-C-60, a South Korea-aligned cyber espionage group, targeted a Japanese organization in August 2024 with job-application-themed phishing that ultimately deployed the SpyGlace backdoor. The infection chain exploited a WPS Office for Windows vulnerability and staged its payloads on legitimate services, Google Drive and Bitbucket, so that the downloads blended in with ordinary web traffic.

### Meeting Takeaways – Cybersecurity Update (Nov 27, 2024)

**Incident Overview:**
– APT-C-60, a South Korea-aligned cyber espionage group, executed a cyber attack on an unnamed organization in Japan using job application-themed phishing tactics to deliver the SpyGlace backdoor.

**Key Findings:**
– The attack occurred around **August 2024** and involved exploiting a **remote code execution vulnerability (CVE-2024-7262)** in WPS Office for Windows.
– Phishing emails posed as job applications from prospective employees; opening the delivered content started the infection.

**Technical Details:**
– **Infection Chain**: The chain used a downloader, **SecureBootUEFI.dat**, that fetched its payloads from legitimate platforms (**Google Drive** and **Bitbucket**) rather than from attacker-owned hosting.
– **File Structure**: The lure was delivered as a **VHDX file** (a virtual disk that Windows mounts as a drive) containing:
  – A decoy document to occupy the user.
  – A Windows shortcut (LNK) that triggers the infection process.
– **Victim Tracking**: The downloader sent a device-identifying string, derived from the computer's information and encoded, in the HTTP Referer field of a web request, which lets the operators tell individual infections apart in their logs.
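The Referer beacon described above leaves a recognisable trace in proxy or web-server logs: a Referer value that is an encoded blob instead of an absolute URL. As an added example (not part of the original report or of the group's tooling), the Python below scans constructed proxy log lines for exactly that. The log line format, the hostnames and the base64-encoded identifier are all assumed for illustration; on real data, adapt `LINE_RE` to your proxy's format.

```python
import base64
import math
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): METHOD URL "Referer".
# The third line carries a constructed device identifier encoded as base64 in
# the Referer header, the pattern described above for SecureBootUEFI.dat.
# Hostnames under .example / .test are placeholders, not real infrastructure.
CONSTRUCTED_ID = base64.b64encode(b"BLUE-PC-00-15-5D-AB-CD-EF").decode()
SAMPLE_LOG = "\n".join([
    'GET https://www.example.com/index.html "https://www.example.com/"',
    'GET https://cdn.example.net/app.js "https://www.example.com/index.html"',
    f'GET https://counter.example/t.php "{CONSTRUCTED_ID}"',
    'GET https://bitbucket.test/ws/repo/raw/Service.dat "-"',
    'GET https://img.example.org/logo.png "https://shop.example.org/cart?id=4821"',
    'GET https://api.example.org/v1/ping "android-app"',
])

LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<referer>[^"]*)"$')
# Standard or URL-safe base64 alphabet with optional trailing padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs score high, words and URLs score lower."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_url(referer: str) -> bool:
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def try_decode_b64(token: str):
    """Decode standard or URL-safe base64; return printable text, else hex, else None."""
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        raw = base64.b64decode(std, validate=True)
    except ValueError:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()
    return text if text.isprintable() else raw.hex()


def suspicious_referers(log_text: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return requests whose Referer is an encoded blob rather than a URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ref = m["referer"]
        # Empty, "-" and ordinary absolute URLs are normal; short bare tokens
        # such as "android-app" are also legitimate and stay below min_len.
        if ref in ("", "-") or looks_like_url(ref):
            continue
        if len(ref) < min_len or not B64_RE.match(ref):
            continue
        entropy = shannon_entropy(ref)
        if entropy < min_entropy:
            continue
        findings.append({
            "url": m["url"],
            "referer": ref,
            "entropy": round(entropy, 2),
            "decoded": try_decode_b64(ref),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_referers(SAMPLE_LOG):
        print(f"{f['url']}  referer={f['referer']}  decoded={f['decoded']!r}")
```

`min_len` and `min_entropy` are tuning knobs: long alphanumeric app identifiers in the Referer will also trip the check, so the decoded value is included to make triage quick. A blob that decodes to a hostname, MAC-like string or other machine attribute is the strongest signal.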

**Artifact Retrieval Steps:**
1. **SecureBootUEFI.dat** sends the encoded device identifier in an HTTP Referer field, then retrieves **Service.dat** from Bitbucket.
2. **Service.dat** downloads two further files:
   – **cbmp.txt** (saved as **cn.dat**)
   – **icon.txt** (saved as **sp.dat**)
3. **Service.dat** uses COM hijacking to persist **cn.dat** and runs **sp.dat**, which is the SpyGlace backdoor itself.
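The persistence step relies on COM hijacking: a per-user CLSID registration under HKCU\Software\Classes is resolved before the machine-wide one under HKLM, so writing an InprocServer32 entry there redirects every process that instantiates that component to the attacker's file, with no administrator rights required. As an added example (not code from the original article or from the malware), the Python below parses a constructed `.reg` export and flags HKCU in-process servers that shadow an HKLM entry, are not DLLs, or load from user-writable paths. The CLSIDs, the paths and the placement of cn.dat are constructed placeholders, not observed indicators.

```python
import re

# Constructed .reg export (not from a real host): one HKLM component, a HKCU
# entry for the same CLSID that redirects it to a .dat file in the user's
# profile (the hijack pattern described above), and a benign per-user
# component. The CLSIDs and paths are placeholders, not real identifiers.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Shell Component"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="%SystemRoot%\\system32\\examplecomp.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\cn.dat"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\plugin.dll"
"ThreadingModel"="Both"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CLSID_KEY_RE = re.compile(
    r"^(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\"
    r"(?:Wow6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to; a COM server loaded from here
# is unusual for a system component.
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


def _unquote(raw: str) -> str:
    """Strip the quotes of a .reg string and undo its doubled-backslash and \\" escapes."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: value}}; '@' is the default value."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = entries.setdefault(m["key"], {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else _unquote(name)
        current[name] = _unquote(value) if value.startswith('"') else value
    return entries


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def find_com_hijacks(reg_text: str) -> list:
    """Flag HKCU InprocServer32 entries that shadow HKLM or load from odd places."""
    servers = {"HKEY_LOCAL_MACHINE": {}, "HKEY_CURRENT_USER": {}}
    for key, values in parse_reg(reg_text).items():
        m = CLSID_KEY_RE.match(key)
        if m and "@" in values:
            servers[m["hive"].upper()][m["clsid"].upper()] = values["@"]
    findings = []
    for clsid, path in servers["HKEY_CURRENT_USER"].items():
        reasons = []
        machine_path = servers["HKEY_LOCAL_MACHINE"].get(clsid)
        # Per-user classes are resolved before HKLM, so a HKCU entry for a CLSID
        # that HKLM also defines redirects every client of that component.
        if machine_path is not None and machine_path.lower() != path.lower():
            reasons.append(f"shadows HKLM server {machine_path}")
        if not path.lower().endswith((".dll", ".ocx")):
            reasons.append("in-process server is not a .dll/.ocx")
        if is_user_writable(path):
            reasons.append("server path is user-writable")
        if reasons:
            findings.append({"clsid": clsid, "server": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_com_hijacks(SAMPLE_REG):
        print(hit["clsid"], hit["server"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On a live host the two inputs come from `reg export HKLM\SOFTWARE\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg`; `reg export` writes UTF-16 with a BOM, so open the files with `encoding="utf-16"` before concatenating them and passing the text to `find_com_hijacks`. Legitimate per-user components do exist (the second HKCU entry in the sample is deliberately left unflagged), so the shadowing check is the one that matters most; the extension and path checks are supporting evidence.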

**Operational Impact:**
– The SpyGlace backdoor establishes a connection to a command-and-control server (IP: 103.187.26[.]176) to conduct further malicious activities, including file theft and executing commands.

**Industry Response:**
– Chuangyu 404 Lab and Positive Technologies have reported overlapping campaigns and place APT-C-60 within a broader cluster (DarkHotel) alongside APT-Q-12 (Pseudo Hunter).
– Threat groups in the Asia region are increasingly delivering payloads inside virtual disks (VHD/VHDX), which Windows mounts as a drive; the files inside do not inherit the container's Mark-of-the-Web, so the usual download warnings and Protected View do not apply to them.

**Action Items:**
– Continued monitoring of APT-C-60 and similar threats.
– Confirm WPS Office for Windows is patched against CVE-2024-7262, block or inspect VHD/VHDX attachments and downloads, and hunt for the artifacts above (the file names, HKCU COM registrations, and the C2 address).
– Review and enhance email security controls and employee training for phishing attacks, including job-application lures.

**Follow-Up:**
Stay updated on cybersecurity trends and threats by following relevant channels on social media.
