July 17, 2024 at 05:06AM
APT17, a China-linked threat actor, targeted Italian companies and government entities using a variant of known malware, 9002 RAT. Two attacks occurred on June 24 and July 2, 2024, leveraging spear-phishing lures to prompt victims to download an MSI installer for Skype for Business, which triggered the execution of 9002 RAT to facilitate network surveillance and control.
From the meeting notes, I have gathered that a China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT. The attacks took place on June 24 and July 2, 2024. A cybersecurity company identified the malware as being delivered through spear-phishing lures, aiming to trick recipients into downloading an MSI installer for Skype for Business. Once the installer is launched, it executes a Java archive (JAR) file via a Visual Basic Script (VBS), ultimately leading to the execution of 9002 RAT. This modular trojan has various capabilities, including monitoring network traffic, capturing screenshots, and running additional commands received from a remote server. The malware is constantly updated with diskless variants and uses various modules to reduce the possibility of interception by cyber actors.