The SpyGlace backdoor was delivered by the threat actor APT-C-60 via a job application-themed lure in a cyberattack against an unidentified Japanese organization.
According to JPCERT/CC's findings, the intrusion abused legitimate services, namely Bitbucket, Google Drive, and StatCounter. The attack took place in August 2024.
“In this attack, an email purporting to be from a prospective employee was sent to the organization’s recruiting contact, infecting the contact with malware,” the agency said.
APT-C-60 is the code name of a South Korea-aligned cyber espionage group known to target East Asian countries. In August 2024 it was observed dropping its custom SpyGlace backdoor by exploiting a remote code execution flaw in WPS Office for Windows (CVE-2024-7262).
The attack chain documented by JPCERT/CC begins with a phishing email that links to a virtual hard disk (VHDX) file hosted on Google Drive. Once the file is downloaded and mounted, it contains a Windows shortcut ("Self-Introduction.lnk") and a decoy document.
The LNK file is responsible for launching the later stages of the infection chain while, as a distraction, opening the decoy document.
Specifically, it launches a downloader/dropper payload named "SecureBootUEFI.dat," which then abuses StatCounter, a legitimate web analytics service, to send a string that uniquely identifies the victim machine through the HTTP Referer field. The encoded string value is derived from the user name, home directory, and computer name.
The downloader then queries Bitbucket, using that encoded unique string, to retrieve the next stage, a file named "Service.dat." This file in turn downloads two more artifacts, "cbmp.txt" and "icon.txt," from a separate Bitbucket repository and saves them as "cn.dat" and "sp.dat," respectively.
"Service.dat" also persists "cn.dat" on the compromised host via COM hijacking, after which "cn.dat" executes the SpyGlace backdoor ("sp.dat").
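To make the StatCounter and Bitbucket steps concrete, here is an added detection example (not code from JPCERT/CC, the article, or the malware itself) that scans proxy logs for StatCounter requests whose Referer is an opaque token rather than a page URL, and then checks whether the same client went on to fetch from Bitbucket. The log lines, host names, client addresses, URL paths, and the base64url token format are constructed for the sample; the page does not state how the real campaign encodes the identifier, only that it is built from the user name, home directory, and computer name.

```python
"""Flag StatCounter requests whose Referer is an opaque token, then check
whether the same client later fetched from Bitbucket.

Added example, not code from JPCERT/CC or the article. Everything in the
sample log is constructed; base64url for the token is an assumption.
"""
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts treated as the analytics and staging services (assumption: illustrative lists).
STATCOUNTER_SUFFIXES = ("statcounter.com",)
BITBUCKET_SUFFIXES = ("bitbucket.org",)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed victim token: base64url of "computer|user|home directory".
CONSTRUCTED_TOKEN = _b64url(b"WKS-0042|hr.recruit|C:\\Users\\hr.recruit")

# Constructed proxy log, tab separated: time, client, method, url, status, referer, user-agent.
SAMPLE_LOG = "\n".join([
    "2024-08-13T09:14:02Z\t10.0.0.21\tGET\thttps://c.statcounter.com/t.php?sc_project=1\t200"
    "\thttps://www.example.com/careers\tMozilla/5.0",
    f"2024-08-13T09:14:05Z\t10.0.0.37\tGET\thttps://c.statcounter.com/t.php?sc_project=2\t200"
    f"\t{CONSTRUCTED_TOKEN}\tMozilla/5.0",
    "2024-08-13T09:14:09Z\t10.0.0.37\tGET\thttps://bitbucket.org/ws/repo/raw/main/Service.dat\t200"
    "\t-\tMozilla/5.0",
    "2024-08-13T09:14:11Z\t10.0.0.44\tGET\thttps://c.statcounter.com/t.php?sc_project=3\t200"
    "\t-\tMozilla/5.0",
])


@dataclass
class Beacon:
    timestamp: str
    client: str
    referer: str
    decoded: Optional[str]


def _host_matches(url: str, suffixes: Tuple[str, ...]) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def looks_like_url(referer: str) -> bool:
    """A browser-sent Referer is an absolute http(s) URL; anything else is unusual."""
    parsed = urlparse(referer)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def try_decode(token: str) -> Optional[str]:
    """Best-effort base64url decode for triage; None if the token is not base64 text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def _parse(line: str) -> Optional[List[str]]:
    fields = line.split("\t")
    return fields if len(fields) >= 7 else None


def find_beacons(log_text: str) -> List[Beacon]:
    """StatCounter hits whose Referer is neither empty nor a URL."""
    hits: List[Beacon] = []
    for line in log_text.splitlines():
        fields = _parse(line)
        if not fields:
            continue
        ts, client, _method, url, _status, referer, _ua = fields[:7]
        if not _host_matches(url, STATCOUNTER_SUFFIXES):
            continue
        if referer in ("", "-") or looks_like_url(referer):
            continue  # ordinary page view recorded by the counter
        hits.append(Beacon(ts, client, referer, try_decode(referer)))
    return hits


def bitbucket_followups(log_text: str, beacons: List[Beacon]) -> List[Tuple[str, str]]:
    """(client, url) pairs where a beaconing client later fetched from Bitbucket."""
    flagged = {b.client for b in beacons}
    out: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        fields = _parse(line)
        if not fields:
            continue
        _ts, client, _method, url = fields[:4]
        if client in flagged and _host_matches(url, BITBUCKET_SUFFIXES):
            out.append((client, url))
    return out


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for b in found:
        print(f"{b.timestamp} {b.client} referer={b.referer!r} decoded={b.decoded!r}")
    for client, url in bitbucket_followups(SAMPLE_LOG, found):
        print(f"follow-up fetch by {client}: {url}")
```

The first rule deliberately ignores what the token says and keys only on its shape, since a counter endpoint should only ever see page URLs or an empty Referer; the decode is there to speed up triage, not to decide the alert. Pairing the hit with a subsequent Bitbucket fetch from the same client reproduces the ordering described above and cuts down on false positives from misconfigured tracking snippets.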
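As an added hunting example for the COM hijacking persistence described above (not code from JPCERT/CC or the article), the script below parses an exported registry hive in .reg format and flags per-user CLSID InprocServer32 entries that shadow a machine-wide registration, point to a non-DLL file, or live in a user-writable directory. The CLSIDs, paths, and user name in the sample export are invented; the page does not say which COM object the campaign hijacked, and the reasons reported are triage hints rather than a verdict.

```python
"""Hunt for per-user COM hijacks in an exported registry hive (.reg text).

Added example, not code from JPCERT/CC or the article. The .reg snippet is
constructed: the CLSIDs, paths and user name are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the InprocServer32 key of a CLSID under either hive (case-insensitive, like the registry).
CLSID_SERVER = re.compile(
    r"^HKEY_(?P<hive>LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\\InprocServer32$",
    re.IGNORECASE,
)

# Path fragments a standard user can write to; a COM server there needs no admin rights to plant.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed export: one HKLM registration shadowed by an HKCU entry pointing at a .dat file,
# one benign per-user registration, and one per-user DLL sitting in Temp.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}]
@="Constructed Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Users\\hr.recruit\\AppData\\Roaming\\cn.dat"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\addin.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CCCCCCCC-0000-4000-8000-000000000003}\InprocServer32]
@="C:\\Users\\hr.recruit\\AppData\\Local\\Temp\\helper.dll"
"""


@dataclass
class Finding:
    clsid: str
    server_path: str
    reasons: List[str] = field(default_factory=list)


def parse_default_values(reg_text: str) -> Dict[str, str]:
    """Map each key path to its default (@) string value, unescaping .reg syntax.

    Only plain @="..." values are handled; hex(2) expand-string values are skipped.
    """
    values: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            values[current] = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values


def hunt_com_hijacks(reg_text: str) -> List[Finding]:
    """Return per-user InprocServer32 registrations that deserve a second look."""
    hklm: Dict[str, str] = {}
    hkcu: Dict[str, str] = {}
    for key, path in parse_default_values(reg_text).items():
        m = CLSID_SERVER.match(key)
        if not m:
            continue
        target = hklm if m.group("hive").upper() == "LOCAL_MACHINE" else hkcu
        target[m.group("clsid").upper()] = path

    findings: List[Finding] = []
    for clsid, path in hkcu.items():
        reasons: List[str] = []
        low = path.lower()
        if clsid in hklm:  # HKCU wins over HKLM at lookup time: the classic hijack shape
            reasons.append(f"shadows HKLM server {hklm[clsid]}")
        if not low.endswith(".dll"):
            reasons.append("server is not a .dll")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("server lives in a user-writable location")
        if reasons:
            findings.append(Finding(clsid, path, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_com_hijacks(SAMPLE_REG):
        print(f.clsid, f.server_path)
        for r in f.reasons:
            print("   -", r)
```

On a real host, export the per-user hive with `reg export HKCU\Software\Classes\CLSID clsid.reg` (and the HKLM counterpart) and read the files with `encoding="utf-16"`, since `reg export` writes UTF-16 with a byte-order mark. An entry that triggers all three reasons, as the constructed "cn.dat" one does, is the pattern to prioritize; a per-user DLL in Temp with no machine-wide twin still merits a look but is also what some legitimate per-user installers leave behind.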
The backdoor, for its part, connects to a command-and-control server ("103.187.26[.]176") and waits for further commands, which allow it to load additional plugins, steal files, and execute tasks.
Cybersecurity companies Chuangyu 404 Lab and Positive Technologies have separately reported on identical campaigns delivering the SpyGlace malware, and both point to evidence that APT-C-60 and APT-Q-12 (also known as Pseudo Hunter) are sub-groups within the DarkHotel cluster.
“Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims’ devices,” Positive Technologies said. “One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system’s protective mechanisms.”