Summary:
JPCERT/CC has identified a cyber attack attributed to the APT-C-60 group targeting domestic organizations, utilizing malware disguised as job application emails. The attack involves a downloader and backdoor analysis, revealing a sophisticated method of infection through malicious Google Drive links. The campaign shares similarities with other malware incidents in East Asia.
#APT-C60 #MalwareCampaign #CyberThreats
JPCERT/CC has identified a cyber attack attributed to the APT-C-60 group targeting domestic organizations, utilizing malware disguised as job application emails. The attack involves a downloader and backdoor analysis, revealing a sophisticated method of infection through malicious Google Drive links. The campaign shares similarities with other malware incidents in East Asia.
#APT-C60 #MalwareCampaign #CyberThreats
Keypoints:
JPCERT/CC confirmed an attack by APT-C-60 around August 2024.
The attack involved phishing emails disguised as job applications.
Malware was delivered via a Google Drive link leading to a VHDX file download.
The VHDX file contained LNK files and decoy documents.
SecureBootUEFI.dat was used as a downloader, accessing Bitbucket and StatCounter.
SpyGrace backdoor was identified, with a version of v3.1.6 confirmed.
Similar malware campaigns were reported in East Asia during the same period.
MITRE Techniques
Phishing (T1566): Used to deliver malware through job application emails.
Command and Control (T1071): Utilizes Bitbucket and StatCounter for communication with compromised systems.
Data Obfuscation (T1001): Encodes information in the referrer to hide the identity of infected machines.
Persistence (T1547): Achieved through COM hijacking to maintain access.
Remote Access Tools (T1219): Use of SpyGrace for remote control of infected systems.
IoC:
[IP Address] 103.187.26.176
[IP Address] 103.6.244.46
[URL] c.statcounter.com/12959680/0/f1596509/1/
[URL] c.statcounter.com/13025547/0/0a557459/1/
[URL] bitbucket.org/hawnbzsd/hawnbzsd/downloads
[URL] bitbucket.org/hawnbzsd/hawnbzsd31/downloads
[URL] bitbucket.org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/cbmp.txt
[URL] bitbucket.org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/icon.txt
[File Hash] fd6c16a31f96e0fd65db5360a8b5c179a32e3b8e
[File Hash] 4508d0254431df5a59692d7427537df8a424dbba
[File Hash] 7e8aeba19d804b8f2e7bffa7c6e4916cf3dbee62
[File Hash] c198971f84a74e972142c6203761b81f8f854d2c
[File Hash] 6cf281fc9795d5e94054cfe222994209779d0ba6
[File Hash] cc9cd337b28752b8ba1f41f773a3eac1876d8233
[File Hash] 5ed4d42d0dcc929b7f1d29484b713b3b2dee88e3
[File Hash] 8abd64e0c4515d27fae4de74841e66cfc4371575
[File Hash] 3affa67bc7789fd349f8a6c9e28fa1f0c453651f
[File Hash] fadd8a6c816bebe3924e0b4542549f55c5283db8
[File Hash] 4589b97225ba3e4a4f382540318fa8ce724132d5
[File Hash] 1e5920a6b79a93b1fa8daca32e13d1872da208ee
[File Hash] 783cd767b496577038edbe926d008166ebe1ba8c
[File Hash] 79e41b93b540f6747d0d2c3a22fd45ab0eac09ab
[File Hash] 65300576ba66f199fca182c7002cb6701106f91c
[File Hash] d94448afd4841981b1b49ecf63db3b63cb208853
[File Hash] b1e0abfdaa655cf29b44d5848fab253c43d5350a
[File Hash] 33dba9c156f6ceda40aefa059dea6ef19a767ab2
[File Hash] 5d3160f01920a6b11e3a23baec1ed9c6d8d37a68
[File Hash] 0830ef2fe7813ccf6821cad71a22e4384b4d02b4
Full Research: https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html