Threat Research

APT-C-48(CNC)组织近期钓鱼攻击活动分析报告

Securonix
Summary:
APT-C-48, a government-backed APT organization from South Asia, targets various sectors including government, military, education, and healthcare. Recent phishing attacks using resume-themed emails have been detected, where malicious executables are disguised as PDF files to trick users into opening them. The attackers employ tactics to evade detection and maintain persistence on infected systems.
#APT #Phishing #CNC
Keypoints:

  • APT-C-48 is a South Asia-based APT group targeting government and various sectors.
  • Recent attacks involve phishing emails with resume-related topics.
  • Malicious executables are disguised as PDF files to deceive users.
  • Attackers use dynamic decryption to evade antivirus detection.
  • Persistence is achieved through scheduled tasks created via COM components.
  • Indicators of compromise include suspicious emails and unusual scheduled tasks.
    • MITRE Techniques

  • Phishing (T1566): Utilizes resume-themed emails to deliver malicious payloads.
  • Masquerading (T1036): Modifies icons and filenames to disguise malicious executables as legitimate files.
  • Command and Control (T1071): Communicates with remote servers to download additional components.
  • Scheduled Task/Job (T1053): Creates scheduled tasks to maintain persistence on the infected system.
  • Process Injection (T1055): Uses process manipulation techniques to evade detection during execution.
    • IoC:

  • [URL] panbaiclu[.]com/Guide/Architecture.pdf
  • [URL] panbaiclu[.]com/Guide/structure
  • [URL] panbaiclu[.]com/Metadata/indexes
  • [URL] panbaiclu[.]com/APIs/BaiduSearchAPI
  • [domain] panbaiclu[.]com
  • [IP] 158.255.215.248
  • [file hash] e74d7351a73c0343c2b607c8f137f847974f51eb0ea821434504cb22c36fbfabef98ed09bedea8daef9d09ec62ffe9cc
    • Mitigation:

  • Monitor email for suspicious messages related to resumes with attachments.
  • Check for communication with known command and control servers.
  • Investigate any unusual scheduled tasks and associated suspicious files.
  • Enable settings to show hidden files and extensions to identify disguised files.

    • Full Research: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247504896&idx=1&sn=42097a09cd3420fd7168ba1afc84939e&chksm=f9c1e709ceb66e1fd732a72853e48466ae332109a6200a58c1ddab56e1c7d90b902cbbd64027&scene=178&cur_album_id=1955835290309230595

    Tags: PHISHING, MONITOR, EMAIL, GOVERNMENT, PERSISTENCE, APT