APT-C-60 Group – Utilizing malware disguised as job application emails – JPCERT/CC Eyes

Summary:
JPCERT/CC has identified a cyber attack attributed to the APT-C-60 group targeting domestic organizations, using malware disguised as job application emails. JPCERT/CC's analysis of the downloader and the backdoor reveals an infection chain that begins with a malicious Google Drive link. The campaign shares similarities with other malware incidents in East Asia.
#APT-C60 #MalwareCampaign #CyberThreats

Keypoints:

  • JPCERT/CC confirmed an attack by APT-C-60 around August 2024.
  • The attack involved phishing emails disguised as job applications.
  • Malware was delivered via a Google Drive link leading to a VHDX file download.
  • The VHDX file contained LNK files and decoy documents.
  • SecureBootUEFI.dat was used as a downloader, accessing Bitbucket and StatCounter.
  • The SpyGrace backdoor was identified; version v3.1.6 was confirmed.
  • Similar malware campaigns were reported in East Asia during the same period.

MITRE Techniques:

  • Phishing (T1566): Used to deliver malware through job application emails.
  • Command and Control (T1071): Utilizes Bitbucket and StatCounter for communication with compromised systems.
  • Data Obfuscation (T1001): Encodes information in the referrer to hide the identity of infected machines.
  • Persistence (T1547): Achieved through COM hijacking to maintain access.
  • Remote Access Tools (T1219): Use of SpyGrace for remote control of infected systems.
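A defender-side check for the two network behaviours listed above, the StatCounter counter request whose Referer carries encoded data instead of a page URL, and the payload fetch from Bitbucket, run over constructed proxy log lines. This is an added example, not code from JPCERT/CC or the report; the counter-path and combined-log regexes, and the non-browser User-Agent heuristic for the Bitbucket fetch, are my assumptions.

```python
import re
from urllib.parse import urlsplit

# Shape of the StatCounter counter paths listed in the report's IoCs:
# /<counter id>/0/<hex token>/1/   (the regex is my assumption about that shape)
STATCOUNTER_PATH = re.compile(r"^/\d+/0/[0-9a-f]+/1/?$")
# Bitbucket "downloads" and "raw" paths, as used by the downloader stage.
BITBUCKET_PATH = re.compile(r"^/[^/]+/[^/]+/(downloads|raw)(/|$)")

# Combined log format: client, timestamp, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_page_url(value):
    """A genuine counter hit carries the hosting page's URL as its Referer."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def check_line(line):
    """Return (rule, client, detail) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-log line; ignore rather than guess
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    if host == "c.statcounter.com" and STATCOUNTER_PATH.match(url.path):
        # A Referer that is not a page URL is where the downloader places its encoded data.
        if not is_page_url(m["referer"]):
            return ("statcounter_referer_not_url", m["src"], m["referer"])
    if host == "bitbucket.org" and BITBUCKET_PATH.match(url.path):
        # Heuristic (assumption): payload fetch by a client not announcing itself as a browser.
        if "Mozilla/" not in m["ua"]:
            return ("bitbucket_fetch_non_browser_ua", m["src"], m["ua"])
    return None

def scan(lines):
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample lines: one benign counter hit, one beacon, one payload fetch.
SAMPLE = [
    '10.0.0.5 - - [01/Aug/2024:09:00:00 +0900] "GET http://c.statcounter.com/1234567/0/abcdef01/1/ HTTP/1.1" 200 43 "https://www.example.com/blog/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 - - [01/Aug/2024:09:01:12 +0900] "GET http://c.statcounter.com/1234567/0/abcdef01/1/ HTTP/1.1" 200 43 "M2ViY2QtUEM" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 - - [01/Aug/2024:09:01:15 +0900] "GET https://bitbucket.org/exampleuser/examplerepo/downloads/icon.txt HTTP/1.1" 200 9125 "-" "WinHTTP Example/1.0"',
]

if __name__ == "__main__":
    for rule, client, detail in scan(SAMPLE):
        print(f"{rule}: client={client} detail={detail!r}")
```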

IoC:

Full Research: https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html