Attack Group APT-C-60 Targets Japan Using Trusted Platforms
A cyber-attack targeting Japanese and other East Asian organizations, suspected to be orchestrated by the threat group APT-C-60, has been uncovered.
First identified in August 2024, the attack involved phishing emails disguised as job applications to infiltrate recruitment departments, introducing malware via malicious links hosted on legitimate platforms such as Google Drive.
Attack Chain and Techniques
According to a new advisory published by JPCERT on Tuesday, the attack began with a phishing email containing a Google Drive link.
This link downloaded a VHDX file – a virtual disk format – onto the victim’s system. Inside the file, a malicious LNK shortcut file labeled Self-Introduction.lnk executed a payload using a legitimate executable, git.exe. Additionally, the payload generated a downloader, SecureBootUEFI.dat, and achieved persistence through a COM hijacking technique.
Further analysis revealed that the downloader connected to two legitimate services:
- StatCounter, for identifying infected devices using unique encoded data such as computer names
- Bitbucket, to retrieve and execute additional payloads
The malware used encoded data strings in URLs and XOR keys to obfuscate its communication and payload operations.
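The chain described above (shortcut on a mounted VHDX launching git.exe, the SecureBootUEFI.dat downloader, and COM hijacking for persistence) can be turned into endpoint hunting logic. The following is an added example, not code from JPCERT or the article; it runs three heuristics over constructed Sysmon-style events, and the CLSID values, paths and the "non-system volume" test are assumptions, not indicators taken from the advisory.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (process create, file create, registry set).
# None of these are real telemetry; names echo the artefacts described in the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "parent": "C:\\Windows\\explorer.exe", "cwd": "E:\\"},           # LNK on a mounted VHDX
    {"type": "process", "image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "parent": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "cwd": "C:\\src\\repo"},                                         # benign IDE usage
    {"type": "file", "path": "C:\\Users\\hr\\AppData\\Roaming\\SecureBootUEFI.dat"},
    {"type": "file", "path": "C:\\Users\\hr\\Documents\\cv.pdf"},
    {"type": "registry",                                               # placeholder CLSID
     "key": "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32",
     "value": "C:\\Users\\hr\\AppData\\Roaming\\SecureBootUEFI.dat"},  # user-hive COM hijack
    {"type": "registry",                                               # placeholder CLSID
     "key": "HKLM\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000002}\\InprocServer32",
     "value": "C:\\Windows\\System32\\shell32.dll"},                   # legitimate system entry
]

# Per-user COM registrations override machine-wide ones, so an HKCU InprocServer32
# that points outside trusted install directories is the classic hijack shape.
COM_KEY = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32$", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a heuristic."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        # Heuristic (assumption): git.exe started by explorer.exe, i.e. via a shortcut,
        # with a working directory on a volume other than the system drive.
        if (ev["type"] == "process" and _name(ev["image"]) == "git.exe"
                and _name(ev["parent"]) == "explorer.exe"
                and not ev["cwd"].lower().startswith("c:")):
            hits.append((i, "git.exe launched from shortcut on non-system volume"))
        elif ev["type"] == "file" and _name(ev["path"]) == "securebootuefi.dat":
            hits.append((i, "downloader artefact SecureBootUEFI.dat written"))
        elif (ev["type"] == "registry" and COM_KEY.match(ev["key"])
                and not ev["value"].lower().startswith(TRUSTED_DIRS)):
            hits.append((i, "HKCU CLSID InprocServer32 points outside trusted directories"))
    return hits
```

Feed real EDR or Sysmon exports in the same field layout to run the heuristics at scale; the first rule in particular needs tuning against developers who keep repositories on secondary drives.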
Backdoor and Persistence Mechanisms
The final payload, first identified as SpyGrace by ESET researchers in August, is a backdoor malware. This variant, version 3.1.6, is initialized by executing multiple commands, including verifying network connectivity and launching files from specific directories.
The backdoor also employs advanced techniques, such as using initterm functions to execute malicious operations before the primary program starts.
Regional Implications and Broader Campaign
Evidence suggests this campaign targeted organizations in Japan, South Korea and China. The use of decoy documents in the VHDX files aligns with other campaigns observed in East Asia between August and September 2024.
These campaigns consistently exploit legitimate services like Bitbucket for malware delivery and use sophisticated persistence techniques, highlighting the evolving tactics of APT-C-60.
According to JPCERT, this campaign demonstrates the risks posed by cybercriminals abusing trusted services. Organizations are urged to monitor recruitment channels, scrutinize unsolicited links and deploy advanced threat detection mechanisms to mitigate similar risks.