APT-C-60 group attacks Japan with SpyGlace backdoor

The South Korea-aligned threat actor known as APT-C-60 has been linked to a targeted attack on an unnamed organization in Japan. The attack, which occurred around August 2024, employed a convincing job application-themed lure to deliver the SpyGlace backdoor, according to findings from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

The attack began with an email sent to the organization's recruiting contact, masquerading as a message from a prospective job applicant. The email included a link to a Google Drive file, which, when accessed, downloaded a virtual hard disk (VHDX) file containing malware. VHDX files, typically used for virtual disks, were weaponized in this case to conceal an LNK shortcut file and a decoy document.

Opening the LNK file initiated a sophisticated infection chain, displaying the lure document as a distraction while executing a downloader/dropper payload named SecureBootUEFI.dat.

APT-C-60 leveraged well-known legitimate services such as Google Drive, Bitbucket, and StatCounter to obfuscate its malicious activities.

StatCounter was exploited to collect unique device identifiers encoded from victim system details. Bitbucket repositories were used to host and deliver additional payloads, including the custom backdoor SpyGlace.

The payloads were retrieved from several Bitbucket repositories and included cbmp.txt (saved as cn.dat) and icon.txt (saved as sp.dat). The campaign exploited a critical remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262), which facilitated the deployment of SpyGlace.

Once deployed, the SpyGlace backdoor connected to a command-and-control server, enabling the attackers to exfiltrate sensitive files, load additional plugins, and execute commands remotely.

To ensure persistence, APT-C-60 utilized a technique known as COM hijacking, which allowed the malicious cn.dat file to execute the backdoor while staying hidden.
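COM hijacking of the kind described above works by registering a per-user CLSID override (under HKEY_CURRENT_USER\Software\Classes\CLSID) whose InprocServer32 value points at an attacker-controlled file, so that a process loading that COM object picks up the malicious server instead of the legitimate one. A practical hunting check is therefore to review per-user InprocServer32 values for servers that are not DLLs or that live in user-writable directories. The following is an added example, not code from the article or from JPCERT/CC: it parses a Windows `.reg` export and flags such entries. The registry text is constructed for the example; the CLSIDs and paths are invented, and only the `cn.dat` file name is taken from the article.

```python
"""Flag user-hive COM hijacking candidates in a Windows .reg export.

Added example (not from the JPCERT/CC report or the article). The
registry snippet below is constructed: CLSIDs and paths are invented,
only the cn.dat file name mirrors the campaign described in the text.
"""
import re
from typing import Dict, List

# Constructed .reg export: one benign per-user registration and one
# suspicious InprocServer32 pointing at a .dat file under the user profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\cn.dat"
"ThreadingModel"="Apartment"
"""

# Per-user CLSID InprocServer32 key, e.g.
# [HKEY_CURRENT_USER\Software\Classes\CLSID\{GUID}\InprocServer32]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\})\\InprocServer32\]$"
)
# Directories an unprivileged user can normally write to.
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, str]:
    """Map each HKCU CLSID InprocServer32 key to its default value (the server path)."""
    servers: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = KEY_RE.match(stripped)
        if m:
            current = m.group(1)
            continue
        if stripped.startswith("["):
            current = None  # some other key; stop collecting
            continue
        if current and stripped.startswith("@="):
            raw = stripped[2:].strip()
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1]
            # .reg files double every backslash; undo that escaping.
            servers[current] = raw.replace("\\\\", "\\")
    return servers


def find_suspicious(text: str) -> List[dict]:
    """Return per-user COM servers that are not DLLs or live in user-writable paths."""
    findings = []
    for key, path in parse_reg(text).items():
        reasons = []
        if not path.lower().endswith(".dll"):
            reasons.append("server is not a .dll")
        if USER_WRITABLE.search(path):
            reasons.append("server lives in a user-writable directory")
        if reasons:
            findings.append({"key": key, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REG):
        print(f"{f['key']}\n  -> {f['path']}\n  reasons: {', '.join(f['reasons'])}")
```

On a live host the same logic can be run against the output of `reg export HKCU\Software\Classes\CLSID` from a suspect user profile; a per-user InprocServer32 that shadows a CLSID also registered under HKEY_LOCAL_MACHINE deserves particular attention, since that is the shadowing COM hijacking relies on.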

