27 November 2024

APT-C-60 group attacks Japan with SpyGlace backdoor


The South Korea-aligned threat actor known as APT-C-60 has been linked to a targeted attack on an unnamed organization in Japan. The attack, which occurred around August 2024, employed a convincing job application-themed lure to deliver the SpyGlace backdoor, according to findings from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

The attack began with an email sent to the organization's recruiting contact, masquerading as a message from a prospective job applicant. The email included a link to a Google Drive file, which, when accessed, downloaded a virtual hard disk (VHDX) file containing malware. VHDX files, typically used for virtual disks, were weaponized in this case to conceal an LNK shortcut file and a decoy document.

Opening the LNK file initiated a sophisticated infection chain, displaying the lure document as a distraction while executing a downloader/dropper payload named SecureBootUEFI.dat.

APT-C-60 leveraged well-known legitimate services such as Google Drive, Bitbucket, and StatCounter to obfuscate its malicious activities.

StatCounter was exploited to collect unique device identifiers encoded from victim system details. Bitbucket repositories were used to host and deliver additional payloads, including the custom backdoor SpyGlace.

The payloads were retrieved from several Bitbucket repositories, including cbmp.txt (saved as cn.dat) and icon.txt (saved as sp.dat). The campaign exploited a critical remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262), which facilitated the deployment of SpyGlace.

Once deployed, the SpyGlace backdoor connected to a command-and-control server, enabling the attackers to exfiltrate sensitive files, load additional plugins, and execute commands remotely.

To ensure persistence, APT-C-60 utilized a technique known as COM hijacking, which allowed the malicious cn.dat file to execute the backdoor while staying hidden.
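As an added defender-side example (not code from JPCERT/CC's report), the following Python script parses a constructed `reg export` of the user's CLSID hive and flags InprocServer32 entries that point outside trusted directories or at a non-DLL file such as a .dat, the pattern a COM hijack loading cn.dat would leave behind. The CLSIDs and paths are made up, since the report does not name the hijacked CLSID.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the style of 'reg export HKCU\Software\Classes\CLSID'.
# The CLSIDs and paths are illustrative only and do not come from the report.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\cn.dat"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"ThreadingModel"="Both"
"""

# Per-user CLSID entries take precedence over HKLM, so a server path in a
# user-writable location is the classic COM hijacking persistence indicator.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_inproc_servers(text):
    """Return {clsid: server_path} for every HKCU InprocServer32 key in a reg export."""
    servers, clsid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1).upper()
            continue
        if line.startswith("["):          # some other key: stop collecting
            clsid = None
            continue
        d = DEFAULT_RE.match(line)
        if d and clsid:                   # '@=' is the (Default) value = DLL path
            servers[clsid] = d.group(1).replace("\\\\", "\\")
    return servers


def suspicious_com_servers(servers):
    """Flag user-hive COM servers outside trusted dirs or without a .dll extension."""
    flagged = []
    for clsid, path in servers.items():
        low, reasons = path.lower(), []
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("user-writable or non-standard location")
        if PureWindowsPath(low).suffix != ".dll":
            reasons.append("non-DLL extension")
        if reasons:
            flagged.append((clsid, path, reasons))
    return flagged
```

On a live host the same checks can be run over `reg export HKCU\Software\Classes\CLSID out.reg` output; HKLM entries are worth reviewing with the same logic, only with admin-owned paths expected.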

