Source |
RiskIQ |
Identifier |
8624236 |
Publication date |
2024-12-12 20:10:48 (viewed: 2024-12-12 21:11:24) |
Title |
Attack Exploiting Legitimate Service by APT-C-60 |
Text |
#### Targeted Geolocations
- Japan
## Snapshot
The JPCERT Coordination Center (JPCERT/CC) released a report detailing an attack by APT-C-60 against an organization in Japan during August 2024.
## Description
The attacker used a phishing email disguised as a job application to lure the victim into downloading malware via a Google Drive link. The malicious file, a VHDX virtual disk image, contained LNK files and decoy documents. Upon execution, the LNK file triggered a series of actions, including creating a downloader, SecureBootUEFI.dat, which was made persistent through COM hijacking.
SecureBootUEFI.dat communicated with legitimate services Bitbucket and StatCounter, using the latter to identify infected devices by encoding unique device information into StatCounter's referrer data. The downloader subsequently fetched additional payloads, Service.dat, which in turn retrieved and decoded further malware components, cn.dat and sp.dat, storing them in the system.
The backdoor used in the attack, dubbed SpyGlace by ESET, is a well-documented tool with advanced functionality, including encrypted communication and modular execution. The backdoor has been observed in attacks attributed to APT-C-60, notably in similar campaigns reported between August and September 2024 targeting East Asian countries.
## Microsoft Analysis and Additional OSINT Context
[APT-C-60](https://malpedia.caad.fkie.fraunhofer.de/actor/apt-c-60) is a South Korea-linked cyberespionage group that focuses its targeting on East Asian countries and has been active since at least December 2021. In August, [ESET researchers observed](https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/) the group exploiting a remote code execution (RCE) vulnerability in WPS Office for Windows ([CVE-2024-7262](https://security.microsoft.com/intel-explorer/cves/CVE-2024-7262/)) to deploy its custom backdoor, SpyGlace, against users in East Asia. Previously, [the group was observed](https://threatbook.io/blog/Military-Topics-in-Focus:-APT-C-60-Threat-Continues-to-be-Exposed) using military-themed lures in phishing campaigns to gain access to victim environments.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential h |
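The settings in the list above can be audited on a single Windows endpoint with the built-in Defender PowerShell module. The script below is an added example and is not part of the report or of Microsoft's own tooling: it reads `Get-MpPreference` and `Get-MpComputerStatus` (real cmdlets that ship with Windows) and reports which recommended controls are not enforced. The check table, the pass/fail logic and the output format are this example's own choices. Automated investigation level is a tenant-side Defender portal setting and is not visible through these cmdlets, so it is not checked; EDR in block mode is only surfaced in `AMRunningMode` when Defender Antivirus is running passively alongside another product.

```powershell
# Added example (not from the report): audit a Windows endpoint against the
# Defender settings recommended above. Requires an elevated PowerShell session
# on a host where the Defender module is present.
# Get-MpPreference / Get-MpComputerStatus are the real Defender cmdlets; the
# check table and output format below are this example's own choices.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Each check records the control name, the observed value and whether it
# satisfies the recommendation.
$checks = @(
    @{ Name  = 'Cloud-delivered protection (MAPS)'
       Value = $pref.MAPSReporting                 # 0 = Disabled, 1 = Basic, 2 = Advanced
       Ok    = ($pref.MAPSReporting -ge 1) },
    @{ Name  = 'Controlled folder access'
       Value = $pref.EnableControlledFolderAccess  # 0 = Disabled, 1 = Enabled, 2 = Audit
       Ok    = ($pref.EnableControlledFolderAccess -eq 1) },
    @{ Name  = 'Network protection'
       Value = $pref.EnableNetworkProtection       # 0 = Disabled, 1 = Enabled, 2 = Audit
       Ok    = ($pref.EnableNetworkProtection -eq 1) },
    @{ Name  = 'Tamper protection'
       Value = $status.IsTamperProtected
       Ok    = [bool]$status.IsTamperProtected },
    @{ Name  = 'Antivirus running mode'
       # 'Normal' = Defender AV is the active engine; 'EDR Block Mode' = Defender AV is
       # passive but EDR in block mode can still remediate; plain 'Passive Mode' leaves
       # the gap the recommendation warns about.
       Value = $status.AMRunningMode
       Ok    = ($status.AMRunningMode -in @('Normal', 'EDR Block Mode')) }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-36} observed: {2}' -f $state, $c.Name, $c.Value
}

$failed = @($checks | Where-Object { -not $_.Ok }).Count
'{0} of {1} recommended controls are not enforced on this host' -f $failed, $checks.Count
```

Run it as a one-off on a suspect host, or wrap the `$checks` table in a function and feed its output to whatever compliance collector is already in use; the numeric codes in the comments are the documented enum values for the respective `Get-MpPreference` properties.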
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Tool
Vulnerability
Threat
|
Stories |
APT C 60
|
Move |
|