APT-C-60 Targets HR with Weaponized Resumes

In August 2024, APT-C-60 ran a targeted phishing campaign against domestic (Japanese) organizations, sending emails disguised as job applications to HR departments.

Recipients who opened the lure had their systems compromised, giving the attackers unauthorized access to internal systems and data.

Initial compromise flow

The attack begins with a targeted phishing email containing a Google Drive link to a malicious VHDX (virtual hard disk) file. When the victim mounts it, the VHDX exposes an LNK shortcut and a decoy document.

The LNK file, disguised as a “Self-Introduction” document, abuses the legitimate git.exe to run the IPML.txt script, which in turn opens the decoy document and drops the persistent downloader SecureBootUEFI.dat.

Persistence is achieved through COM hijacking: the downloader is registered as the server for an existing COM object, so it is loaded every time the system starts and that object is instantiated.

Figure: Contents of IPML.txt

The SecureBootUEFI.dat downloader first contacts StatCounter, a legitimate web-analytics service, with a unique device identifier encoded in the HTTP Referer; the attackers read that identifier from StatCounter's access statistics to learn which devices are infected. It then fetches the next-stage payload from Bitbucket, using the same identifier in the request.
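The StatCounter-then-Bitbucket sequence above can be hunted in web proxy logs. The following Python is an added example, not code from JPCERT or Cyber Press: it correlates a request to statcounter.com whose Referer carries a long opaque token with a later fetch from bitbucket.org by the same client that includes the same token in its URL path. The log format, the sample lines, the 16-character token threshold and the 10-minute window are constructed assumptions for the demo; only the two service names come from the article.

```python
"""
Heuristic detection for the StatCounter beacon followed by a Bitbucket fetch.

Added example, not JPCERT's or Cyber Press's code. The log layout, the sample
lines, the token-shape regex and the correlation window are assumptions made
for this demo; nothing here is an indicator taken from the report.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
# "<ISO-8601 time> <client IP> <method> <URL> <Referer or -> <User-Agent>"
SAMPLE_LOG = """\
2024-08-05T09:00:01Z 10.0.0.5 GET https://c.statcounter.com/t.php?sc_project=1 https://blog.example.net/posts/42 Mozilla/5.0
2024-08-05T09:01:10Z 10.0.0.7 GET https://c.statcounter.com/t.php?sc_project=2 https://lure.example.invalid/QzAxLUhPU1RfQzpcVXNlcnNcYWxpY2VfYWxpY2U Mozilla/5.0
2024-08-05T09:01:15Z 10.0.0.7 GET https://bitbucket.org/acct/repo/raw/main/QzAxLUhPU1RfQzpcVXNlcnNcYWxpY2VfYWxpY2U - Mozilla/5.0
2024-08-05T09:02:00Z 10.0.0.9 GET https://bitbucket.org/acct/repo/raw/main/README.md - Mozilla/5.0
2024-08-05T09:05:00Z 10.0.0.11 GET https://c.statcounter.com/t.php?sc_project=2 https://lure.example.invalid/ZmFrZS1ob3N0LW90aGVyLXVzZXItbG9uZw Mozilla/5.0
2024-08-05T11:05:00Z 10.0.0.11 GET https://bitbucket.org/acct/repo/raw/main/ZmFrZS1ob3N0LW90aGVyLXVzZXItbG9uZw - Mozilla/5.0
"""

# Assumed shape of the device identifier: a long opaque segment with no file
# extension (base64url-like). Real page slugs such as "posts/42" do not match.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def parse_line(line):
    """Split one constructed log line into a record; the UA may contain spaces."""
    ts, client, method, url, referer, ua = line.split(maxsplit=5)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
        "ua": ua,
    }


def opaque_segments(url):
    """Return the URL path segments that look like opaque identifiers."""
    return [seg for seg in urlparse(url).path.split("/") if TOKEN_RE.match(seg)]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_statcounter(host):
    return host == "statcounter.com" or host.endswith(".statcounter.com")


def detect(lines, window=timedelta(minutes=10)):
    """Alert when a client beacons a token to StatCounter via Referer and then,
    within `window`, fetches a bitbucket.org URL containing that same token."""
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["time"])
    beacons = {}  # (client, token) -> time of the StatCounter request
    alerts = []
    for rec in records:
        host = _host(rec["url"])
        if _is_statcounter(host) and rec["referer"]:
            for tok in opaque_segments(rec["referer"]):
                beacons[(rec["client"], tok)] = rec["time"]
        elif host == "bitbucket.org":
            for tok in opaque_segments(rec["url"]):
                seen = beacons.get((rec["client"], tok))
                if seen is not None and timedelta(0) <= rec["time"] - seen <= window:
                    alerts.append({
                        "client": rec["client"],
                        "token": tok,
                        "beacon_time": seen,
                        "fetch_time": rec["time"],
                        "url": rec["url"],
                    })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['client']} beaconed {a['token']} at {a['beacon_time']:%H:%M:%S}, "
              f"then fetched {a['url']} at {a['fetch_time']:%H:%M:%S}")
```

On the sample, only 10.0.0.7 fires: 10.0.0.5 is ordinary browsing with a real page as Referer, 10.0.0.9 pulls a README with no token, and 10.0.0.11 fetches its token two hours after the beacon, outside the window. The Referer check alone would false-positive on sites whose URLs carry opaque slugs; the correlation with a same-client Bitbucket fetch of the same token is what makes the rule specific, and the token's actual encoding is irrelevant because the heuristic depends only on its shape.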

The downloaded payload, Service.dat, is decoded and executed. Service.dat in turn downloads two further components, cn.dat and sp.dat, Base64-decodes them, and persists them through COM hijacking as well.

cn.dat ultimately launches sp.dat, from which the follow-on malicious activity proceeds.

Figure: SecureBootUEFI.dat communication flow

JPCERT's analysis identifies the backdoor as SpyGrace v3.1.6: its configuration carries version information, and its command types and RC4 and AES keys are the same as those of SpyGrace v3.0 reported by ThreatBook CTI.

During initialization, SpyGrace reads its configuration, creates a mutex named 905QD4656:H to prevent multiple instances, checks network connectivity by contacting api.ipfy.org, and executes any files with the extensions .exe, .dat, .db, or .ext found in %appdata%\Microsoft\Vault\UserProfileRoaming. The mutex name and that directory are usable host-level indicators.
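COM hijacking, used above to persist SecureBootUEFI.dat and later cn.dat and sp.dat, leaves a per-user registry footprint that can be triaged offline. The Python below is an added example, not code from JPCERT or Cyber Press: it parses a text export of HKCU\Software\Classes\CLSID and flags InprocServer32 entries whose server path is user-writable, carries a non-DLL extension such as .dat, or sits in the %appdata%\Microsoft\Vault\UserProfileRoaming directory named in this article. The .reg sample, its CLSIDs and its paths are constructed placeholders, not indicators from the report.

```python
"""
COM-hijack triage over an exported slice of HKCU\Software\Classes\CLSID.

Added example, not JPCERT's or Cyber Press's code. The .reg text below is a
constructed sample with placeholder CLSIDs and paths; `reg export` writes
UTF-16LE, so decode to str before calling these functions.
"""
import os
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Vault\\UserProfileRoaming\\cn.dat"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
@="Example Vendor Helper"
"""

INPROC_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
    r"(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})\\InprocServer32$",
    re.IGNORECASE,
)
# Locations a standard user can write to; a COM server loaded from here is attacker-controllable.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "%appdata%", "%localappdata%",
                         "%userprofile%", "%temp%", "\\programdata\\", "\\windows\\temp\\")
# Directory the report says SpyGrace scans for .exe/.dat/.db/.ext files to execute.
SPYGRACE_DIR = "\\microsoft\\vault\\userprofileroaming\\"


def parse_reg_export(text):
    """Parse the subset of .reg syntax that reg.exe emits for REG_SZ values.

    Returns {key_path: {value_name: data}}. Quoted strings are unescaped;
    hex(...) data (REG_EXPAND_SZ, REG_BINARY) is kept as its raw text.
    Multi-line hex continuations are not handled in this demo.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def triage_com_registrations(reg_text):
    """Return every per-user InprocServer32 registration with the reasons it looks hijacked."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        m = INPROC_RE.match(key)
        if not m:
            continue
        server = values.get("@", "")
        low = server.lower()
        reasons = []
        if low.startswith("hex"):
            reasons.append("default value is not a plain string (REG_EXPAND_SZ/binary); decode and inspect")
        if any(mark in low for mark in USER_WRITABLE_MARKERS):
            reasons.append("server lives in a user-writable location")
        ext = os.path.splitext(low.rsplit("\\", 1)[-1])[1]
        if ext and ext not in (".dll", ".ocx"):
            reasons.append(f"server has a non-DLL extension ({ext})")
        if SPYGRACE_DIR in low:
            reasons.append("path is the directory SpyGrace uses for staged components")
        findings.append({
            "clsid": m.group(1).lower(),
            "server": server,
            "reasons": reasons,
            "suspicious": bool(reasons),
        })
    return findings


if __name__ == "__main__":
    for f in triage_com_registrations(SAMPLE_REG):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['clsid']} -> {f['server']}")
        for r in f["reasons"]:
            print(f"             - {r}")
```

Every InprocServer32 under HKCU is worth a look even without a reason attached: for non-elevated processes, HKCU\Software\Classes shadows the machine-wide registration of the same CLSID, which is why this persistence needs no administrator rights; compare each hit against the HKLM entry for that CLSID before calling it malicious, since per-user software legitimately registers there too.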

Notably, part of the malware's initialization runs before DllMain is ever called: it is placed in the C runtime's initializer table, which the CRT's initterm (_initterm) routine walks during DLL startup. Analysis that starts at DllMain or the exported functions will miss that code.

Similar malware has been seen in recent campaigns against East Asian targets, including Japan and South Korea, that likewise abuse legitimate services such as Bitbucket and StatCounter.

Those campaigns also rely on COM hijacking for persistence, and decoy documents recovered from the VHDX file’s trash (recycle bin) folder further link them to this one, suggesting a broader targeting scope than the HR-themed lures alone.

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
