Operation DevilTiger: APT Hackers’ 0-Day Exploitation Tactics Revealed

APT-Q-12 sends periodic probe emails with varying body content to collect User-Agent information and determine the victim's email brand and platform. The probes mimic legitimate content to evade detection while quietly gathering the data needed for tailored zero-day exploitation.

The group also distinguished WPS from Microsoft Word by embedding a web control in MHTML files. When the file was opened in WPS, the web control issued a request to a C2 probe; in Microsoft Word the web control is disabled, so no request was made.

To evade sandbox detection the attackers use a multi-layered decoy document: the C2 probe link is requested only after user interaction. The resulting Word-versus-WPS differentiation is shared among APT groups to inform future 0-day attacks, underscoring the need for robust defenses against targeted attacks.

The email uses a multi-faceted attack vector, combining an XSS vulnerability with exploitation of an internal interface. Once the user is tricked into opening the email, the attacker's malicious JavaScript executes.

That script fetches a hidden image resource that is in fact a Base64-encoded LNK file; the file is downloaded and executed, ultimately launching a rundll32 process to run a malicious function intended to gain unauthorized access to the user's system.
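As an added illustration for defenders (not code from the original article or from the QiAnXin report), the following script decodes every inline base64 image in an email body and flags any whose bytes begin with the Windows ShellLink header, which is how an "image" that is really an LNK file can be caught before it is opened. The sample HTML, the `classify_inline_images` name and the data-URI-only scope are constructed assumptions.

```python
import base64
import re
from typing import Optional

# ShellLink header: HeaderSize 0x4C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Matches <img src="data:<mime>;base64,<payload">; whitespace inside the payload is tolerated.
DATA_URI_RE = re.compile(
    r'src\s*=\s*["\']data:(?P<mime>[\w/+.-]+);base64,(?P<b64>[A-Za-z0-9+/=\s]+)["\']',
    re.IGNORECASE,
)


def decode_b64(blob: str) -> Optional[bytes]:
    """Strictly decode a base64 blob, returning None instead of raising on garbage."""
    try:
        return base64.b64decode("".join(blob.split()), validate=True)
    except ValueError:
        return None


def classify_inline_images(html: str) -> list:
    """Return one verdict per inline data-URI image found in the HTML body."""
    results = []
    for m in DATA_URI_RE.finditer(html):
        raw = decode_b64(m.group("b64"))
        if raw is None:
            verdict = "undecodable"
        elif raw.startswith(LNK_MAGIC):
            verdict = "lnk-disguised-as-image"  # declared mime lies: this is a shortcut file
        elif raw.startswith((PNG_MAGIC, b"GIF8", b"\xff\xd8\xff")):
            verdict = "ok"  # PNG, GIF or JPEG magic matches a real image
        else:
            verdict = "unknown-format"
        results.append({"declared_mime": m.group("mime"),
                        "size": 0 if raw is None else len(raw),
                        "verdict": verdict})
    return results


# Constructed sample: one genuine PNG stub and one hidden "GIF" that is really an LNK header.
SAMPLE_EMAIL_HTML = (
    "<html><body><p>Quarterly update</p>"
    '<img src="data:image/png;base64,' + base64.b64encode(PNG_MAGIC + b"\x00" * 16).decode() + '">'
    '<img src="data:image/gif;base64,' + base64.b64encode(LNK_MAGIC + b"\x00" * 60).decode()
    + '" style="display:none"></body></html>'
)

if __name__ == "__main__":
    for finding in classify_inline_images(SAMPLE_EMAIL_HTML):
        print(finding)
```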

The attack leverages an XSS vulnerability on a compromised website to deliver a Trojan disguised as a MUI file, then downloads a second-stage payload and injects it into a legitimate system file (MMDevAPI.mui) for persistence and remote control.

APT-Q-12 runs a multi-stage attack using keyloggers, browser steganography, tunneling tools and screenshot plugins. The group distributes these plugins via PowerShell, encrypts the stolen data and exfiltrates it through reverse tunnels; its primary targets are intelligence on semiconductor competition and political propaganda in Northeast Asia.

The 0-day vulnerability in an Android mail client, exploited by APT-Q-14, allowed attackers to remotely execute malicious code on affected devices. The attack involved sending a specially crafted email with an attached APK that exploited the mail client flaw to execute code.

That code then connected to a command and control server, downloaded additional payloads and stole sensitive data from the device; the attackers specifically targeted information related to trade between China and North Korea.

The QiAnXin Threat Intelligence Center provides the threat intelligence data used to detect the associated Indicators of Compromise (IOCs), including MD5 hashes, URLs and C2 server addresses.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
