Full Report
The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack,
Analysis Summary
# Main Topic
Cyber espionage campaign attributed to threat actor APT-C-60 targeting an unnamed Japanese organization around August 2024, utilizing job application-themed lures to deliver the SpyGlace backdoor through abuse of legitimate cloud and collaboration services.
## Key Points
- The intrusion was identified by JPCERT/CC.
- The attack utilized a job application-themed spear-phishing email sent to a recruiting contact, purporting to be from a prospective employee.
- A notable TTP is the abuse of legitimate services in place of attacker-owned infrastructure: Google Drive for delivery, StatCounter for beaconing and Bitbucket for payload staging. This is sometimes called "living off trusted sites"; it is distinct from "living off the land", which refers to abusing built-in system binaries rather than third-party web services.
- The campaign appears to be linked to previous APT-C-60 activity that exploited a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262).
- The initial infection involved delivering a Virtual Hard Disk (.VHDX) file via Google Drive.
## Threat Actors
- **APT-C-60:** A cyber espionage group known to be aligned with South Korea and focused on targeting East Asian countries.
## TTPs
- **Initial Access/Delivery:** Phishing email containing a link to a malicious file hosted on Google Drive.
- **Execution Chain:**
1. The victim downloads and mounts a `.VHDX` virtual disk image containing a decoy document and a Windows shortcut file (`Self-Introduction.lnk`).
2. The LNK file starts the infection chain while opening the decoy document, so the victim sees the content they expected.
3. A downloader/dropper named `SecureBootUEFI.dat` is executed.
4. **C2/Beaconing:** The dropper beacons to **StatCounter** with a unique victim identifier (encoded from the computer name, user name and home directory) placed in the HTTP `Referer` header. Because StatCounter records the referring URL of each visit in its analytics dashboard, the actor can read every victim's identifier from the service itself without operating a listener.
5. **Payload Retrieval:** The dropper then fetches the next stage (`Service.dat`) from **Bitbucket**, using the unique string to locate the victim-specific payload.
6. `Service.dat` subsequently retrieves two more files (`cbmp.txt` and `icon.txt`, saved as `cn.dat` and `sp.dat`) from a different Bitbucket repository.
7. **Persistence:** `Service.dat` establishes persistence for `cn.dat` on the compromised host.
- **Malware:** Delivery of the **SpyGlace** backdoor.
## Affected Systems
- An unnamed organization in **Japan**.
- **Software Context (Related Vulnerability):** In this intrusion initial access came from the VHDX/LNK lure, not from an exploit. The actor has, however, exploited WPS Office for Windows (CVE-2024-7262) in related campaigns, which is relevant for attribution and for organizations that run WPS Office.
## Mitigations
- Treat emails that link to cloud storage (Google Drive) and ask the recipient to download and mount a virtual disk image (`.VHDX`) as high risk; where there is no business need, block `.VHD`/`.VHDX` downloads at the mail gateway or proxy, since files inside a mounted image typically do not carry the Mark of the Web that triggers SmartScreen and similar warnings.
- Monitor and alert on **LNK files** executed from newly mounted virtual disks (for example a new drive letter appearing shortly before a shortcut launches), not only on LNK files extracted from archives or documents.
- Inspect egress traffic to legitimate analytics services such as StatCounter for **HTTP Referer** values that are not well-formed URLs or that carry long encoded strings. A Referer is normally the URL of the page that embedded the counter, so anything else is a strong indicator of covert beaconing.
- Alert on raw-file downloads from public code-hosting services such as Bitbucket on hosts with no development role, and restrict such downloads where possible; every post-initial-access payload in this intrusion was staged there.
- Keep WPS Office for Windows patched against CVE-2024-7262 where it is deployed; this intrusion did not rely on it, but the actor has used it before.
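The two network-side checks above (an implausible Referer sent to an analytics service, followed by a raw payload fetch from a code-hosting site) can be turned into a simple detection. The following Python sketch is an added example, not code from JPCERT/CC or from the page; it runs over constructed proxy log lines in an assumed space-separated format (timestamp, source IP, method, URL, status, quoted user agent, quoted Referer). The hostnames, paths, IP addresses and the encoded Referer value are all made up for illustration, and the `/raw/` path convention and `.dat`/`.txt` extensions are heuristics drawn from the chain described above, not a signature.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry). One line per request:
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>" "<referer>"
# Line 2 carries an opaque encoded string in the Referer instead of a page URL,
# standing in for the victim identifier; line 3 is the follow-up stager fetch.
SAMPLE_LOG = """\
2024-08-12T09:14:03Z 10.0.0.21 GET https://c.statcounter.com/12345678/0/abcdef12/1/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0" "https://intranet.example.jp/news/"
2024-08-12T09:14:31Z 10.0.0.35 GET https://c.statcounter.com/12345678/0/abcdef12/1/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "VKVTRVItUEMtMDFcdGFyb1xDOlxVc2Vyc1x0YXJv"
2024-08-12T09:14:40Z 10.0.0.35 GET https://bitbucket.org/example-ws/example-repo/raw/main/Service.dat 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "-"
2024-08-12T09:20:11Z 10.0.0.42 GET https://bitbucket.org/example-ws/example-repo/src/main/README.md 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0" "https://bitbucket.org/example-ws/example-repo/"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')
BROWSER_TOKENS = ("Chrome/", "Firefox/", "Safari/", "Edg/", "Trident/")
STAGER_EXTS = (".dat", ".txt")  # heuristic: extensions used by the staged payloads


def host_in(host, domain):
    """True when host is domain itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, ua, ref = m.groups()
    parsed = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "method": method, "url": url, "status": int(status),
        "ua": ua, "referer": ref,
        "host": (parsed.hostname or "").lower(), "path": parsed.path,
    }


def is_plausible_referer(ref):
    """A genuine Referer is an absolute http(s) URL with a dotted host; '-' means absent."""
    if ref in ("-", ""):
        return True
    p = urlparse(ref)
    return p.scheme in ("http", "https") and "." in (p.hostname or "")


def looks_like_browser(ua):
    return any(tok in ua for tok in BROWSER_TOKENS)


def detect(log_text, window=timedelta(minutes=10)):
    """Return findings for analytics-Referer beacons, raw stager fetches, and
    the two correlated on the same source host within `window`."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if host_in(ev["host"], "statcounter.com") and not is_plausible_referer(ev["referer"]):
            findings.append({"rule": "analytics_referer_beacon", "src": ev["src"],
                             "ts": ev["ts"], "referer": ev["referer"]})
        if (host_in(ev["host"], "bitbucket.org") and "/raw/" in ev["path"]
                and ev["path"].lower().endswith(STAGER_EXTS)):
            findings.append({"rule": "repo_raw_stager_fetch", "src": ev["src"],
                             "ts": ev["ts"], "url": ev["url"],
                             "browser_ua": looks_like_browser(ev["ua"])})
    # Correlation: a beacon followed by a stager fetch from the same host mirrors steps 4-5.
    beacons = [f for f in findings if f["rule"] == "analytics_referer_beacon"]
    fetches = [f for f in findings if f["rule"] == "repo_raw_stager_fetch"]
    for b in beacons:
        for f in fetches:
            delta = f["ts"] - b["ts"]
            if f["src"] == b["src"] and timedelta(0) <= delta <= window:
                findings.append({"rule": "beacon_then_fetch_chain", "src": b["src"],
                                 "ts": f["ts"], "delta_s": delta.total_seconds()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Only the host at 10.0.0.35 produces findings: the legitimate counter hit on line 1 carries a normal page URL as Referer, and the browse of a repository page on line 4 is not a raw file fetch. The correlation rule is the one worth tuning in practice, since a single raw download from a code-hosting site is common on developer machines but rare immediately after an odd analytics beacon from the same host.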
## Conclusion
This incident highlights APT-C-60's reliance on social engineering (job application lure) paired with sophisticated misuse of legitimate platforms (Google Drive, Bitbucket, StatCounter) to deploy their custom SpyGlace backdoor. Organizations, particularly those in East Asia, should prioritize security controls around atypical file types delivered via email (VHDX, LNK) and establish better visibility into potential C2 communications obscured within legitimate web service traffic headers.