APT-C-60 targets Japan with phishing emails, using job application ruse and malware via Google Drive
Analysis Summary
# Threat Actor: APT-C-60
## Attribution & Identity
* **Attribution:** Suspected to be orchestrated by the threat group APT-C-60.
* **Aliases:** No other aliases are given in the source; the final payload was identified by ESET researchers as SpyGrace (version 3.1.6).
## Activity Summary
* **Historical Activities:** Evidence links this campaign to other observed campaigns in East Asia during August and September 2024.
* **Recent Campaigns (first identified in August 2024):** A cyber-attack targeting Japanese, South Korean, and Chinese organizations. It began with spear-phishing emails disguised as job applications and aimed at recruitment departments.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Phishing emails delivering malicious links hosted on legitimate platforms (Google Drive).
* **Execution:** The link delivered a VHDX file (a virtual hard disk image that Windows mounts as a drive). It contained a malicious shortcut, `Self-Introduction.lnk`, which launched the payload through a legitimate executable (`git.exe`).
* **Malware Staging:** This stage produced a downloader named `SecureBootUEFI.dat`.
* **C2/Exfiltration:** Communication via legitimate services:
  * StatCounter (used to identify infected devices through unique encoded data such as computer names).
  * Bitbucket (used to retrieve and execute additional payloads).
* **Persistence:** Achieved persistence via a **COM hijacking technique**.
* **Obfuscation:** Used encoded data strings in URLs and XOR keys to obfuscate communication and payload operations.
* **Payload Execution:** The final backdoor payload (SpyGrace v3.1.6) uses `initterm` functions, the C runtime's initializer mechanism, to run its malicious operations before the main program starts.
* **MITRE ATT&CK IDs:** Not explicitly provided in the source text, but the described techniques map to Initial Access (Phishing), Execution via a trusted binary (`git.exe`), Defense Evasion (abusing legitimate services), and Persistence (COM hijacking).
## Targeting
* **Sectors:** Not explicitly named beyond the generalized targeting of organizations via recruitment channels.
* **Geography:** Japan, South Korea, and China.
* **Victims:** Recruitment departments within targeted organizations.
## Tools & Infrastructure
* **Malware Families used:** SpyGrace (Backdoor, version 3.1.6).
* **Infrastructure (C2, domains, IPs):**
  * Delivery/Hosting: Google Drive
  * C2/Retrieval: StatCounter, Bitbucket
* Files utilized: VHDX file, `Self-Introduction.lnk`, `git.exe` (legitimate executable abused), `SecureBootUEFI.dat` (downloader).
## Implications
The actor demonstrates a sophisticated shift toward abusing trusted, legitimate services (Google Drive, StatCounter, Bitbucket) for delivery and C2 communication, increasing the difficulty for traditional security controls to flag the traffic. The use of VHDX container files and COM hijacking indicates a determined adversary capable of advanced persistence techniques.
## Mitigations
* Monitor and scrutinize recruitment channels for suspicious communications.
* Scrutinize unsolicited links, especially those leading immediately to file downloads from cloud storage services.
* Deploy detection capable of monitoring behaviors such as LNK file execution that leverages legitimate binaries (`git.exe`).
* Implement controls against known persistence techniques, and specifically monitor for COM hijacking, since it was used in this campaign.