In August 2024, a sophisticated cyber attack targeted a Japanese organization, leveraging legitimate services to deliver and control malware. The attack, attributed to the advanced persistent threat group APT-C-60, highlights the evolving tactics of cybercriminals who exploit trusted platforms to evade detection. This article provides an in-depth analysis of the attack, its methods, and offers practical advice for cybersecurity professionals to mitigate such threats.

The Anatomy of the APT-C-60 Attack

Initial Penetration

The attack began with a targeted phishing email disguised as a job application. The email directed the recipient to download a file from a Google Drive link. This file, in VHDX format, contained malicious LNK files and decoy documents. When the LNK file, named Self-Introduction.lnk, was executed, it leveraged the legitimate git.exe to run a malicious script

Malware Deployment

The script created a downloader named SecureBootUEFI.dat, which was made persistent through COM hijacking. This technique involved registering the path to SecureBootUEFI.dat in the system’s COM interface, ensuring the malware remained active even after system reboots

Communication and Control

SecureBootUEFI.dat accessed StatCounter to gather information about the infected device. It then uploaded its downloader to Bitbucket, where subsequent payloads were hosted. The use of legitimate platforms like StatCounter and Bitbucket not only masked the attack’s intent but also complicated detection efforts

Payload Execution

The malware downloaded additional payloads from Bitbucket, which were encoded and stored on the infected system. These payloads included a backdoor component identified as SpyGrace v3.1.6. This backdoor exhibited advanced capabilities, such as network connectivity checks, execution of files in sensitive directories, and secure communication with command-and-control (C2) servers using encryption keys

Detailed Analysis of the Malware: Downloader Behavior

SecureBootUEFI.dat accessed legitimate services like Bitbucket and StatCounter to manage its operations. The initial communication with StatCounter allowed the attacker to verify the infected device. The downloader then accessed Bitbucket to retrieve and execute additional payloads, ensuring persistence through COM hijacking

Backdoor Capabilities

The SpyGrace backdoor used in this attack was configured to perform various malicious activities, including:

• Checking network connectivity.
• Executing files in specific directories.
• Using RC4 and AES encryption for secure communication with C2 servers12.

Campaigns and Targets

From August to September 2024, similar attacks were reported in East Asian countries, including Japan, South Korea, and China. These campaigns shared common features, such as the abuse of legitimate services and malware persistence through COM hijacking

10 Tips to Avoid Future Threats

1. Email Filtering: Implement advanced email filtering to detect and block phishing emails.
2. User Training: Regularly train employees to recognize and report phishing attempts.
3. Network Segmentation: Isolate critical systems from general network traffic to limit the spread of malware.
4. Endpoint Protection: Deploy endpoint protection solutions to detect and block malicious activities.
5. Regular Updates: Ensure all software and systems are up-to-date with the latest security patches.
6. Access Controls: Implement strict access controls to limit user permissions and reduce the risk of unauthorized access.
7. Intrusion Detection Systems (IDS): Use IDS to monitor network traffic for suspicious activities.
8. Data Encryption: Encrypt sensitive data to protect it from unauthorized access.
9. Incident Response Plan: Develop and regularly update an incident response plan to quickly address and mitigate the impact of an attack.
10. Regular Backups: Maintain regular backups of critical data and systems to ensure quick recovery in case of an attack.

Conclusion

The APT-C-60 attack underscores the need for vigilance and robust cybersecurity measures. By exploiting legitimate services, cybercriminals can evade detection and cause significant damage. Understanding the tactics used in such attacks and implementing comprehensive security strategies are essential steps in protecting against these evolving threats.

Want to stay on top of cybersecurity news? Follow us on Facebook, X (Twitter), Instagram, and LinkedIn for the latest threats, insights, and updates!