Hacking

APT-C-60 Targets Japan with SpyGlace Backdoor via Job Application Phishing

Cedric Nelson Published  ·  2 min read

A South Korea-aligned threat actor, APT-C-60, has been linked to a cyber espionage attack targeting an unnamed organization in Japan. The attackers used a job application-themed phishing email to deliver the SpyGlace backdoor, exploiting legitimate services like Google Drive, Bitbucket, and StatCounter.

The attack, which occurred in August 2024, is part of a broader trend of cyberattacks leveraging innovative methods to evade detection, as reported by JPCERT/CC.

Attack Chain Details

The attack began with a phishing email masquerading as a job applicant. It contained a link to a file hosted on Google Drive, which led to the download of a VHDX file. Once mounted, the file included:

  1. A decoy document.
  2. A malicious Windows shortcut (Self-Introduction.lnk).

The LNK file triggered a series of steps in the infection chain, displaying the decoy document as a distraction while deploying a downloader payload named SecureBootUEFI.dat.

Techniques and Tools Used

  1. StatCounter: Used to transmit a unique victim identifier derived from device attributes like computer name, user name, and home directory.
  2. Bitbucket: Accessed with the encoded string to download additional payloads, including:
    1. Service.dat: Acts as a downloader and persistence mechanism via COM hijacking.
    2. Artifacts like cbmp.txt and icon.txt, renamed as cn.dat and sp.dat.
  3. SpyGlace Backdoor:
    1. Initiates communication with a command-and-control (C2) server (103.187.26[.]176).
    2. Capabilities include stealing files, executing commands, and loading plugins.
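The chain above leaves a recognisable sequence in outbound proxy logs: a VHDX download from Google Drive, a StatCounter beacon, a Bitbucket fetch of a .dat payload, then contact with the C2 address quoted above. The following is an added detection example, not code from the article or from JPCERT/CC; the log format (timestamp, host, method, URL) and the sample lines are constructed, and the stage order is credited per host so that an ordinary StatCounter analytics hit on its own does not fire.

```python
import re
from collections import defaultdict

# Ordered stages of the delivery chain described in the article; the C2 address is the one
# the article quotes, the URL shapes are assumptions for the sake of the example.
STAGES = [
    ("vhdx_download", re.compile(r"drive\.google\.com/\S*\.vhdx\b", re.I)),
    ("statcounter_beacon", re.compile(r"statcounter\.com/", re.I)),
    ("bitbucket_payload", re.compile(r"bitbucket\.org/\S*\.dat\b", re.I)),
    ("c2_contact", re.compile(r"\b103\.187\.26\.176\b")),
]

# Constructed proxy log format: "<timestamp> <host> <method> <url>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")

# Constructed sample lines. WS01 walks the whole chain; WS02 only loads StatCounter.
SAMPLE_LOG = """\
2024-08-20T09:01:12Z WS01 GET https://drive.google.com/uc?export=download&id=EXAMPLE/Self-Introduction.vhdx
2024-08-20T09:03:40Z WS02 GET https://c.statcounter.com/counter/counter.js
2024-08-20T09:04:05Z WS01 GET https://c.statcounter.com/t.php?sc_project=EXAMPLE&u=ENCODED-VICTIM-ID
2024-08-20T09:04:30Z WS01 GET https://bitbucket.org/EXAMPLE/raw/Service.dat
2024-08-20T09:05:02Z WS01 POST http://103.187.26.176/EXAMPLE
""".splitlines()


def match_stages(lines):
    """Return {host: [stage names seen, in chain order]}.

    A stage is credited only after the previous stage was seen for the same host,
    so an isolated StatCounter request (normal web analytics) never counts.
    """
    progress = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        _, host, _, url = m.groups()
        nxt = len(progress[host])
        if nxt < len(STAGES) and STAGES[nxt][1].search(url):
            progress[host].append(STAGES[nxt][0])
    return dict(progress)


def flag_hosts(lines, min_stages=3):
    """Hosts that completed at least min_stages consecutive stages of the chain."""
    return sorted(h for h, s in match_stages(lines).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in match_stages(SAMPLE_LOG).items():
        print(host, "->", stages)
    print("flagged:", flag_hosts(SAMPLE_LOG))
```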

Broader Connections

The attack exploited a remote code execution (RCE) vulnerability in WPS Office for Windows (CVE-2024-7262). The campaign aligns with previous observations of APT-C-60 activity and hints at links with other sub-groups like APT-Q-12 (Pseudo Hunter) within the DarkHotel cluster.

Positive Technologies noted that attackers from Asia are increasingly using virtual disks (VHD/VHDX) to bypass protective mechanisms, a non-standard yet effective delivery method.

Mitigation Recommendations

To defend against attacks like these:

  1. Educate employees about phishing risks, especially recruitment-related scams.
  2. Use endpoint security solutions capable of detecting malicious shortcut files.
  3. Regularly update software and patch known vulnerabilities, such as CVE-2024-7262.
  4. Monitor for unauthorized access to services like Google Drive and Bitbucket.

This attack highlights the sophistication and persistence of regional threat groups like APT-C-60, leveraging legitimate services and advanced techniques to bypass defenses. Organizations should prioritize comprehensive cybersecurity measures to stay resilient against evolving threats.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067