Sunday, January 26, 2025
HomeCyber AttackNew APT Actor240524 Weaponizing Official Documents To Deliver Malware

New APT Actor240524 Weaponizing Official Documents To Deliver Malware

Published on

SIEM as a Service

Follow Us on Google News

A new APT group, dubbed Actor240524, launched a spear-phishing campaign targeting Azerbaijani and Israeli diplomats on July 1, 2024, where the attackers employed a malicious Word document containing Azerbaijani-language content disguised as official documentation to lure victims. 

The attack indicates a potential focus on disrupting the Azerbaijan-Israel relationship, as the group leverages new Trojan programs, ABCloader and ABCsync, to steal sensitive data and remains undetected through various countermeasures. 

Decoy Document Used by Actor 240524

An attack commences with a phishing document that, upon user interaction, executes embedded VBA code to decrypt and store a malicious payload as a seemingly benign .log file. 

It acts as a loader, performs environment checks, evades analysis, and decrypts additional payloads, including a DLL. Subsequently, it loads the DLL, establishing a connection to a C2 server for remote command execution and control. 

Exiting the Process After Detecting Analysis Behavior

The ABCloader and ABCsync Trojans employ robust anti-analysis measures. Critical components, including strings and API calls, are encrypted to hinder static and sandbox analysis. 

Additionally, the Trojans actively check the process environment for debugging indicators, such as the BeingDebugged flag and NtGlobalFlag, as well as leveraging NtQueryInformationProcess to identify debugging states, thus thwarting dynamic analysis attempts. 

The techniques aim to identify debugging environments by analyzing system characteristics and process attributes.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Hardware breakpoint detection, screen resolution analysis, process count enumeration, and permission verification collectively assess the execution context for anomalies indicative of virtualized or sandboxed environments. 

Enumerating All Monitors in the System

The attack payloads “ABCloader” and “ABCsync” employ anti-debugging measures, encrypted communication, and registry manipulation to establish persistence and remote control, suggesting an advanced, under-development threat actor. 

While the Trojan, ABCsync, uses UDP for encrypted communication with a C2 server, employing AES-256 CBC for data protection. 

It executes remote shells, manipulates files, and exfiltrates data through pipe communication, receiving command-based instructions from the C2, which exhibits characteristics of a work-in-progress with detailed, sequential commands suggesting a complex control end. 

According to NSFOCUS Security Labs, by leveraging system information, it establishes pipes for shell execution, reads and writes files, and includes error handling and system version detection mechanisms.

System Registry Operations

A malicious actor employs a multi-stage attack. synchronize.exe, a loader similar to ABCloader, removes its own encryption for persistence. vcruntime190.dll and vcruntime220.dll hijack legitimate system components, LanguageComponentsInstaller.dll and Windows.UI.FileExplorer.dll, respectively, to execute synchronize.exe, ensuring its continued presence. 

The decoy document, iden.doc, with hash 1ee73b17111ab0ffb2f62690310f4ada, likely serves as an initial infection vector, while the C2 server, 185.23.253.143:36731, is the command-and-control endpoint for further malicious operations. 

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...

HellCat and Morpheus Ransomware Share Identical Payloads for Attacks

The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of...