Cyber Security News

APT-C-60 Hackers Penetrate Org’s Network Using a Weaponized Google Drive Link

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber attack against organizations in Japan, believed to have been conducted by the cyber espionage group APT-C-60.

The attackers used a phishing lure, posing as a job applicant, to get a foothold on the victim’s system and deploy a multi-stage malware chain.

Details of the Attack: Initial Penetration via Phishing

The attack began with a targeted phishing email sent to the recruitment contact point of the targeted organization.

The email contained a Google Drive link that, when accessed, led to the download of a malicious VHDX file (a virtual hard disk image that Windows can mount directly from Explorer).

(Figure: flow of the initial penetration)

Mounting the VHDX file exposed several components, including decoy documents and an LNK file titled “Self-Introduction.lnk.”

This shortcut file abused the legitimate executable git.exe to run a script (IPML.txt), so the process tree starts with a signed, trusted binary rather than an obvious script host.

The IPML.txt script performed multiple actions, such as:

  • Opening a decoy document to avoid raising suspicion.
  • Dropping a downloader file named SecureBootUEFI.dat.
  • Establishing persistence through COM hijacking, registering the downloader as the handler for the COM class ID F82B4EF1-93A9-4DDE-8015-F7950A1A6E31 so that it is loaded whenever that class is instantiated.

This downloader then communicated only with the legitimate cloud services Bitbucket and StatCounter, a deliberate choice: traffic to well-known platforms blends in with normal browsing and is rarely blocked at the perimeter.
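A per-user COM hijack of this kind lives under HKCU\Software\Classes\CLSID, where a registration shadows the machine-wide one for that class. The script below is an added example (not JPCERT/CC's tooling or the attacker's code) that parses the text output of `reg query HKCU\Software\Classes\CLSID /s` and flags COM server registrations worth a look: a watch-listed CLSID, a server that is not a DLL/EXE/OCX, or a server path in a user-writable directory. Only the CLSID and the file name SecureBootUEFI.dat come from the report; the sample dump, the other CLSIDs and every file path are constructed.

```python
"""Hunt for per-user COM hijacking of the kind used for SecureBootUEFI.dat.

Added example, not code from the report. Parses `reg query HKCU\Software\Classes\CLSID /s`
output (a constructed sample is embedded below) and reports suspicious COM servers.
"""
import re
import sys
from dataclasses import dataclass

# CLSID named in the report. Any HKCU registration of it deserves inspection,
# because the per-user key overrides the HKLM one when the class is created.
HIJACKED_CLSID = "{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}"

# Constructed sample of `reg query HKCU\Software\Classes\CLSID /s` output.
# The helper.dll entry is benign; the other two are the patterns we hunt for.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{0A1B2C3D-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Vendor\helper.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\InprocServer32
    (Default)    REG_SZ    C:\Users\victim\AppData\Roaming\SecureBootUEFI.dat
    ThreadingModel    REG_SZ    Both

HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32
    (Default)    REG_SZ    "C:\Users\victim\AppData\Local\Temp\svc.exe" /background
"""

KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\"
    r"(InprocServer32|LocalServer32)$", re.I)
DEFAULT_RE = re.compile(r"^\s*\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
CODE_EXT = (".dll", ".exe", ".ocx")


@dataclass
class Finding:
    clsid: str
    server_key: str
    path: str
    reasons: list


def parse_reg_query(text):
    """Yield (clsid, server_key, raw_default_value) for each COM server key."""
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = (m.group(1).upper(), m.group(2))
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            yield current[0], current[1], m.group(1)


def server_path(value):
    """Strip a quoted command line down to its executable path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value


def audit_hkcu_com_servers(text, watch_clsids=(HIJACKED_CLSID,)):
    """Return a Finding for every HKCU COM server that trips at least one check."""
    watched = {c.upper() for c in watch_clsids}
    findings = []
    for clsid, server_key, raw in parse_reg_query(text):
        path = server_path(raw)
        low = path.lower()
        reasons = []
        if clsid in watched:
            reasons.append("CLSID matches a known-hijacked class")
        if not low.endswith(CODE_EXT):
            reasons.append("server is not a .dll/.exe/.ocx")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("server lives in a user-writable directory")
        if reasons:
            findings.append(Finding(clsid, server_key, path, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python com_hijack_hunt.py clsid.txt   (or no argument for the sample)
    dump = open(sys.argv[1], errors="replace").read() if sys.argv[1:] else SAMPLE_REG_QUERY
    for f in audit_hkcu_com_servers(dump):
        print(f"{f.clsid} {f.server_key} -> {f.path}: {'; '.join(f.reasons)}")
```

On a live host, run `reg query HKCU\Software\Classes\CLSID /s > clsid.txt` for each interactive user profile and feed the file in; a hit on a non-code extension such as .dat under AppData is exactly the shape described in the report and should be triaged together with the DLL's hash and the parent process that loaded it.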

Downloader Analysis

The downloader (SecureBootUEFI.dat) showcased the following behavior:

  1. Device Identification: The malware first connected to StatCounter to transmit unique device information, including the computer name, user name, and home directory. The attackers XOR-encoded this information and smuggled it out in the referrer URL of an otherwise ordinary StatCounter hit, so the beacon looks like web analytics traffic.
  2. Fetching Secondary Payload: SecureBootUEFI.dat then contacted Bitbucket to download a malicious file, Service.dat, using the encoded device identifier to locate a payload prepared for that specific victim. This file was saved and executed in the Windows Shell directory.
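The referrer trick in step 1 can be hunted from proxy logs: a StatCounter request whose Referer is not a URL is the anomaly. The script below is an added example, not the attacker's code or JPCERT/CC's; the exact encoding is an assumption (fields `computer|user|home`, single-byte XOR key, hex output), and the real sample may use a different layout or key, so treat it as a template for the approach rather than a decoder for this specific malware. The log format and all hostnames, IPs and user names are constructed.

```python
"""Spot XOR-encoded device beacons hidden in StatCounter referrers.

Added example with an assumed encoding; not the malware's real scheme.
"""
import re
from urllib.parse import urlsplit

STATCOUNTER_HOSTS = ("statcounter.com",)

# Decoded plaintext must look like "computer|user|<drive>:\path" for a key to be accepted.
DEVICE_INFO_RE = re.compile(r"^([^|]+)\|([^|]+)\|([A-Za-z]:\\.*)$")

# Constructed proxy log format: "<ts> <src_ip> <method> <url> <referer>" ('-' = none).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_device_info(computer: str, user: str, home: str, key: int) -> str:
    """Attacker side (hypothetical format): XOR 'computer|user|home' with one byte, hex-encode."""
    plain = f"{computer}|{user}|{home}".encode("ascii")
    return xor_bytes(plain, key).hex()


def recover_xor_key(hex_blob: str):
    """Brute-force the single-byte key; return (key, computer, user, home) or None.

    Single-byte XOR leaves the plaintext structure intact, so requiring the
    'a|b|X:\\...' shape picks out the right key from the 256 candidates.
    """
    try:
        data = bytes.fromhex(hex_blob)
    except ValueError:
        return None
    for key in range(256):
        cand = xor_bytes(data, key)
        if not all(32 <= b < 127 for b in cand):  # must be printable ASCII
            continue
        m = DEVICE_INFO_RE.match(cand.decode("ascii"))
        if m:
            return key, m.group(1), m.group(2), m.group(3)
    return None


def suspicious_beacons(log_lines):
    """Return decoded device beacons found in StatCounter hits with a non-URL referer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, _method, url, referer = m.groups()
        host = urlsplit(url).hostname or ""
        if not host.endswith(STATCOUNTER_HOSTS):
            continue
        # A genuine analytics hit carries the embedding page's URL as the referer.
        if referer == "-" or referer.startswith(("http://", "https://")):
            continue
        rec = recover_xor_key(referer)
        if rec:
            key, computer, user, home = rec
            hits.append({"ts": ts, "src": src, "key": key,
                         "computer": computer, "user": user, "home": home})
    return hits


# Constructed sample: one normal page view, one legitimate counter hit, one beacon.
ENCODED = encode_device_info("WS-01", "jdoe", r"C:\Users\jdoe", 0x5A)
SAMPLE_PROXY_LOG = [
    "2024-09-01T09:00:01Z 10.0.0.5 GET https://example.org/news/ -",
    "2024-09-01T09:00:02Z 10.0.0.5 GET https://c.statcounter.com/12345678/0/abcdef12/1/ https://example.org/news/",
    f"2024-09-01T09:00:09Z 10.0.0.5 GET https://c.statcounter.com/12345678/0/abcdef12/1/ {ENCODED}",
]

if __name__ == "__main__":
    for hit in suspicious_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

The structural check in `recover_xor_key` is what makes the brute force reliable: a wrong key would have to turn some other adjacent byte pair into `:\`, which the plaintext's real layout rules out. For a multi-byte or rolling key the same idea applies with a known-plaintext attack on the separator positions instead of a 256-way loop.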

The Service.dat downloader continued the infection chain by retrieving two additional payloads (cbmp.txt and icon.txt) from another Bitbucket repository.

These files were decoded and saved as cn.dat and sp.dat, then deployed using further COM hijacking techniques.

The final payload, a backdoor malware known as SpyGrace (version 3.1.6), was deployed to give attackers continued access to the compromised system.

SpyGrace also checks for network connectivity before acting, runs its components only from specific system directories, and places its startup logic in the C runtime's initterm initialization routine, which executes before the usual entry point; the report describes this as a technique aimed at evading detection tools.

Connections to Previous Campaigns

This attack shares similarities with campaigns observed from August to September 2024 targeting organizations in Japan, South Korea, and China.

Reports from security vendors on those campaigns identified the same pattern: abuse of legitimate services like Bitbucket and StatCounter, and persistence through COM hijacking.

Decoy documents recovered from the recycle bin of the VHDX file indicate the attackers tailored their phishing emails for each of these regions.

SOC and DFIR teams can find the indicators of compromise at the end of JPCERT/CC’s detailed technical report.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
