Friday, April 4, 2025
HomeCyber AttackAPT-C-60 Attacking HR Department With Weaponized Resumes

APT-C-60 Attacking HR Department With Weaponized Resumes

Published on

SIEM as a Service

Follow Us on Google News

APT-C-60 launched a phishing attack in August 2024, targeting domestic organizations with malicious emails disguised as job applications.

These emails, sent to recruitment departments, contained malware designed to compromise systems and potentially steal sensitive data. 

The attack leverages a targeted phishing email to distribute a malicious VHDX file hosted on Google Drive.

Once mounted, the VHDX file releases an LNK file, which likely executes malicious code upon interaction, compromising the victim’s system.

Contents of VHDX file

The LNK file triggers a malicious script that executes the legitimate git.exe to launch a downloader named SecureBootUEFI.dat, which persists on the system by hijacking a COM interface and registers itself to be executed automatically.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

SecureBootUEFI.dat malware initially contacts StatCounter to identify infected devices based on unique device information.

Subsequently, it downloads a malicious payload from Bitbucket, exploiting a unique URL path derived from device-specific data, and executes it locally.

The Service.dat malware downloads and decodes two files from a different Bitbucket repository, which are then persisted to the user’s font directory using Base64 and XOR encryption, and subsequently through COM interface hijacking. 

Service.dat persistence

A backdoor named SpyGrace v3.1.6 confirms its existence through version information and matching elements like command type and encryption keys with previously reported v3.0.

Backdoor initialization begins by loading configuration data, establishing a mutex (905QD4656:H) to prevent duplicate instances, and verifying network connectivity with api.ipfy.org. 

SecureBootUEFI.dat communication flow

Finally, it locates and executes specific file types (.exe, .dat, .db, and .ext) within the user’s roaming profile directory (%appdata%\Microsoft\Vault\UserProfileRoaming).

Through its execution prior to the DllMain function, the initterm function of the CRT pre-processed the initialization phase, thereby having an effect on the initial state of the DLL.

According to JPCERT, recent malware campaigns, leveraging services like Bitbucket and StatCounter, have employed COM hijacking for persistence, which, similar to those targeting East Asian nations, suggests a broader threat landscape involving sophisticated techniques and potential espionage motives.

The attack, targeting East Asia, leverages legitimate services like Bitbucket and StatCounter to deliver malicious payloads as the attack’s tactics and techniques, including the used samples and command-and-control infrastructure.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code

OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security...

Apache Traffic Server Flaw Allows Request Smuggling Attacks

A critical vulnerability has been discovered in Apache Traffic Server (ATS), an open-source caching...

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces...

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券),...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券),...

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic,...

New Trinda Malware Targets Android Devices by Replacing Phone Numbers During Calls

Kaspersky Lab has uncovered a new version of the Triada Trojan, a sophisticated malware...