Attack Group APT-C-60 Targets Japan Using Trusted Platforms

A cyber-attack targeting Japanese and other East Asian organizations, suspected to be orchestrated by the threat group APT-C-60, has been uncovered.

First identified in August 2024, the attack involved phishing emails disguised as job applications to infiltrate recruitment departments, introducing malware via malicious links hosted on legitimate platforms such as Google Drive.

Attack Chain and Techniques

According to a new advisory published by JPCERT on Tuesday, the attack began with a phishing email containing a Google Drive link.

This link downloaded a VHDX file – a virtual disk format – onto the victim’s system. Inside the file, a malicious LNK shortcut file labeled Self-Introduction.lnk executed a payload using a legitimate executable, git.exe. Additionally, the payload generated a downloader, SecureBootUEFI.dat, and achieved persistence through a COM hijacking technique.

Further analysis revealed that the downloader connected to two legitimate services:

  • StatCounter, for identifying infected devices using unique encoded data like computer names

  • Bitbucket, to retrieve and execute additional payloads

The malware used encoded data strings in URLs and XOR keys to obfuscate its communication and payload operations.
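As an added example (not code from JPCERT's advisory or this article), the following Python sketches how a defender could hunt for the chain described above in endpoint telemetry, running four heuristics over constructed Sysmon-style events. The field names, process images, paths, CLSID and browser allow-list are assumptions; only the git.exe launch from a mounted VHDX, the SecureBootUEFI.dat file name, COM hijacking for persistence and the StatCounter/Bitbucket contact come from the text.

```python
"""Hunting heuristics for the APT-C-60 delivery chain described above, run over constructed telemetry."""
import re

# Constructed, Sysmon-style sample events (assumption: field names follow Sysmon EIDs 1, 3, 11, 13).
# Process images, paths and the CLSID are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Program Files\Git\cmd\git.exe",           # LNK on a mounted VHDX
     "parent": r"C:\Windows\explorer.exe", "cwd": "E:\\"},              # launching git.exe
    {"eid": 11, "image": r"C:\Program Files\Git\cmd\git.exe",
     "target": r"C:\Users\alice\AppData\Local\SecureBootUEFI.dat"},      # downloader dropped
    {"eid": 13, "image": r"C:\Windows\System32\rundll32.exe",           # HKCU COM hijack (placeholder CLSID)
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Local\SecureBootUEFI.dat"},
    {"eid": 3, "image": r"C:\Windows\System32\rundll32.exe", "dst_host": "c.statcounter.com"},
    {"eid": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_host": "bitbucket.org"},
    {"eid": 1, "image": r"C:\Program Files\Git\cmd\git.exe",           # benign developer use
     "parent": r"C:\Program Files\Git\git-bash.exe", "cwd": r"C:\src\repo"},
]

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}       # assumption: approved browsers
ABUSED_SERVICES = ("statcounter.com", "bitbucket.org")         # services named in the report
COM_HIJACK_KEY = re.compile(r"\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_abused_service(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ABUSED_SERVICES)


def detect(events):
    """Return (rule, image) pairs for events matching one of four heuristics."""
    hits = []
    for e in events:
        img = basename(e["image"])
        if (e["eid"] == 1 and img == "git.exe" and basename(e["parent"]) == "explorer.exe"
                and not e["cwd"].upper().startswith("C:\\")):
            hits.append(("git_exe_from_mounted_disk", img))     # user-launched from a non-system drive
        elif e["eid"] == 11 and basename(e["target"]) == "securebootuefi.dat":
            hits.append(("downloader_dropped", img))            # file name taken from the report
        elif e["eid"] == 13 and COM_HIJACK_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
            hits.append(("hkcu_com_hijack", img))               # InprocServer32 -> user-writable path
        elif e["eid"] == 3 and img not in BROWSERS and is_abused_service(e["dst_host"]):
            hits.append(("non_browser_to_abused_service", img))
    return hits
```

The rules are deliberately loose; in practice the git.exe and Bitbucket checks need tuning against the developer activity normal for the environment.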

Backdoor and Persistence Mechanisms

The final payload, first identified as SpyGrace by ESET researchers in August, is a backdoor malware. This variant, version 3.1.6, is initialized by executing multiple commands, including verifying network connectivity and launching files from specific directories.

The backdoor also employs advanced techniques, such as using initterm functions to execute malicious operations before the primary program starts.

Regional Implications and Broader Campaign

Evidence suggests this campaign targeted organizations in Japan, South Korea and China. The use of decoy documents in the VHDX files aligns with other campaigns observed in East Asia between August and September 2024.

These campaigns consistently exploit legitimate services like Bitbucket for malware delivery and use sophisticated persistence techniques, highlighting the evolving tactics of APT-C-60.

According to JPCERT, this campaign demonstrates the risks posed by cybercriminals abusing trusted services. Organizations are urged to monitor recruitment channels, scrutinize unsolicited links and deploy advanced threat detection mechanisms to mitigate similar risks.