Skip to main content

Command Palette

Search for a command to run...

APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

Published
3 min readView as Markdown
APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign
F

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

_Nov 27, 2024_Ravie LakshmananMalware / Cyber Espionage

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.

That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.

"In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said.

APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.

The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk drive (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut ("Self-Introduction.lnk").

The LNK file is responsible for triggering the subsequent steps in the infection chain, while also displaying the lure document as a distraction.

This entails launching a downloader/dropper payload named "SecureBootUEFI.dat" which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device using the HTTP referer field. The string value is derived from the computer name, home directory, and the user name and encoded.

The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which are saved as "cn.dat" and "sp.dat," respectively.

"Service.dat" also persists "cn.dat" on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor ("sp.dat").

The backdoor, for its part, establishes contact with a command-and-control server ("103.187.26[.]176") and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.

It's worth noting that cybersecurity firms Chuangyu 404 Lab and Positive Technologies have independently reported on identical campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.

"Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims' devices," Positive Technologies said. "One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system's protective mechanisms."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

SHARE

__Tweet

__Share

__Share

__Share

__Share on Facebook __Share on Twitter __Share on Linkedin __Share on Reddit __Share on Hacker News __Share on Email __Share on WhatsApp Share on Facebook Messenger __Share on Telegram

SHARE

BitBucketCyber Attackcyber espionagecybersecurityGoogle driveMalwarephishing attackSpyGlaceWPS Office

1 views

More from this blog

F

FPT Metrodata Indonesia Cyber Security

683 posts

FPT Metrodata Indonesia (FMI) provides news, analysis & guides on cybersecurity and threat intelligence for Indonesia & Vietnam. Visit https://news.fmisec.com. FMI: https://fmisec.com