# APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

__Nov 27, 2024__Ravie LakshmananMalware / Cyber Espionage


The threat actor known as **APT-C-60** has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.

That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.

"In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency [said](https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html).

APT-C-60 is the moniker [assigned](https://thehackernews.com/2024/08/apt-c-60-group-exploit-wps-office-flaw.html) to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.


The attack chain discovered by JPCERT/CC begins with a phishing email that links to a virtual hard disk (VHDX) file hosted on Google Drive. When downloaded and mounted, the disk image contains a decoy document and a Windows shortcut ("Self-Introduction.lnk").

The LNK file is responsible for triggering the subsequent steps in the infection chain, while also displaying the lure document as a distraction.

This entails launching a downloader/dropper payload named "SecureBootUEFI.dat" which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device using the [HTTP referer field](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer). The string value is derived from the computer name, home directory, and the user name and encoded.
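As an added, defender-side illustration that is not part of the JPCERT/CC report or this article: the script below scans constructed proxy log lines for requests to StatCounter whose Referer is not a normal page URL, which is the anomaly this beaconing technique leaves behind. The StatCounter hostnames, the log format and the entropy threshold are assumptions, not values from the report.

```python
import math
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample proxy log lines (client_ip method url referer); not from the JPCERT/CC report.
SAMPLE_LOG = """\
10.0.0.5 GET https://c.statcounter.com/t.php?sc_project=1 https://www.example.com/blog/post-1
10.0.0.7 GET https://c.statcounter.com/t.php?sc_project=1 https://www.example.com/pricing
10.0.0.9 GET https://c.statcounter.com/t.php?sc_project=1 http://ZGVza3RvcC0wMXxDOlxVc2Vyc1xhbGljZXxhbGljZQ==/
10.0.0.9 GET https://c.statcounter.com/t.php?sc_project=1 https://cdn.example.org/img/logo.png
10.0.0.3 GET https://www.example.com/index.html -
"""

# Assumed StatCounter collection hosts; adjust to what your proxy actually records.
STATCOUNTER_HOSTS = {"c.statcounter.com", "statcounter.com"}
DNS_NAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")  # long base64/URL-safe-looking token

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs score higher than words or URL slugs."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def referer_reason(referer: str) -> Optional[str]:
    """Explain why a Referer looks like smuggled data, or return None if it looks like a page URL."""
    if referer in ("", "-"):
        return None  # no referer recorded: nothing to judge
    p = urlparse(referer)
    host = p.netloc.rsplit("@", 1)[-1].split(":")[0]
    if not DNS_NAME_RE.match(host):
        return "referer host is not a DNS name"
    for seg in p.path.split("/"):
        if TOKEN_RE.match(seg) and shannon_entropy(seg) > 4.0:  # heuristic threshold
            return "high-entropy token in referer path"
    return None

def scan_log(text: str) -> list:
    """Return (client_ip, referer, reason) for StatCounter hits whose Referer looks abnormal."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, _method, url, referer = parts
        if urlparse(url).hostname not in STATCOUNTER_HOSTS:
            continue
        reason = referer_reason(referer)
        if reason:
            alerts.append((client, referer, reason))
    return alerts
```

Legitimate analytics hits carry the visited page's URL as the Referer, so a host that is not a DNS name, or a long encoded path segment, is worth a closer look at the originating endpoint.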


The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which are saved as "cn.dat" and "sp.dat," respectively.

"Service.dat" also persists "cn.dat" on the compromised host using a technique called [COM hijacking](https://attack.mitre.org/techniques/T1546/015/), after which the latter executes the SpyGlace backdoor ("sp.dat").

The backdoor, for its part, establishes contact with a command-and-control server ("103.187.26[.]176") and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.


It's worth noting that cybersecurity firms [Chuangyu 404 Lab](https://mp.weixin.qq.com/s/qsgzOg-0rZfXEn4Hfj9RLw) and [Positive Technologies](https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques) have independently reported on identical campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and [APT-Q-12](https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/) (aka Pseudo Hunter) being sub-groups within the [DarkHotel](https://thehackernews.com/2022/03/south-korean-darkhotel-hackers-targeted.html) cluster.

"Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims' devices," Positive Technologies said. "One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system's protective mechanisms."

