A sophisticated cyber assault by the threat group APT-C-60 has recently targeted an unnamed Japanese organization, exploiting a vulnerability in WPS Office to deploy the SpyGlace backdoor. This attack occurred in August 2024, leveraging job application-themed phishing tactics to infiltrate the system, as reported by JPCERT/CC.

Attack Methodology

The breach involved phishing emails mimicking job applications, directed at the organization's recruitment team. These emails contained links to files hosted on Google Drive, facilitating the malware's entry.

Technical Exploit

APT-C-60, believed to be aligned with South Korea, exploited a remote code execution flaw in WPS Office for Windows, tracked as CVE-2024-7262, to deliver and execute the SpyGlace backdoor.

Infection Process

Once the phishing email link was accessed, it downloaded a virtual hard disk drive (VHDX) file. This file, upon mounting, presented a decoy document alongside a Windows shortcut, "Self-Introduction.lnk," which commenced the infection process.

Payload Mechanics

The shortcut launched a downloader, "SecureBootUEFI.dat," which abused the StatCounter web-analytics service to report a unique, encoded identifier for the victim in the HTTP Referer header. Subsequent stages retrieved "Service.dat" from Bitbucket, which in turn downloaded the additional files ("cn.dat" and "sp.dat") needed to run the backdoor.

Backdoor Functionality

By executing "sp.dat," SpyGlace established a connection with its command-and-control server at "103.187.26[.]176," awaiting directives such as file theft, plugin loading, and command executions.
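Defender-side illustration of the beacon and staging pattern described in the three sections above, as an added example that is not part of the JPCERT/CC report: a scan over constructed proxy-log lines that flags StatCounter hits whose Referer is not a page URL, downloads of the named stage files from Bitbucket, and contact with the reported command-and-control address. The log format, client addresses, repository path and the c.statcounter.com endpoint path are assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Indicators taken from the report above; everything else here is constructed.
C2_HOST = "103.187.26.176"
STAGE_NAMES = {"Service.dat", "cn.dat", "sp.dat"}

# Constructed proxy log: <time> <client> <method> <url> <referer>  ("-" = none)
SAMPLE_LOG = """\
2024-08-12T09:14:02Z 10.0.5.21 GET https://c.statcounter.com/t.php?sc_project=1 https://www.example-news.test/article/42
2024-08-12T09:14:09Z 10.0.5.33 GET https://c.statcounter.com/t.php?sc_project=1 aGVsbG8td29ybGQtZW5jb2RlZC1ob3N0LWlk
2024-08-12T09:14:15Z 10.0.5.33 GET https://bitbucket.org/placeholder-user/placeholder-repo/downloads/Service.dat -
2024-08-12T09:15:40Z 10.0.5.33 POST http://103.187.26.176/ -
2024-08-12T09:16:01Z 10.0.5.21 GET https://bitbucket.org/placeholder-user/placeholder-repo/downloads/README.md -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded identifiers score higher than plain words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def referer_looks_like_page(ref: str) -> bool:
    """A genuine StatCounter hit carries the visited page's URL as Referer."""
    p = urlparse(ref)
    return p.scheme in ("http", "https") and "." in p.netloc

def classify(line: str):
    """Return (rule, client, detail) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, client, _method, url, ref = m.groups()
    u = urlparse(url)
    host = u.hostname or ""
    if host == C2_HOST:
        return ("c2-contact", client, url)
    # Heuristic: analytics hit whose Referer is an opaque token, not a page URL
    if (host.endswith("statcounter.com") and ref != "-"
            and not referer_looks_like_page(ref) and shannon_entropy(ref) > 3.5):
        return ("statcounter-referer-beacon", client, ref)
    if host.endswith("bitbucket.org") and u.path.rsplit("/", 1)[-1] in STAGE_NAMES:
        return ("bitbucket-stage-download", client, u.path)
    return None

def scan(log: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in log.splitlines()) if hit]
```

Correlating the three rule names on one client within a short window, rather than alerting on any single hit, is what separates this chain from a lone analytics false positive.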

Cybersecurity entities, including Chuangyu 404 Lab and Positive Technologies, have corroborated these findings, linking APT-C-60 and APT-Q-12 (also known as Pseudo Hunter) to the larger DarkHotel collective. This campaign underscores the persistent use of unconventional tactics by Asian cyber groups, notably utilizing virtual disk formats like VHD/VHDX to circumvent security protections.
