South Korean Hackers Deploy Stealthy SpyGlace Malware Using Popular Web Services to Target Japan

APT-C-60 Launches Sophisticated Cyber Attack Against Japanese Organization

A significant cyber espionage operation targeting a Japanese organization was uncovered by JPCERT/CC in August 2024. The attack was attributed to APT-C-60, a South Korea-aligned threat group, which executed the operation through a carefully crafted job application phishing campaign.

The attackers employed a multi-stage attack strategy, initially distributing malware through Google Drive links. The payload was a VHDX virtual hard disk file containing a decoy document and a malicious Windows shortcut file. The operation's infrastructure deliberately relied on legitimate services, including Google Drive, Bitbucket, and StatCounter, the last of these used for analytics tracking.

At the heart of the attack was the SpyGlace backdoor, a sophisticated malware capable of file theft, plugin loading, remote command execution, and establishing persistence through COM hijacking techniques. The threat actors also exploited a vulnerability (CVE-2024-7262) in WPS Office software.

APT-C-60, known for targeting East Asian nations and for its connection to the DarkHotel cyber espionage group, demonstrated advanced evasion capabilities through its use of virtual disk formats. This incident highlights the growing trend of state-aligned threat actors abusing legitimate services to circumvent traditional security measures.

The attack serves as a stark reminder of the evolving cyber threat landscape in East Asia and the sophisticated techniques employed by modern cyber espionage groups.