APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.

That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.

"In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said.

APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace.

The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Google Drive, a virtual hard disk drive (VHDX) file, which, when downloaded and mounted, includes a decoy document and a Windows shortcut ("Self-Introduction.lnk").

The LNK file is responsible for triggering the subsequent steps in the infection chain, while also displaying the lure document as a distraction.

This entails launching a downloader/dropper payload named "SecureBootUEFI.dat" which, in turn, uses StatCounter, a legitimate web analytics tool, to transmit a string that can uniquely identify a victim device using the HTTP referer field. The string value is derived from the computer name, home directory, and the user name and encoded.

The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which are saved as "cn.dat" and "sp.dat," respectively.

"Service.dat" also persists "cn.dat" on the compromised host using a technique called COM hijacking, after which the latter executes the SpyGlace backdoor ("sp.dat").

The backdoor, for its part, establishes contact with a command-and-control server ("103.187.26[.]176") and awaits further instructions that allow it to steal files, load additional plugins, and execute commands.

It's worth noting that cybersecurity firms Chuangyu 404 Lab and Positive Technologies have independently reported on identical campaigns delivering the SpyGlace malware, alongside highlighting evidence pointing to APT-C-60 and APT-Q-12 (aka Pseudo Hunter) being sub-groups within the DarkHotel cluster.

"Groups from the Asia region continue to use non-standard techniques to deliver their malware to victims' devices," Positive Technologies said. "One of these techniques is the use of virtual disks in VHD/VHDX format to bypass the operating system's protective mechanisms."