In August 2024, the South Korea-aligned cyber espionage group APT-C-60 executed a targeted attack on an unnamed organization in Japan, leveraging the SpyGlace backdoor to infiltrate its systems. The campaign was launched through a phishing email that posed as a job application, a tactic frequently used by APT-C-60 to lure victims into downloading malicious content. The email contained a link to a VHDX file hosted on Google Drive, which when downloaded and mounted, appeared to contain a decoy document but also harbored a malicious Windows shortcut.
The shortcut, once triggered, initiated the infection chain by executing a downloader payload named “SecureBootUEFI.dat.” This downloader utilized StatCounter, a legitimate web analytics service, to send unique system identifiers derived from the victim’s computer name, user name, and home directory. This encoded string allowed the malware to access Bitbucket, where it retrieved the next stage of the attack—a file named Service.dat. This file, in turn, deployed additional malicious artifacts on the victim’s machine, including cn.dat and sp.dat, the latter of which contained the SpyGlace backdoor.
The SpyGlace backdoor established communication with a command-and-control server, enabling attackers to execute commands remotely, steal sensitive files, and load additional malicious plugins onto the infected system. APT-C-60 used COM hijacking techniques to ensure persistence and enable the execution of SpyGlace even after the initial infection. The use of legitimate services like Google Drive, Bitbucket, and StatCounter allowed the attackers to circumvent traditional security defenses, making the attack harder to detect and analyze.
Cybersecurity researchers from Chuangyu 404 Lab and Positive Technologies have independently linked this campaign to APT-C-60, also connecting it to other groups within the DarkHotel cluster. These findings reinforce the growing trend of using non-standard delivery methods, such as VHDX files and virtual disk formats, to bypass security mechanisms. This campaign serves as a stark reminder of the increasing sophistication of cyber espionage techniques, emphasizing the need for organizations to stay vigilant and implement advanced threat detection systems to protect against evolving cyber threats.
