Actor240524 (APT) – Threat Actor

February 10, 2025
in APT, Threat Actors

Actor240524

  • Date of initial activity: 2024
  • Location: Unknown
  • Suspected attribution: APT
  • Targeted countries: Israel, Azerbaijan
  • Motivation: Cyberwarfare
  • Software: Windows

Overview

In an evolving landscape of cybersecurity threats, a new advanced persistent threat (APT) group, dubbed Actor240524, has emerged with a series of sophisticated cyberattacks targeting Azerbaijan and Israel. Discovered by NSFOCUS Security Labs (NSL), the group uses a blend of novel tactics and malware to infiltrate diplomatic circles, focusing on stealing sensitive governmental data. Its attack techniques do not directly align with those of any known threat group, which makes it a distinct and concerning development in cyber espionage. Its first major campaign took place on July 1, 2024, and targeted diplomatic personnel with spear-phishing attacks.

Actor240524’s modus operandi centres on social engineering and the abuse of common office tools to deliver the payload. The bait was a malicious Word document that appeared official in nature. The document, titled “iden.doc,” contained blurry images designed to mimic official Azerbaijani government materials, including the national emblem, the cabinet building, and administrative personnel. When a victim opened the document, they were prompted to click “Enable Content,” which triggered the embedded VBA macro. The macro acted as a conduit for dropping a series of malicious executable files onto the system, the first step of a highly orchestrated attack.

Common targets

  • Public Administration
  • Israel
  • Azerbaijan

Attack Vectors

  • Phishing

How they operate

At the heart of Actor240524’s attack strategy is social engineering: the victim is deceived into executing malicious content themselves. The group begins with a spear-phishing email carrying a malicious Word document. Disguised as an official Azerbaijani government file, the document contains blurry images meant to pass as authentic communication, showing the Azerbaijani national emblem, government buildings, and personnel listings, which makes it highly convincing. Once the victim opens the document and clicks “Enable Content” when prompted, the embedded VBA macro runs and the initial phase of the attack begins.

The macro plays a critical role in the attack’s execution. Upon activation, it decrypts the malicious payload hidden inside the document and writes it to a fixed location on the victim’s system, typically the folder C:\Users\Public\Documents. The file is named MicrosoftWordUpdater.log so that the victim mistakes it for a harmless log file. In reality it is an executable and serves as the initial loader for the malware. Once run, it decrypts and launches the additional payloads, ABCloader and ABCsync.

ABCloader is the first significant stage of the infection. Its primary function is to fingerprint the operating environment and make sure the system is not a virtual machine or sandbox used for malware analysis. It does this through a series of checks, including looking for hardware breakpoints and counting the number of active processes. If these checks indicate that the system is under analysis, the loader halts to avoid detection. If the environment passes, ABCloader decrypts and loads the next stage, ABCsync.

ABCsync is the core of the Actor240524 attack. Once deployed, it establishes a connection with the attackers’ command and control (C2) server, allowing them to issue remote commands and control the compromised system. This channel is designed to be stealthy and to avoid the traditional detection methods used by security tools. The attackers can then use ABCsync to exfiltrate data, manipulate files, or install additional malware. One of its most notable features is that it operates in memory, leaving minimal traces on disk and making detection even harder.

Actor240524 has also built several anti-analysis techniques into both ABCloader and ABCsync. These include API-level encryption, which prevents security tools from easily analyzing the malicious code, and screen resolution detection, which helps the malware decide whether it is running in an environment where it might be monitored. The group also uses process count detection to check whether the number of running processes matches typical user activity, another signal that the malware is under scrutiny. Together these layered evasion techniques significantly improve the group’s ability to avoid detection by both automated systems and human analysts.

The group has also exhibited a high level of operational security, taking measures to keep its activity hidden even after the malware is installed. For example, once the attack is complete, ABCsync communicates with the C2 server in a way that avoids triggering network-based detection tools, using encrypted communication channels and frequent communication intervals to mask its presence.
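Added example (not code from this page or from NSFOCUS): a small detection pass over constructed Sysmon-style events that flags the dropper behaviour described above, namely an Office process writing into C:\Users\Public and a process later launched from that dropped file under a non-executable extension. The field names (ts, id, image, target, parent) and the sample records are assumptions made for this example.

```python
import json
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PUBLIC_DIR = "c:\\users\\public\\"
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}

# Constructed Sysmon-style records for this example (id 11 = FileCreate,
# id 1 = ProcessCreate); sample data, not telemetry from the report.
SAMPLE_EVENTS = r"""
{"ts": 50, "id": 11, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "target": "C:\\Users\\alice\\Documents\\report.docx"}
{"ts": 60, "id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": 100, "id": 11, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "target": "C:\\Users\\Public\\Documents\\MicrosoftWordUpdater.log"}
{"ts": 101, "id": 1, "image": "C:\\Users\\Public\\Documents\\MicrosoftWordUpdater.log", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alerts for the Office-drop-then-execute pattern, in time order."""
    alerts = []
    office_drops = {}  # lowercase path of each file an Office app wrote under Public
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11 and PureWindowsPath(ev["image"]).name.lower() in OFFICE_APPS:
            target = ev["target"].lower()
            # An Office app writing outside the user's own profile is unusual for a document.
            if target.startswith(PUBLIC_DIR):
                office_drops[target] = ev["ts"]
                alerts.append({"ts": ev["ts"], "rule": "office_write_public_dir", "path": ev["target"]})
        elif ev["id"] == 1:
            image = ev["image"].lower()
            # A process image with a non-executable extension such as .log is masquerading.
            if image.startswith(PUBLIC_DIR) and PureWindowsPath(image).suffix not in EXEC_EXTS:
                alerts.append({"ts": ev["ts"], "rule": "exec_masquerading_extension", "path": ev["image"]})
            # Correlation: the executed image is a file an Office app dropped earlier.
            if image in office_drops:
                alerts.append({"ts": ev["ts"], "rule": "office_dropped_file_executed",
                               "path": ev["image"], "dropped_at": office_drops[image]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data the benign Word save and the notepad launch produce nothing, while the .log drop and its execution produce three alerts, the last of which ties the launch back to the Office write at ts 100.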
In conclusion, Actor240524’s technical sophistication underscores the evolving nature of modern cyber threats. Their use of social engineering tactics, combined with a multi-stage payload that includes sophisticated loaders, anti-analysis checks, and encrypted communications, makes them a formidable adversary. As the threat landscape continues to evolve, organizations must enhance their cybersecurity defenses, adopting proactive threat hunting, advanced malware detection systems, and endpoint security solutions to counter the advanced techniques employed by groups like Actor240524. Understanding the technical operations of such threat actors is crucial to developing effective defenses against the next generation of APT campaigns.
References:
  • NSFOCUS Security Labs, “New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel”

Tags: ABCloader, ABCsync, Actor240524, APT, Azerbaijan, Cybersecurity, Government, Israel, Malware, NSFOCUS Security Labs, NSL, Phishing, Threat Actors, Windows