A new threat actor known as Actor240524 has been identified in a series of attacks targeting diplomats from Azerbaijan and Israel, with the objective of stealing sensitive data. The campaign was detected by NSFOCUS on July 1, 2024, and involved spear-phishing emails. These emails contained malicious Microsoft Word documents, which, once opened, prompted recipients to enable content that executed a macro leading to the installation of ABCloader, a malware loader. ABCloader decrypted and deployed the main malware, ABCsync, allowing the attackers to take control of infected systems.
ABCsync, the core malware used in this attack, has advanced evasion techniques that make it difficult to detect. It conducts a series of checks to determine if it’s running in a virtual machine or sandbox environment. If certain conditions, like low process counts, are met, the malware exits. This ensures that the attack remains concealed from security researchers. The malware’s primary functions include running commands via remote shells and exfiltrating system information, with strong encryption methods used to hide its activity.
The motivation behind these attacks seems to be related to the close political and economic ties between Azerbaijan and Israel. Actor240524 is likely attempting to exploit this relationship by targeting diplomatic personnel from both countries. The attackers aim to gather intelligence that could impact the cooperative efforts between Azerbaijan and Israel, indicating a sophisticated and well-planned operation.
Security experts warn that Actor240524’s techniques demonstrate a high level of skill, particularly in how they avoid detection. Organizations involved in sensitive political or diplomatic work should be on high alert, ensuring that their systems are protected from similar phishing campaigns. Regular security updates, enhanced email protection, and staff awareness training are key strategies to prevent these types of cyberattacks.
Reference:
