| SpyGlace | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | South Korea |
| Targeted Countries | China |
| Date of Initial Activity | 2024 |
| Associated Groups | APT-C-60 |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
Overview
SpyGlace is a sophisticated malware strain that has garnered attention for its involvement in high-profile cyber-espionage campaigns. Initially uncovered during an investigation into the activities of APT-C-60, a cyber threat group believed to be aligned with South Korea, SpyGlace represents a significant evolution in the tactics, techniques, and procedures (TTPs) employed by advanced persistent threats (APTs). This malware is designed to operate covertly, maintaining a low profile while exfiltrating sensitive information from compromised targets, often from specific geopolitical regions of interest.
The malware was found to be deployed through a weaponized vulnerability in WPS Office for Windows, a popular office suite with over 500 million active users worldwide. By exploiting an arbitrary code execution flaw (CVE-2024-7262), SpyGlace was able to establish a foothold on victim systems, facilitating the installation of its payload without detection. The group behind SpyGlace, APT-C-60, strategically leveraged this exploit to infiltrate organizations across East Asia, emphasizing the targeted nature of the attack. Through this sophisticated method of delivery, SpyGlace was able to bypass conventional defenses and execute its objectives with precision.
Targets
Information
Individuals
How they operate
The malware typically enters the target environment through a phishing campaign or by exploiting public-facing applications. One of the primary entry vectors for SpyGlace is weaponized document files for office suites such as Microsoft Office or WPS Office. These documents often contain malicious macros or links to remote payloads and rely on user interaction to execute them. Once the victim opens the file and triggers the macro or malicious link, SpyGlace downloads and runs its payload on the compromised system. At this stage, the malware can also exploit existing vulnerabilities in applications (e.g., CVE-2024-7262) to escalate privileges, enabling it to execute more intrusive commands.
Upon execution, SpyGlace often employs a combination of fileless techniques and obfuscation to avoid detection by traditional antivirus and endpoint protection tools. Using PowerShell or Windows Management Instrumentation (WMI), the malware runs its payload in memory, minimizing the need for file writes that would trigger alarms in conventional security software. To further evade detection, SpyGlace obfuscates its code, encoding payloads and commands to make its activities harder to identify. This is typically achieved through a variety of techniques like dynamic analysis evasion, encryption, and packing, which help the malware blend seamlessly with legitimate system activities.
In terms of persistence, SpyGlace ensures that it remains operational across system reboots and user logins. It achieves this by adding autorun entries to the system's registry or by scheduling tasks that execute automatically when the system restarts. These mechanisms keep SpyGlace running even if the victim tries to remove it manually or the system undergoes regular maintenance. It also establishes reverse connections to its Command and Control (C2) servers, through which the attackers issue additional commands or exfiltrate stolen data. These persistent backdoors give the attackers an ongoing foothold in the network, from which they can escalate their control and further exploit the system.
As SpyGlace operates within the compromised environment, it performs a series of reconnaissance activities. This involves gathering system and network information, such as device names, operating systems, user credentials, and even network configurations. Using tools like credential dumpers, SpyGlace attempts to collect sensitive login data, which it may use to spread laterally across the network, compromising additional machines. By conducting these discovery operations, the malware builds a comprehensive picture of the system or network, targeting high-value assets and data repositories.
The ultimate goal of SpyGlace is to exfiltrate critical data back to the attackers. The malware typically gathers sensitive documents, emails, and other valuable information, storing them temporarily before transmission. To avoid detection during this process, SpyGlace may encrypt the data or use a covert communication channel to transmit it back to its C2 servers. The use of standard HTTP/S protocols or common ports helps the malware blend in with legitimate network traffic, further evading detection by firewalls or intrusion detection systems.
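As an added defender-side example (not part of the original profile), the following Python detection logic runs over constructed Sysmon-style events and flags the behaviours described above: an office application spawning a script host (the document delivery chain), hidden or encoded PowerShell (in-memory execution), and a registry Run-key entry that launches a script host (persistence). The process names, the flattened key=value event format and the sample events are assumptions constructed for this example, not SpyGlace indicators.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, 13 = registry value
# set), flattened to key=value text. Illustrative only, not real SpyGlace telemetry.
SAMPLE_EVENTS = [
    "EventID=1 ParentImage=C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -w hidden -enc SQBFAFgA",
    "EventID=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe CommandLine=wps.exe report.docx",
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=powershell.exe -w hidden -File C:\\Users\\Public\\u.ps1",
    "EventID=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe Get-Process",
]

# Assumed process names: the office suites named in the profile and the script hosts
# it says SpyGlace uses for in-memory execution (PowerShell, WMI).
OFFICE_APPS = {"wps.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe"}
SUSPICIOUS_ARGS = re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

def parse_event(line):
    """Split a flattened 'Key=Value Key=Value' line; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the detection rules this event matches."""
    hits = []
    if event.get("EventID") == "1":
        if exe_name(event.get("ParentImage", "")) in OFFICE_APPS and exe_name(event.get("Image", "")) in SCRIPT_HOSTS:
            hits.append("office_app_spawned_script_host")   # document delivery chain
        if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
            hits.append("hidden_or_encoded_powershell")     # fileless execution
    elif event.get("EventID") == "13" and RUN_KEY.search(event.get("TargetObject", "")):
        if any(h in event.get("Details", "").lower() for h in SCRIPT_HOSTS):
            hits.append("run_key_launches_script_host")     # autorun persistence
    return hits

def scan(lines):
    """Map the index of each matching event to its rule hits; clean events are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := evaluate(parse_event(line)))}
```

Calling scan(SAMPLE_EVENTS) reports events 0 and 2 and leaves the two benign events (a user opening a document, an interactive Get-Process) unreported.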
MITRE Tactics and Techniques
Initial Access
SpyGlace is often delivered through weaponized document files, exploiting vulnerabilities in office suites like WPS Office. This corresponds to the Phishing (T1566) and Exploitation of Public-Facing Application (T1190) techniques. Additionally, the CVE-2024-7262 vulnerability exploited by SpyGlace falls under the Exploitation for Privilege Escalation technique (T1203).
Execution
Once inside the system, SpyGlace executes payloads and commands to maintain persistence and run its malicious processes. This involves the use of Malicious Script (T1059), where the malware may invoke scripts to execute its code and further compromise the target machine.
Persistence
SpyGlace likely establishes persistence mechanisms to maintain access over time, such as Registry Run Keys/Startup Folder (T1547) or Scheduled Task/Job (T1053) to ensure that its payload is executed automatically after system reboots or user logins.
Privilege Escalation
SpyGlace may use techniques like Exploitation for Privilege Escalation (T1068) to gain higher levels of access on the compromised system. This tactic ensures the malware can carry out its espionage activities with greater control over the target environment.
Defense Evasion
SpyGlace uses various evasion techniques to avoid detection by security software, such as Obfuscated Files or Information (T1027) or Fileless Malware (T1055) methods, allowing it to hide its presence by operating in memory or obfuscating its malicious code to evade signature-based detection mechanisms.
Credential Access
SpyGlace may attempt to harvest credentials from the compromised system using Credential Dumping (T1003), which involves extracting account credentials from memory, databases, or other sources to further infiltrate the network or access sensitive resources.
Discovery
The malware likely performs System Information Discovery (T1082) and Network Service Scanning (T1046) to map out the compromised system or network, identifying valuable targets for further exploitation.
Collection
SpyGlace's goal is to exfiltrate sensitive data, such as documents, emails, and other intelligence of interest. This aligns with the Data from Information Repositories (T1213) and Data Staged (T1074) techniques, as the malware may gather and store data before exfiltrating it to a command-and-control (C2) server.
Exfiltration
SpyGlace performs Exfiltration Over Command and Control Channel (T1041) to send the collected intelligence back to its operators. The use of encrypted channels or covert techniques to transmit data helps maintain stealth during the exfiltration process.
Impact
While SpyGlace may not be explicitly destructive, it can compromise critical data, conduct espionage, and potentially impact national security interests. This corresponds to the Impact tactic (T1489), which involves compromising the integrity or confidentiality of data.