APT-C-60 Hackers Target Japanese Organization with SpyGlace Malware Campaign
On November 27, 2024, JPCERT/CC reported a targeted cyber attack attributed to the APT-C-60 group, which is known for South Korea-aligned cyber espionage activity. The intrusion was directed at an unnamed organization based in Japan and used a job-application pretext to deliver the SpyGlace backdoor, a piece of malware that gives the attackers remote access to the compromised host and a channel for exfiltrating data.
The attack, carried out in August 2024, began with a phishing email purporting to come from a prospective employee. It was sent directly to the organization's recruiting contact, and compromising that individual gave the attackers a foothold inside the organization. Notably, the operation relied on legitimate platforms, including Google Drive, Bitbucket, and StatCounter, to host malicious files and obscure the attack's origin, a common tactic among modern threat actors who abuse trusted services so that their traffic blends in with normal activity.
The group also exploited a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). Exploiting this flaw allowed the attackers to deploy the custom SpyGlace backdoor and operate within the organization's network with little visibility. The incident reflects operational tradecraft typical of advanced persistent threats (APTs), which favor prolonged, low-profile intrusions aimed at intelligence gathering.
The adversary tactics likely involved in this attack map naturally onto the MITRE ATT&CK Framework, which catalogs known adversary tactics and techniques. Initial access appears to have been achieved through the social engineering in the phishing email, which allowed the attackers to get past the organization's perimeter defenses. Once inside, persistence techniques would likely have been used to establish a long-term presence on the compromised system so that access could be maintained over time.
Privilege escalation techniques may also have played a role, since elevated access would let the attackers bypass administrative security controls and extend their reach across the organization's network. This raises concerns not only about data integrity but also about the potential operational impact on the targeted organization.
As businesses increasingly rely on digital solutions for recruitment and operations, this incident serves as a stark reminder of the vulnerabilities inherent in such practices. Organizations must remain vigilant and adopt robust cybersecurity measures to mitigate the risks posed by similar cyber intrusions. The incident exemplifies the evolving landscape of cyber threats and highlights the necessity for ongoing education and preparedness in the face of sophisticated attack methodologies.