Hackers Weaponize Google Drive Links to Breach Corporate Networks


A sophisticated attack campaign is targeting organizations in Japan and other East Asian countries. The threat actor, tracked as APT-C-60, uses a social engineering lure built around the job application process to gain a foothold in corporate networks and deploy malware.

The attack, first detected in August 2024, began with a phishing email disguised as a job application sent to an organization’s recruitment contact.

The email contains a seemingly innocuous Google Drive link, which, when clicked, initiates a complex infection chain.


Upon accessing the link, victims unknowingly download a VHDX file, a virtual disk format that contains malicious components alongside decoy documents.

Initial Attack Chain

According to the JPCERT/CC advisory, the VHDX file includes a Windows shortcut (LNK) that, when executed, triggers the deployment of a downloader dubbed “SecureBootUEFI.dat”.

Sophisticated Techniques Employed

This downloader employs a sophisticated technique to identify infected devices. It leverages StatCounter, a legitimate web analytics service, to transmit a unique identifier for each compromised device, encoded in the HTTP Referer header of the requests it sends to the service.

This allows the attackers to track and manage compromised systems effectively. The infection chain continues as the downloader connects to Bitbucket, a popular code hosting platform, to retrieve additional malicious payloads.
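Because StatCounter normally receives the URL of the page a visitor was on, a Referer that is not a page address at all is the observable a defender can look for in web proxy logs. The following detection sketch is an added example, not code from the article or from JPCERT/CC: it uses a constructed, simplified proxy log format (`src_ip method dst_host Referer=<value>`) and two assumed heuristics, a Referer host that is not a public hostname and a single path segment that looks like an opaque base64- or hex-style token. The article does not describe the actual encoding the downloader uses, so these heuristics are starting points to tune against your own traffic rather than a signature for this campaign.

```python
import re
from urllib.parse import urlsplit

# Analytics hosts to watch (the service abused in the campaign described above).
ANALYTICS_HOSTS = {"c.statcounter.com", "statcounter.com"}

# A normal Referer is the URL of the page the visitor was on, so its host should
# look like a public DNS name. Assumed heuristics, not the campaign's real encoding:
DNS_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# one path segment made only of base64/hex-style characters, 24 or more of them
OPAQUE_SEGMENT_RE = re.compile(r"[A-Za-z0-9+=]{24,}")

# Constructed proxy log format for this example: src_ip method dst_host Referer=<value>
LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<dst>\S+)\s+Referer=(?P<ref>\S*)$")

# Constructed sample lines (not real traffic); 10.0.0.23 and 10.0.0.24 are the odd ones.
SAMPLE_PROXY_LOG = [
    "10.0.0.21 GET c.statcounter.com Referer=https://www.example.jp/careers/2024-08-hiring",
    "10.0.0.22 GET c.statcounter.com Referer=-",
    "10.0.0.23 GET c.statcounter.com Referer=http://wks-7a31f2c9e0b4d5a6e7f8/",
    "10.0.0.24 GET c.statcounter.com Referer=https://example.jp/MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODk=",
    "10.0.0.25 GET www.example.jp Referer=http://not-a-domain/",
]


def parse_line(line):
    """Split one log line into its fields; returns None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_reason(ref):
    """Explain why a Referer looks like a beacon payload rather than a page URL; None if it looks normal."""
    if ref in ("", "-"):
        return None  # a missing Referer is routine (direct navigation, privacy settings)
    parts = urlsplit(ref)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "referer is not an http(s) URL"
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(DNS_LABEL_RE.match(label) for label in labels):
        return f"referer host {host!r} is not a public hostname"
    for segment in parts.path.split("/"):
        if OPAQUE_SEGMENT_RE.fullmatch(segment):
            return "referer path carries an opaque token"
    return None


def find_beacons(lines):
    """Return (src_ip, referer, reason) for analytics requests whose Referer looks like a tracker beacon."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"].lower() not in ANALYTICS_HOSTS:
            continue
        reason = referer_reason(rec["ref"])
        if reason:
            hits.append((rec["src"], rec["ref"], reason))
    return hits


if __name__ == "__main__":
    for src, ref, reason in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{src}: {reason} ({ref})")
```

Expect false positives from sites that put hashes or session tokens in page paths; the useful follow-up is to pivot on the source host, since a single workstation repeatedly beaconing to an analytics service with the same non-URL Referer is the pattern of a tracker, not of a user browsing.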

These include “Service.dat,” which in turn downloads and executes two more components: “cn.dat” and “sp.dat”. The final stage of the attack involves the deployment of a backdoor called SpyGrace.

This malware, currently at version 3.1.6, establishes communication with a command-and-control server, enabling attackers to steal files, load plugins, and execute arbitrary commands on infected systems.

To ensure persistence, the malware employs COM hijacking, a technique that abuses the registry-based lookup Windows performs for COM objects so that a legitimate process loads the malware's component, which lets it maintain a foothold on compromised devices.
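A per-user COM hijack is visible in the registry: entries under `HKCU\Software\Classes\CLSID` take precedence over the machine-wide registration for that user's processes and can be written without administrative rights. The script below is an added example, not code from the article or from JPCERT/CC, that parses a `.reg` export of that hive and flags server registrations pointing into user-writable locations or at files without a usual COM server extension. The CLSIDs, user name and file paths in the embedded sample are constructed placeholders; the article does not say which CLSID the malware hijacks.

```python
import re

# Constructed .reg export fragment for this example (not from the article); the CLSIDs,
# user name and file paths are placeholders. HKCU\Software\Classes entries shadow the
# machine-wide HKLM registration for that user's processes, which is what a COM hijack relies on.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.dat"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}\LocalServer32]
@="\"C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe\" /background"
"""

SERVER_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Locations a standard user can write to. Legitimate per-user installs live here too,
# so treat a hit as a lead to baseline against known software, not as proof of compromise.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
NORMAL_SERVER_EXTENSIONS = (".dll", ".exe", ".ocx")


def reg_unescape(text):
    """Undo .reg string escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def server_path(value):
    """Extract the file path from a server value, dropping surrounding quotes and arguments."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value


def parse_reg_export(text):
    """Collect per-user COM server registrations (CLSID, server type, path) from a .reg export."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SERVER_KEY_RE.match(line)
            current = {"clsid": m.group(1), "server_type": m.group(2)} if m else None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if current and m:
            entries.append({**current, "path": server_path(reg_unescape(m.group(1)))})
            current = None
    return entries


def reasons_for(entry):
    """Heuristic reasons an entry deserves a closer look (assumed, see lead-in)."""
    path = entry["path"].lower()
    reasons = []
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("server lives in a user-writable location")
    if not path.endswith(NORMAL_SERVER_EXTENSIONS):
        reasons.append("server file lacks a usual COM server extension")
    return reasons


def suspicious_entries(entries):
    """Return only the entries that triggered at least one heuristic, with their reasons attached."""
    return [{**e, "reasons": reasons_for(e)} for e in entries if reasons_for(e)]


if __name__ == "__main__":
    for entry in suspicious_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{entry["clsid"]} {entry["server_type"]} -> {entry["path"]}: {"; ".join(entry["reasons"])}')
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Classes\CLSID`; comparing the flagged CLSIDs against the HKLM registration of the same CLSID shows whether the per-user entry is overriding a component that a system process loads at logon.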

What makes this campaign particularly insidious is its abuse of trusted platforms and services.

By leveraging Google Drive, Bitbucket, and StatCounter, the attackers can often bypass traditional security measures that might otherwise detect malicious activity.

The campaign appears to be part of a broader effort targeting East Asian countries, including Japan, South Korea, and China.

Communication

Security researchers have observed similar attacks between August and September 2024, all sharing common characteristics such as the abuse of legitimate services and sophisticated persistence mechanisms.

Organizations, particularly those in the targeted regions, are urged to exercise caution when handling unsolicited job applications or unexpected links, even from seemingly trustworthy sources.

IT security teams should implement advanced threat detection mechanisms capable of identifying suspicious activities, even when they originate from legitimate services.

As this attack demonstrates, cybercriminals are continuously evolving their tactics, exploiting the trust placed in well-known platforms and services.

The discovery of this campaign highlights the ongoing cat-and-mouse game between attackers and defenders in the digital realm.

As threat actors like APT-C-60 refine their techniques, organizations must adapt their security postures accordingly to protect sensitive data and maintain the integrity of their networks.
