New Cyber Threat Targets Azerbaijan and Israel Diplomats, Stealing Sensitive Data – Cyber Tech

Aug 15, 2024 Ravie Lakshmanan Cyber Espionage / Data Theft

A previously unknown threat actor has been attributed to a spate of attacks targeting Azerbaijan and Israel with the aim of stealing sensitive data.

The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524.

“Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques,” the cybersecurity company said in an analysis published last week.


The attack chains begin with phishing emails bearing Microsoft Word documents that, upon opening, urge the recipient to “Enable Content” and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader (“MicrosoftWordUpdater.log”).

In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync (“synchronize.dll”), which then establishes contact with a remote server (“185.23.253[.]143”) to receive and run commands.

[Figure: Azerbaijan and Israel Diplomats]

“Its main function is to determine the operating environment, decrypt the program, and load the next DLL (ABCsync),” NSFOCUS said. “It then performs various anti-sandbox and anti-analysis techniques for environmental detection.”

Some of the prominent functions of ABCsync are executing remote shells, running commands via cmd.exe, and exfiltrating system information and other data.

Both ABCloader and ABCsync have been observed employing techniques such as string encryption to cloak crucial file paths, file names, keys, error messages, and command-and-control (C2) addresses. They also carry out several checks to determine whether the process is being debugged or executed in a virtual machine or sandbox, including validating the display resolution.


Another notable step taken by Actor240524 is a check on whether the number of processes running on the compromised system is lower than 200; if so, the malicious process exits.
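The two environment checks described above (display resolution and a process count below 200) are tells that a poorly provisioned analysis VM will trip, causing the sample to exit before it does anything observable. The following script is an added example for sandbox operators, not code from NSFOCUS or from the article: it scores an environment against those two checks so the VM can be tuned before detonation. The 200-process threshold is the figure the report gives; the resolution cut-off (1024x768) and the treatment of a headless session as a tell are assumptions, since the report does not state what resolution the malware expects.

```python
"""Score an analysis VM against the anti-sandbox checks attributed to Actor240524.

Added example. The process-count threshold comes from the report; the resolution
threshold and the headless rule are assumptions made here for illustration.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_PROCESS_COUNT = 200               # from the report: fewer than 200 processes -> sample exits
ASSUMED_MIN_RESOLUTION = (1024, 768)  # assumption: smaller displays treated as a sandbox tell


@dataclass(frozen=True)
class EvasionReport:
    process_count: int
    resolution: Optional[Tuple[int, int]]
    trips_process_check: bool
    trips_resolution_check: bool

    @property
    def would_be_evaded(self) -> bool:
        # Either check alone is enough for the sample to bail out.
        return self.trips_process_check or self.trips_resolution_check


def evaluate_environment(process_count: int,
                         resolution: Optional[Tuple[int, int]]) -> EvasionReport:
    """Pure evaluation so it can be unit-tested without touching the host."""
    trips_proc = process_count < MIN_PROCESS_COUNT
    if resolution is None:
        trips_res = True  # assumption: no desktop at all reads as non-interactive
    else:
        width, height = resolution
        trips_res = width < ASSUMED_MIN_RESOLUTION[0] or height < ASSUMED_MIN_RESOLUTION[1]
    return EvasionReport(process_count, resolution, trips_proc, trips_res)


def count_processes() -> int:
    """Best-effort live process count: /proc on Linux, tasklist on Windows, ps elsewhere."""
    if os.path.isdir("/proc"):
        return sum(1 for name in os.listdir("/proc") if name.isdigit())
    if os.name == "nt":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        return sum(1 for line in out.splitlines() if line.strip())
    out = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    return max(len(out.splitlines()) - 1, 0)  # drop the header line


def current_resolution() -> Optional[Tuple[int, int]]:
    """Primary display size via tkinter when a desktop exists; None when headless."""
    try:
        import tkinter
        root = tkinter.Tk()
        root.withdraw()
        size = (root.winfo_screenwidth(), root.winfo_screenheight())
        root.destroy()
        return size
    except Exception:
        return None


def describe(report: EvasionReport) -> str:
    verdict = ("sample would likely EXIT before detonating"
               if report.would_be_evaded else "sample would likely run")
    return "\n".join([
        f"processes: {report.process_count} (check trips: {report.trips_process_check})",
        f"resolution: {report.resolution} (check trips: {report.trips_resolution_check})",
        verdict,
    ])


if __name__ == "__main__":
    print(describe(evaluate_environment(count_processes(), current_resolution())))
```

Run it inside the analysis VM as the same user that will open the sample; a result of "would likely EXIT" means the VM needs more background processes or a larger virtual display before it is worth detonating anything in it.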

ABCloader is also designed to launch a similar loader called “synchronize.exe” and a DLL file named “vcruntime190.dll” or “vcruntime220.dll,” which are capable of setting up persistence on the host.
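The file names and C2 address quoted in the article are the indicators a defender can act on immediately. The script below is an added example (not NSFOCUS's or the article's code) that matches those indicators against endpoint log lines; it refangs the `[.]` notation so the address as printed in the report still matches the dotted form logged by a sensor, and it requires an exact file-name match so a legitimate `vcruntime140.dll` is not flagged alongside the look-alike `vcruntime190.dll`. The log lines are constructed for illustration, in a Sysmon-like key=value layout; they are not real telemetry.

```python
"""Match the Actor240524 indicators from the report against log lines.

Added example. IOC values are those printed in the article; the log lines are
constructed samples, not captured telemetry.
"""
import re
from typing import Dict, List, Set, Tuple

# File names and C2 address as given in the report.
IOC_FILENAMES: Set[str] = {
    "microsoftwordupdater.log",
    "synchronize.dll",
    "synchronize.exe",
    "vcruntime190.dll",
    "vcruntime220.dll",
}
IOC_IPS: Set[str] = {"185.23.253.143"}

# Constructed sample log lines (Sysmon-style fields; paths and ports are invented).
SAMPLE_LOGS: List[str] = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\diplomat\\AppData\\Roaming\\synchronize.dll,Start"',
    'EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE '
    'TargetFilename=C:\\Users\\diplomat\\AppData\\Local\\Temp\\MicrosoftWordUpdater.log',
    'EventID=3 Image=C:\\Users\\diplomat\\AppData\\Roaming\\synchronize.exe '
    'DestinationIp=185.23.253[.]143 DestinationPort=443',
    'EventID=7 Image=C:\\Program Files\\Git\\git.exe '
    'ImageLoaded=C:\\Windows\\System32\\vcruntime140.dll',
    'EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe '
    'DestinationIp=203.0.113.10 DestinationPort=443',
]

# A file-name token ends in one of the extensions that appear in the IOC list.
_FILE_TOKEN = re.compile(r"[A-Za-z0-9_.\-]+\.(?:dll|exe|log)", re.IGNORECASE)
# IPv4 with optional defanging brackets around the dots, e.g. 185.23.253[.]143.
_IP_TOKEN = re.compile(r"\d{1,3}(?:\[?\.\]?\d{1,3}){3}")


def refang(ip: str) -> str:
    """Turn the report's 185.23.253[.]143 into the dotted form a sensor logs."""
    return ip.replace("[.]", ".")


def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Return the subset of known IOCs present in one log line."""
    files = {m.group(0).lower() for m in _FILE_TOKEN.finditer(line)}
    ips = {refang(m.group(0)) for m in _IP_TOKEN.finditer(line)}
    return {"files": files & IOC_FILENAMES, "ips": ips & IOC_IPS}


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, sorted matched IOCs) for every line with at least one hit."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        found = extract_indicators(line)
        matched = sorted(found["files"] | found["ips"])
        if matched:
            hits.append((idx, matched))
    return hits


if __name__ == "__main__":
    for line_no, matched in scan_log_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {', '.join(matched)}")
```

File-name matching on its own is coarse (an attacker can rename a loader), so treat a hit as a pivot point for the surrounding process tree and network activity rather than as a verdict. The benign `vcruntime140.dll` and Firefox lines in the sample are there to show that the matcher stays quiet on ordinary activity.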

“Azerbaijan and Israel are allied countries with close economic and political exchanges,” NSFOCUS said. “Actor240524’s operation this time is likely aimed at the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel of both countries.”
