A previously unknown threat actor has been attributed to a string of attacks targeting Azerbaijan and Israel with the aim of stealing sensitive data.
The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524.
“Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques,” the cybersecurity firm said in an analysis published last week.
The attack chains begin with phishing emails carrying Microsoft Word documents that, once opened, urge the recipient to click “Enable Content” and so run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader (“MicrosoftWordUpdater.log”).
In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync (“synchronize.dll”), which then establishes contact with a remote server (“185.23.253[.]143”) to receive and run commands.
“Its main function is to determine the running environment, decrypt the program, and load the subsequent DLL (ABCsync),” NSFOCUS said. “It then performs various anti-sandbox and anti-analysis techniques for environmental detection.”
Some of the notable capabilities of ABCsync are executing remote shells, running commands via cmd.exe, and exfiltrating system information and other data.
Both ABCloader and ABCsync have been observed employing techniques such as string encryption to conceal critical file paths, file names, keys, error messages, and command-and-control (C2) addresses. They also perform several checks to determine whether the process is being debugged or executed in a virtual machine or sandbox, including validating the display resolution.
Another notable step taken by Actor240524 is that the malware checks whether fewer than 200 processes are running on the compromised system and, if so, terminates itself; a sparsely populated process list is typical of automated analysis sandboxes rather than of a diplomat's workstation.
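The process-count floor is the one evasion threshold the report spells out; the debugger and display-resolution checks are described only as present. The following script, added here as an example and not code from NSFOCUS or from the malware, models those checks so an analyst can confirm that a sandbox or analysis VM would actually get to see the ABCsync stage. The `Environment` type, the function names, and the 1024x768 resolution floor are assumptions of this example (the report gives no resolution value); the 200-process threshold is the figure from the report.

```python
"""Checks a sandbox or analysis VM against the anti-analysis logic attributed to ABCloader/ABCsync.

Added example for this article, not code from NSFOCUS or from the malware itself.
"""
import os
import platform
import subprocess
from dataclasses import dataclass
from typing import List

# Stated in the NSFOCUS analysis: fewer than 200 running processes makes the loader exit.
MIN_PROCESS_COUNT = 200

# Assumption: the report says the loader validates the display resolution but gives no
# threshold, so this floor is a placeholder for the analyst to tune, not a value from the report.
MIN_RESOLUTION = (1024, 768)


@dataclass
class Environment:
    """Properties of the machine the sample would run on (hypothetical type for this example)."""
    process_count: int
    screen_width: int
    screen_height: int
    debugger_present: bool = False


def tripped_checks(env: Environment) -> List[str]:
    """Return the names of the checks that would make the loader bail out, in evaluation order."""
    tripped = []
    if env.debugger_present:
        tripped.append("debugger")
    if env.screen_width < MIN_RESOLUTION[0] or env.screen_height < MIN_RESOLUTION[1]:
        tripped.append("resolution")
    if env.process_count < MIN_PROCESS_COUNT:
        tripped.append("process_count")
    return tripped


def loader_would_run(env: Environment) -> bool:
    """True when none of the described evasion checks fires, i.e. the sandbox would see the payload."""
    return not tripped_checks(env)


def count_host_processes() -> int:
    """Best-effort process count for the current host using only the standard library.

    Returns -1 on platforms where neither /proc nor tasklist is available.
    """
    if os.path.isdir("/proc"):
        return sum(1 for name in os.listdir("/proc") if name.isdigit())
    if platform.system() == "Windows":
        result = subprocess.run(
            ["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=False
        )
        return sum(1 for line in result.stdout.splitlines() if line.strip())
    return -1


if __name__ == "__main__":
    # Constructed sample environments: a bare analysis VM and one padded with filler processes.
    bare_vm = Environment(process_count=60, screen_width=800, screen_height=600)
    padded_vm = Environment(process_count=240, screen_width=1920, screen_height=1080)
    for label, env in (("bare VM", bare_vm), ("padded VM", padded_vm)):
        print(f"{label}: tripped={tripped_checks(env)} runs={loader_would_run(env)}")
    live = count_host_processes()
    if live >= 0:
        verdict = "below" if live < MIN_PROCESS_COUNT else "at or above"
        print(f"this host: {live} processes ({verdict} the 200-process floor)")
```

Run it on the sandbox image itself: if `count_host_processes()` comes back under 200, pad the image with benign background processes (or patch the count the guest reports) before detonating the document, otherwise the only thing the sandbox will record is a clean exit from ABCloader.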
ABCloader is also designed to launch a similar loader called “synchronize.exe” together with a DLL named “vcruntime190.dll” or “vcruntime220.dll,” which are capable of establishing persistence on the host.
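The file names and the C2 address quoted in the attack chain above, together with the persistence components named here, are enough to build a first-pass hunt. The script below is an added example, not NSFOCUS tooling: it matches constructed endpoint telemetry against those indicators and against one behavioural rule that does not depend on the names (a non-Office process spawned by Word). The event schema, the sample events, the Office child-process allowlist, and the function names are assumptions of this example. One observation worth folding into the rule: the genuine Visual C++ runtime ships as vcruntime140.dll, so the 190 and 220 variants are suspicious on their own.

```python
"""Hunts constructed endpoint telemetry for the ABCloader/ABCsync artifacts named in the report.

Added example for this article, not NSFOCUS tooling. The event schema (type, image, parent,
target, loaded, dest_ip) is an assumption modelled loosely on Sysmon-style records.
"""
from typing import Dict, List, Tuple

# File names quoted in the NSFOCUS analysis (compared case-insensitively).
FILE_IOCS = {
    "microsoftwordupdater.log",  # ABCloader
    "synchronize.dll",           # ABCsync
    "synchronize.exe",           # second loader
    "vcruntime190.dll",          # persistence DLL names; the genuine runtime is vcruntime140.dll
    "vcruntime220.dll",
}

# C2 address from the report, defanged in the article as 185.23.253[.]143.
C2_IPS = {"185.23.253.143"}

# Binaries Word may legitimately spawn (assumption for this example: tune to your estate).
OFFICE_CHILD_ALLOWLIST = {"winword.exe", "splwow64.exe", "excel.exe", "outlook.exe"}

Event = Dict[str, str]

# Constructed sample telemetry for the described chain, plus one benign event at the end.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\diplomat\AppData\Local\Temp\MicrosoftWordUpdater.log"},
    {"type": "process", "image": r"C:\Users\diplomat\AppData\Local\Temp\synchronize.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "image_load", "image": r"C:\Users\diplomat\AppData\Local\Temp\synchronize.exe",
     "loaded": r"C:\Users\diplomat\AppData\Local\Temp\vcruntime220.dll"},
    {"type": "network", "image": r"C:\Users\diplomat\AppData\Local\Temp\synchronize.exe",
     "dest_ip": "185.23.253.143", "dest_port": "443"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Event) -> List[str]:
    """Return the reasons an event matches; an empty list means no match."""
    reasons = []
    kind = event.get("type")
    if kind == "process":
        if basename(event["image"]) in FILE_IOCS:
            reasons.append("ioc:image")
        parent = basename(event.get("parent", ""))
        if parent == "winword.exe" and basename(event["image"]) not in OFFICE_CHILD_ALLOWLIST:
            reasons.append("behaviour:winword-spawned-process")
    elif kind == "file" and basename(event["target"]) in FILE_IOCS:
        reasons.append("ioc:file-written")
    elif kind == "image_load" and basename(event["loaded"]) in FILE_IOCS:
        reasons.append("ioc:dll-loaded")
    elif kind == "network" and event.get("dest_ip") in C2_IPS:
        reasons.append("ioc:c2-address")
    return reasons


def hunt(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Index every matching event with its reasons, in input order."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[index]
        print(f"[{index}] {event['type']:<10} {basename(event['image'])}: {', '.join(reasons)}")
```

The name-based rules are cheap but brittle, since the actor can rename files between campaigns; the Word-spawns-non-Office-process rule survives renaming but will fire on legitimate activity such as Word opening a hyperlink in a browser, so keep its allowlist under review rather than suppressing the rule.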
“Azerbaijan and Israel are allied countries with close economic and political exchanges,” NSFOCUS said. “Actor240524’s operation this time is likely aimed at the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel of both countries.”