A previously unknown threat actor has been attributed to a spate of attacks targeting Azerbaijan and Israel with an aim to steal sensitive data.
The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524.
“Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques,” the cybersecurity company said in an analysis published last week.
The attack chains begin with the use of phishing emails bearing Microsoft Word documents that, upon opening, urge the recipients to “Enable Content” and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader (“MicrosoftWordUpdater.log”).
In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync (“synchronize.dll”), which then establishes contact with a remote server (“185.23.253[.]143”) to receive and run commands.
“Its main function is to determine the running environment, decrypt the program, and load the next DLL (ABCsync),” NSFOCUS said. “It then performs various anti-sandbox and anti-analysis techniques for environmental detection.”
Some of the prominent functions of ABCsync are to execute remote shells, run commands using cmd.exe, and exfiltrate system information and other data.
Both ABCloader and ABCsync have been observed employing techniques like string encryption to cloak critical file paths, file names, keys, error messages, and command-and-control (C2) addresses. They also carry out several checks to determine if the processes are being debugged or executed in a virtual machine or sandbox by validating the screen resolution.
Another important step taken by Actor240524 is that it checks if the number of processes running in the compromised system is less than 200, and if so, it exits the malicious process.
ABCloader is also designed to launch a similar loader called “synchronize.exe” and a DLL file named “vcruntime190.dll” or “vcruntime220.dll,” which are capable of setting up persistence on the host.
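The attack chain above (Word macro, ABCloader, ABCsync, C2 callback, secondary loader) leaves a small set of observable artifacts: the file names and the C2 address quoted in the report, plus a Word process spawning a child. The script below is an added example written for this article, not NSFOCUS code, that scans Sysmon-style process, image-load, file-create and network events for those indicators. The key=value log format and the sample log lines are constructed for the demonstration; the indicator values themselves are the ones quoted in the text (the C2 address is refanged from its 185.23.253[.]143 form).

```python
"""Flag log lines matching the Actor240524 (ABCloader / ABCsync) indicators.

Added example, not from the NSFOCUS report. Log lines are a simplified
key=value rendering of Sysmon events, constructed here for the demo.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators quoted in the article.
C2_ADDRESSES = {"185.23.253.143"}
IOC_FILENAMES = {
    "microsoftwordupdater.log",  # ABCloader
    "synchronize.dll",           # ABCsync
    "synchronize.exe",           # secondary loader
    "vcruntime190.dll",          # persistence DLL
    "vcruntime220.dll",          # persistence DLL
}
OFFICE_PARENT = "winword.exe"   # the macro-bearing Word document is the entry point


@dataclass
class Finding:
    line_no: int
    reason: str
    raw: str


def refang(value: str) -> str:
    """Turn a defanged indicator such as 185.23.253[.]143 into a matchable form."""
    return value.replace("[.]", ".")


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'Key=value Key2="quoted value"' into a dict; keys and values lowercased."""
    return {k.lower(): v.strip('"').lower() for k, v in _KV.findall(line)}


def inspect(fields: Dict[str, str], line_no: int, raw: str) -> List[Finding]:
    """Apply the three indicator rules to one parsed event."""
    hits: List[Finding] = []
    event = fields.get("eventid")
    # Rule 1: outbound connection to the reported ABCsync C2 address.
    if event == "3" and refang(fields.get("destinationip", "")) in C2_ADDRESSES:
        hits.append(Finding(line_no, "network connection to known ABCsync C2", raw))
    # Rule 2: any image, loaded DLL or created file with a reported artifact name.
    for key in ("image", "imageloaded", "targetfilename"):
        if ntpath.basename(fields.get(key, "")) in IOC_FILENAMES:
            hits.append(Finding(line_no, f"{key} matches ABCloader/ABCsync artifact", raw))
    # Rule 3: Word spawning a child process, the macro-execution step of the chain.
    if event == "1" and ntpath.basename(fields.get("parentimage", "")) == OFFICE_PARENT:
        hits.append(Finding(line_no, "Word spawned a child process (macro execution)", raw))
    return hits


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines; unparseable or blank lines are skipped rather than fatal."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        fields = parse_line(raw)
        if not fields:
            continue
        findings.extend(inspect(fields, n, raw))
    return findings


# Constructed sample events: four that should fire, one benign, one blank.
SAMPLE_LOGS = [
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'EventID=7 Image="C:\\Windows\\System32\\rundll32.exe" ImageLoaded="C:\\Users\\user\\AppData\\Local\\Temp\\synchronize.dll"',
    'EventID=3 Image="C:\\Windows\\System32\\rundll32.exe" DestinationIp=185.23.253.143 DestinationPort=443',
    'EventID=11 Image="C:\\Windows\\System32\\cmd.exe" TargetFilename="C:\\Users\\user\\AppData\\Roaming\\MicrosoftWordUpdater.log"',
    'EventID=3 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" DestinationIp=203.0.113.10 DestinationPort=443',
    "",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason}")
```

Rule 3 is the noisiest of the three on a real estate: Word legitimately spawns some children, so in production it is usually narrowed to scripting and shell interpreters or correlated with the file-name and C2 rules rather than alerted on alone. The file-name rule is also the weakest against this actor, since the report notes that ABCloader and ABCsync encrypt their own file names and C2 address in memory; on disk the names still appear, which is why file-create and image-load events are the place to look.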
“Azerbaijan and Israel are allied countries with close economic and political exchanges,” NSFOCUS said. “Actor240524’s operation this time is likely aimed at the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel of both countries.”