
New cyber threat targets diplomats from Azerbaijan and Israel, steals sensitive data
August 15, 2024 | Ravie Lakshmanan | Cyber espionage / Data theft

An as-yet-unknown threat actor is believed to be responsible for a series of attacks on Azerbaijan and Israel aimed at stealing sensitive data.

The attack campaign, discovered by NSFOCUS on July 1, 2024, used spear-phishing emails to target Azerbaijani and Israeli diplomats. The activity is being tracked under the name Actor240524.

“Actor240524 can steal secrets and modify file data, using a variety of countermeasures to prevent overexposure of attack tactics and techniques,” the cybersecurity firm said in an analysis published last week.


The attack chains begin with phishing emails carrying Microsoft Word documents. When the document is opened, the recipient is prompted to enable content, which runs a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader (dropped under the innocuous-looking file name “MicrosoftWordUpdater.log”).

In the next step, ABCloader acts as a conduit to decode and load a malicious DLL called ABCsync (“synchronize.dll”). This DLL then contacts a remote server (“185.23.253(.)143”) to receive and execute commands.


“Its main function is to determine the active environment, decode the program, and load the subsequent DLL (ABCsync),” NSFOCUS said. “It then performs various anti-sandbox and anti-analysis techniques for environment detection.”

Notable capabilities of ABCsync include running remote shells, executing commands via cmd.exe, and exfiltrating system information and other data.

Both ABCloader and ABCsync have been observed using string encryption to hide important file paths, file names, keys, error messages, and command-and-control (C2) addresses. They also perform various checks for an attached debugger and for virtual-machine or sandbox environments, including validating the screen resolution.


Actor240524 also checks whether fewer than 200 processes are running on the compromised system; if so, the malicious process terminates itself, since a low process count is typical of an analysis sandbox rather than a real workstation.

ABCloader is also designed to launch a similar loader named “synchronize.exe” and a DLL file named “vcruntime190.dll” or “vcruntime220.dll”, which can establish persistence on the host.
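The chain described above (Word macro, a loader dropped as a “.log” file, the ABCsync DLL, a C2 connection, and cmd.exe for command execution) can be turned into host-based detection logic. The following is an added example written for this page, not code from NSFOCUS or the article; it runs a few rules over constructed Sysmon-style events. The indicator values (file names, DLL names, the C2 address) come from the article; the event schema, the sample events, and the rule thresholds are assumptions of the example.

```python
"""Detection rules for the ABCloader -> ABCsync -> C2 -> cmd.exe chain,
run over constructed Sysmon-style events (assumed schema, not real logs)."""
import ntpath

# Indicators from the article. The C2 address is the article's defanged
# "185.23.253(.)143", written plainly here so it can be matched.
C2_IPS = {"185.23.253.143"}
# ABCsync and the persistence DLLs. The vcruntime names mimic the legitimate
# MSVC runtime library vcruntime140.dll; 190 and 220 are not real versions.
IMPLANT_MODULES = {"synchronize.dll", "vcruntime190.dll", "vcruntime220.dll"}
IMPLANT_PROCESSES = {"synchronize.exe"}
OFFICE_PARENTS = {"winword.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return a list of (rule, pid, detail) alerts for an event stream.

    Each event is a dict with a 'type' of process_create, image_load or
    network_connect; the field names are an assumed Sysmon-like schema."""
    alerts = []
    implant_pids = set()  # processes already tied to the chain
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            image = _base(ev["image"])
            parent = _base(ev.get("parent_image"))
            cmd = ev.get("command_line", "").lower()
            # Rule 1: Word launching something that references a ".log" file.
            # The article's loader is dropped as "MicrosoftWordUpdater.log";
            # a .log name on an executed payload is the anomaly (tune as needed).
            if parent in OFFICE_PARENTS and ".log" in cmd:
                alerts.append(("office_spawned_log_payload", pid, cmd))
                implant_pids.add(pid)
            # Rule 2: the secondary loader named in the article.
            if image in IMPLANT_PROCESSES:
                alerts.append(("implant_process", pid, image))
                implant_pids.add(pid)
            # Rule 4: cmd.exe spawned by a process already tied to the chain
            # (ABCsync executes commands via cmd.exe).
            if image == "cmd.exe" and ev.get("ppid") in implant_pids:
                alerts.append(("cmd_from_implant", pid, cmd))
        elif kind == "image_load":
            # Rule 3: ABCsync or one of the persistence DLLs being loaded.
            mod = _base(ev["loaded"])
            if mod in IMPLANT_MODULES:
                alerts.append(("implant_module_load", pid, mod))
                implant_pids.add(pid)
        elif kind == "network_connect":
            # Rule 5: contact with the article's C2 address.
            if ev["dest_ip"] in C2_IPS:
                alerts.append(("c2_connection", pid, ev["dest_ip"]))
    return alerts


# Constructed sample events: one infection chain plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1200, "ppid": 1000,
     "image": r"C:\Users\user\AppData\Local\Temp\MicrosoftWordUpdater.log",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"C:\Users\user\AppData\Local\Temp\MicrosoftWordUpdater.log"},
    {"type": "image_load", "pid": 1200,
     "image": r"C:\Users\user\AppData\Local\Temp\MicrosoftWordUpdater.log",
     "loaded": r"C:\Users\user\AppData\Local\Temp\synchronize.dll"},
    {"type": "network_connect", "pid": 1200,
     "dest_ip": "185.23.253.143", "dest_port": 443},
    {"type": "process_create", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\MicrosoftWordUpdater.log",
     "command_line": "cmd.exe /c systeminfo"},
    # Benign: a browser loading the real runtime and talking to a test-net IP.
    {"type": "image_load", "pid": 2000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Windows\System32\vcruntime140.dll"},
    {"type": "network_connect", "pid": 2000,
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Rules 1 and 3 seed a set of process IDs tied to the chain, so the cmd.exe rule only fires for shells spawned by a process that already exhibited loader or implant behaviour; this keeps ordinary cmd.exe usage from alerting while still catching the command-execution stage the article describes.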

“Azerbaijan and Israel are allies with close economic and political exchanges,” NSFOCUS said. “Actor240524’s operation this time likely targets the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel from both countries.”
