APT17

Carding Forum

Italy's TG Soft has revealed China-linked APT17 attacks targeting Italian companies and government agencies using the 9002 RAT malware.

Two targeted attacks occurred on June 24 and July 2, 2024. The first used an Office document, while the second contained a malicious link.

In both cases, the victim was prompted to install a Skype for Business package from a domain resembling one used by the Italian government, in order to deliver the 9002 RAT.

APT17 was first documented by Mandiant (then FireEye) in 2013 as part of cyber espionage operations called DeputyDog and Ephemeral Hydra, which relied on zero-day vulnerabilities in Microsoft's Internet Explorer to compromise targets.

The actor is also known as Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, and overlaps somewhat in tooling with another attacker called Webworm.

9002 RAT, also known as Hydraq and McRAT, became known as a favored cyber weapon during Operation Aurora, conducted against Google and other large companies in 2009.

The RAT was subsequently also used in a 2013 campaign called Sunshop, in which attackers inserted malicious redirects into several websites.

The recent attacks use phishing lures to trick recipients into clicking a link that prompts them to download a Skype for Business MSI installer (SkypeMeeting.msi).

Running the MSI package executes a Java archive (JAR) file via a Visual Basic Script (VBS), while also installing the legitimate software on the Windows system.

The Java application, in turn, decrypts and executes the shellcode responsible for launching 9002 RAT.

The modular 9002 RAT trojan can monitor network traffic, take screenshots, enumerate files, manage processes, and run additional commands received from the C2 server, among other functions.

TG Soft believes the malware is constantly being updated, including with fileless variants.

It consists of various modules that the attacker activates as needed to reduce the likelihood of detection.
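The post describes a three-stage execution chain (msiexec installing the MSI, a VBS run by Windows Script Host, Java launching the JAR that decrypts the shellcode). That parent-child chain is something a defender can hunt for in process-creation telemetry. The script below is an added example, not code from TG Soft or from the post: it walks Sysmon-style process events by parent PID and flags any Java process launched from a script host that was itself launched by msiexec. The event schema (pid, ppid, image, cmdline), the sample events and every path in them are constructed for illustration.

```python
"""Hunting the MSI -> VBScript -> Java chain described in the post.

Added example, not code from TG Soft or from the post. The events below are
constructed Sysmon-style process-creation records, not real telemetry; the
field names and the paths in the command lines are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed schema: pid, ppid, image, cmdline)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Stage-by-stage image names for the chain in the post:
# msiexec (MSI install) -> Windows Script Host running the VBS -> Java launching the JAR.
INSTALLER = {"msiexec.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA = {"java.exe", "javaw.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (handles back or forward slashes)."""
    return ntpath.basename(image).lower()


def find_msi_vbs_java_chains(events: list[ProcEvent]) -> list[tuple[int, int, int]]:
    """Return (msiexec pid, script-host pid, java pid) for every Java process whose
    parent is a script host whose parent is msiexec. Parents are resolved via ppid
    only, so a JAR launched directly by msiexec (no VBS hop) or from a user shell
    is not flagged."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, int, int]] = []
    for java in events:
        # The post describes a JAR being executed, so require an explicit -jar launch.
        if basename(java.image) not in JAVA or "-jar" not in java.cmdline.lower():
            continue
        host = by_pid.get(java.ppid)
        if host is None or basename(host.image) not in SCRIPT_HOSTS:
            continue
        installer = by_pid.get(host.ppid)
        if installer is None or basename(installer.image) not in INSTALLER:
            continue
        hits.append((installer.pid, host.pid, java.pid))
    return hits


# Constructed sample events (not real telemetry). PIDs 200/300/400 form the
# suspicious chain; 500 and 600 are benign look-alikes that must not match.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\user\Downloads\SkypeMeeting.msi"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Windows\Installer\MSI1A2B.tmp\run.vbs"'),  # assumed path
    ProcEvent(400, 300, r"C:\Program Files\Java\bin\javaw.exe",
              r'javaw.exe -jar "C:\ProgramData\Skype\meeting.jar"'),  # assumed path
    # Benign: a developer launching a JAR from Explorer.
    ProcEvent(500, 100, r"C:\Program Files\Java\bin\java.exe", r"java.exe -jar tool.jar"),
    # Benign: an installer that runs Java directly, with no VBS hop in between.
    ProcEvent(600, 200, r"C:\Program Files\Java\bin\java.exe", r"java.exe -jar setup.jar"),
]

if __name__ == "__main__":
    for msi_pid, vbs_pid, java_pid in find_msi_vbs_java_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: msiexec {msi_pid} -> script host {vbs_pid} -> java {java_pid}")
```

Two practitioner caveats: MSI custom actions normally execute under the Windows Installer service's own msiexec.exe rather than the copy the user double-clicked, so the root of a real chain is usually that SYSTEM-level process (the image name still matches). And this is a hunting heuristic for the chain shape the post describes, not a signature for 9002 RAT; legitimate installers that use Windows Script Host will need to be baselined out.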
 