Campaign SpyGlace: APT-C-60’s Stealthy Zero-Day Offensive Targeting East Asia’s Cyber Ecosystem


Tags: WPS Office Vulnerability, State-Sponsored Attack, Zero-Day Exploit, APT-C-60
APT-C-60 is using zero-day exploits in WPS Office to infiltrate East Asian networks. This stealthy campaign deploys the SpyGlace backdoor, compromising sensitive data and maintaining long-term access to targeted systems.

Indicators of Compromise

rammenale.com

APT Groups (1)

APT-C-60

Summary of Actor: APT-C-60 is a Chinese state-sponsored threat actor known for its cyber espionage operations. This group primarily targets government and industry sectors to gather intelligence and gain strategic advantages for China. They have a history of conducting prolonged campaigns involving sophisticated techniques.

General Features: APT-C-60 is characterized by its persistence, advanced skills, and use of zero-day vulnerabilities. The group's activities often align with China's geopolitical interests and strategic objectives.

Related Other Groups: APT41, APT10, Deep Panda

Indicators of Attack (IoA):
- Use of spear-phishing emails
- Credential dumping
- Custom malware deployment

Recent Activities and Trends:
- Latest Campaigns: APT-C-60 recently conducted a campaign targeting the defense sector in the United States, utilizing spear-phishing emails with malicious attachments. The group also launched attacks on critical infrastructure in Japan, leveraging vulnerabilities in network devices.
- Emerging Trends: The group has been observed using more sophisticated evasion techniques, such as advanced obfuscation and encryption methods, to avoid detection. Additionally, there has been a shift towards targeting supply chains to indirectly compromise their primary targets.

Aliases: APT-Q-12, APT-C-60

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION
T1203 - Exploitation for Client Execution

ID | Data Source | Data Component
DS0015 | Application Log | Application Log Content
Detects:

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

DS0009 | Process | Process Creation
Detects:

Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for other behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser or Office processes.

For example, it is not expected behavior for the print spooler service to be executing discovery-type processes. However, this is only one example; it could be any number of native or third-party processes executing unusual or unknown (potentially adversary-brought) processes.

Note:
- Analytic 1: look for instances where Office applications (e.g., Word, Excel, PowerPoint) are launched with suspicious parameters or from unusual locations.
- Analytic 2: look for abnormal child process creation by Office applications, especially when accompanied by suspicious command-line parameters.

Analytic 1 - Office Application Process Execution

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="*\winword.exe" OR Image="*\excel.exe" OR Image="*\powerpnt.exe") AND (CommandLine="*macro*" OR CommandLine="*automation*" OR CommandLine="*shellcode*") AND ParentCommandLine="*open*"

Analytic 2 - Unusual Child Process Creation

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (ParentImage="*\winword.exe" OR ParentImage="*\excel.exe" OR ParentImage="*\powerpnt.exe") AND (Image!="*\system32\*" AND Image!="*\program files*")
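As an added example (not code from the original page, nor one of MITRE's own analytics), the logic of the two analytics above expressed in Python over constructed Sysmon Event ID 1 records. winword.exe, excel.exe and powerpnt.exe come from the analytics; wps.exe as the WPS Writer binary, the interpreter list, and every sample path are assumptions. The child-path exclusion is written as a conjunction: a child path that is "not under System32 or not under Program Files" describes every path, so the test has to require both before it suppresses anything.

```python
# Added example: Python rendering of the Office-application analytics.
# Not from the original page; wps.exe, the interpreter list and the
# sample paths are assumptions / constructed data.
from dataclasses import dataclass

OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "wps.exe")  # wps.exe assumed
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")  # assumed starting set
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files")
SUSPICIOUS_ARGS = ("macro", "automation", "shellcode")


@dataclass
class ProcessEvent:
    """Fields of a Sysmon Event ID 1 (process creation) record used here."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analytic1_office_launch(ev: ProcessEvent) -> bool:
    """Analytic 1: an Office binary started with suspicious arguments or
    from a location outside the trusted prefixes."""
    if basename(ev.image) not in OFFICE_IMAGES:
        return False
    odd_args = any(k in ev.command_line.lower() for k in SUSPICIOUS_ARGS)
    odd_path = not ev.image.lower().startswith(TRUSTED_PREFIXES)
    return odd_args or odd_path


def analytic2_office_child(ev: ProcessEvent) -> bool:
    """Analytic 2: an Office binary spawned a script/command interpreter or a
    child outside the trusted prefixes. Both prefix tests must fail (AND) for
    the path to count as untrusted."""
    if basename(ev.parent_image) not in OFFICE_IMAGES:
        return False
    untrusted_path = not ev.image.lower().startswith(TRUSTED_PREFIXES)
    return basename(ev.image) in INTERPRETERS or untrusted_path


def triage(events):
    """Return (index, analytic name) pairs for every record that fires."""
    hits = []
    for i, ev in enumerate(events):
        if analytic1_office_launch(ev):
            hits.append((i, "analytic1"))
        if analytic2_office_child(ev):
            hits.append((i, "analytic2"))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: ordinary document open from Explorer -> no hit
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\a\\quarterly.docx"',
                 r"C:\Windows\explorer.exe", "explorer.exe"),
    # 1: Word spawning PowerShell -> analytic 2
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc AAAA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\a\\invoice.docx"'),
    # 2: WPS Writer spawning a binary from a temp directory -> analytic 2
    ProcessEvent(r"C:\Users\a\AppData\Local\Temp\update.exe", "update.exe",
                 r"C:\Program Files\WPS Office\wps.exe", "wps.exe"),
    # 3: Word launched from a temp directory with /automation -> analytic 1
    ProcessEvent(r"C:\Users\a\AppData\Local\Temp\winword.exe",
                 "winword.exe /automation", r"C:\Windows\explorer.exe", "explorer.exe"),
    # 4: Word starting a helper under Program Files -> no hit
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\helper.exe",
                 "helper.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WINWORD.EXE"),
]

if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name} fired on {SAMPLE_EVENTS[idx].image}")
```

The ParentCommandLine="*open*" constraint of Analytic 1 is left out here; the other fields the two queries test are the ones the functions check, and the record set includes a benign Office child under Program Files to show the conjunction suppressing it.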



T1566.001 - Phishing: Spearphishing Attachment


ID | Data Source | Data Component
DS0015 | Application Log | Application Log Content
Detects:

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[255][256] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[257]

DS0022 | File | File Creation
Detects:

Monitor for newly constructed files from spearphishing emails with malicious attachments that attempt to gain access to victim systems.

DS0029 | Network Traffic | Network Traffic Content
Detects:

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[255][256]



DS0029 | Network Traffic | Network Traffic Flow
Detects:

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
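As an added example (not code from the original page), the "DKIM+SPF or header analysis" check from the Application Log and Network Traffic Content rows above, in Python: read the Authentication-Results header (RFC 8601) that the receiving MTA stamps on a message, then flag the message when no passing SPF or DKIM result aligns with the RFC 5322 From domain. Alignment is the relaxed parent/child-domain form without a public-suffix list, which is a simplification; the three messages and the mx.corp.example authserv-id are constructed.

```python
# Added example: SPF/DKIM alignment check against the From header.
# Not from the original page; messages and authserv-id are constructed.
import email
import re
from email.utils import parseaddr

COMMENT_RE = re.compile(r"\([^)]*\)")  # CFWS comments such as "(2048-bit key)"


def parse_auth_results(value):
    """Return [(method, result, {property: value})] from one header value."""
    value = COMMENT_RE.sub(" ", value)
    parts = [p.strip() for p in value.split(";")]
    results = []
    for resinfo in parts[1:]:  # parts[0] is the authserv-id
        if not resinfo or resinfo.lower() == "none":
            continue
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                props[key.lower()] = val.strip('"').lower()
        results.append((method.lower(), result.lower(), props))
    return results


def domains_aligned(a, b):
    """Relaxed alignment: equal, or one is a subdomain of the other (simplified)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def sender_spoof_verdict(raw_message):
    """("pass", why) when an aligned SPF or DKIM pass exists, else ("flag", why)."""
    msg = email.message_from_string(raw_message)
    fd = from_domain(msg)
    if not fd:
        return "flag", "no parseable From domain"
    aligned = []
    for header in msg.get_all("Authentication-Results", []):
        for method, result, props in parse_auth_results(header):
            if result != "pass":
                continue
            if method == "spf":
                authed = props.get("smtp.mailfrom", "").rpartition("@")[2]
            elif method == "dkim":
                authed = props.get("header.d", "")
            else:
                continue
            if authed and domains_aligned(authed, fd):
                aligned.append(method)
    if aligned:
        return "pass", "aligned " + "+".join(sorted(set(aligned)))
    return "flag", f"no SPF/DKIM pass aligned with From domain {fd}"


# Constructed messages (not real mail).
LEGIT = """From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Q3 figures
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=alice@corp.example;
 dkim=pass (2048-bit key) header.d=corp.example header.s=sel1

See attached.
"""

SPOOFED = """From: "IT Helpdesk" <helpdesk@corp.example>
To: bob@corp.example
Subject: Urgent: document review
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=k1

Please open the attached document.
"""

UNAUTHENTICATED = """From: Carol <carol@corp.example>
To: bob@corp.example
Subject: Invoice
Authentication-Results: mx.corp.example; none

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("unauthenticated", UNAUTHENTICATED)):
        print(name, sender_spoof_verdict(raw))
```

The spoofed message passes both SPF and DKIM, yet for a domain unrelated to the displayed From address; that is exactly the case a plain "did SPF pass" filter misses and an alignment check catches.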



T1059.001 - Command and Scripting Interpreter: PowerShell


ID | Data Source | Data Component
DS0017 | Command | Command Execution
Detects:

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [273] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[274] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.

DS0011 | Module | Module Load
Detects:

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]

Analytic 1 - Processes loading PowerShell assemblies

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" | where ModulePath LIKE "%system.management.automation%" OR FileDescription LIKE "%system.management.automation%"

DS0009 | Process | Process Creation
Detects:

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

PowerShell can be used to hide monitored command-line execution, such as:
- net use
- sc start
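As an added example (not code from the original page), the PowerShell signals described in the Command Execution, Module Load and Process Creation rows above, checked in Python over constructed Sysmon records: wsmprovhost.exe started by svchost.exe (a remote session), an execution-policy override on the command line, native commands such as net or sc launched from inside PowerShell, and System.Management.Automation.dll loaded by a process that is not a PowerShell host. pwsh.exe (PowerShell 7) in the host list and all sample paths are assumptions.

```python
# Added example: PowerShell-related detections over Sysmon Event ID 1
# (process creation) and Event ID 7 (image load) records as dicts.
# Not from the original page; pwsh.exe and the sample data are assumptions.
import re

PS_HOSTS = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")
PS_ASSEMBLY = "system.management.automation"
NATIVE_FROM_PS = ("net.exe", "net1.exe", "sc.exe")
# -ExecutionPolicy accepts any unambiguous prefix (-ep, -ex, -exec, ...)
EXEC_POLICY_RE = re.compile(r"-e[xp]\w*\s+(bypass|unrestricted)\b|set-executionpolicy")


def base(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev):
    """Return the signal names raised by one Sysmon record."""
    hits = []
    if ev["EventID"] == 1:
        image, parent = base(ev["Image"]), base(ev["ParentImage"])
        cmdline = ev.get("CommandLine", "").lower()
        if image == "wsmprovhost.exe" and parent == "svchost.exe":
            hits.append("remote_session")
        if image in PS_HOSTS and EXEC_POLICY_RE.search(cmdline):
            hits.append("execpolicy_override")
        if parent in PS_HOSTS and image in NATIVE_FROM_PS:
            hits.append("native_from_powershell")
    elif ev["EventID"] == 7:
        loaded = ev["ImageLoaded"].lower()
        if PS_ASSEMBLY in loaded and base(ev["Image"]) not in PS_HOSTS:
            hits.append("assembly_unexpected_host")
    return hits


def scan(events):
    """(index, signal) for every signal raised across the record list."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: WinRM provider host started by svchost -> remote_session
    {"EventID": 1, "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # 1: execution policy overridden on the command line -> execpolicy_override
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -ep bypass -File C:\Users\a\AppData\Local\Temp\run.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2: net.exe launched from a PowerShell parent -> native_from_powershell
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\share",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 3: unknown binary loading the PowerShell engine -> assembly_unexpected_host
    {"EventID": 7, "Image": r"C:\Users\a\AppData\Local\Temp\loader.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    # 4: powershell.exe loading its own engine -> no hit
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    # 5: scheduled maintenance script under svchost -> no hit
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, signal in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {signal} ({SAMPLE_EVENTS[idx]['Image']})")
```

Record 5 is there to show that a svchost.exe parent alone is not a signal; only the wsmprovhost.exe child marks a WinRM-backed session, and Script Block Logging would be the source to add for what ran inside that session.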

Observed Countries (16)

BN (260)
CN (855)
HK (951)
ID (483)
JP (913)
KH (302)
KR (764)
MM (991)
MN (509)
MY (519)
PG (390)
PH (578)
SG (532)
TH (864)
TL (933)
VN (949)