A previously unknown threat actor has been attributed to a spate of attacks targeting Azerbaijan and Israel with an aim to steal sensitive data.
The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524.
“Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques,” the cybersecurity company said in an analysis published last week.
The attack chains commence with the use of phishing emails bearing Microsoft Word documents that, upon opening, urge the recipients to “Enable Content” and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader (“MicrosoftWordUpdater.log”).
In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync (“synchronize.dll”), which then establishes contact with a remote server (“185.23.253[.]143”) to receive and run commands.
“Its main function is to determine the running environment, decrypt the program, and load the subsequent DLL (ABCsync),” NSFOCUS said. “It then performs various anti-sandbox and anti-analysis techniques for environmental detection.”
Some of the prominent functions of ABCsync are to execute remote shells, run commands using cmd.exe, and exfiltrate system information and other data.
Both ABCloader and ABCsync have been observed employing techniques like string encryption to cloak important file paths, file names, keys, error messages, and command-and-control (C2) addresses. They also carry out several checks to determine if the processes are being debugged or executed in a virtual machine or sandbox by validating the display resolution.
Another crucial step taken by Actor240524 is that it inspects if the number of processes running in the compromised system is less than 200, and if so, it exits the malicious process.
ABCloader is also designed to launch a similar loader called “synchronize.exe” and a DLL file named “vcruntime190.dll” or “vcruntime220.dll,” which are capable of setting up persistence on the host.
“Azerbaijan and Israel are allied countries with close economic and political exchanges,” NSFOCUS said. “Actor240524’s operation this time is likely aimed at the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel of both countries.”