A previously unidentified threat actor has been linked to a series of attacks targeting Azerbaijan and Israel, with the goal of stealing sensitive information.
The campaign, discovered by NSFOCUS on July 1, 2024, used spear-phishing emails aimed specifically at diplomats from Azerbaijan and Israel. The activity is being tracked under the codename Actor240524.
“Actor240524 has demonstrated the capability to steal confidential information and alter file data, utilizing various countermeasures to minimize the exposure of its attack methodologies,” the cybersecurity firm noted in an analysis released last week.
The attack process begins with phishing emails containing Microsoft Word documents. When these documents are opened, they prompt the recipients to “Enable Content” and execute a malicious macro that launches an intermediate loader payload named ABCloader (“MicrosoftWordUpdater.log”).
Subsequently, ABCloader functions as a bridge to decrypt and load a DLL malware named ABCsync (“synchronize.dll”), which then communicates with a remote server (“185.23.253[.]143”) to receive and execute commands.
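The chain above starts with a Word lure that needs the recipient to enable a macro. A first triage step for mail gateways or analysts is therefore to ask whether an attachment carries a VBA project at all. The following script is an added illustration and is not NSFOCUS code; it assumes the lure is an OOXML (zip-based) Word file such as .docm, and it looks for the two structural indicators of macros in that format: the `word/vbaProject.bin` part and the macro-enabled content type. Legacy .doc (OLE2) files need a different parser. The sample files it builds are constructed in memory for demonstration only.

```python
"""Triage check: does an OOXML Word file carry a VBA macro project?

Added illustration, not NSFOCUS code.  Assumes OOXML (zip-based) input;
legacy .doc (OLE2) files are out of scope for this parser.
"""
import io
import sys
import zipfile

# Structural macro indicators in the OOXML container.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_office_file(data: bytes) -> dict:
    """Report which macro indicators are present in the OOXML container."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container: either OLE2 (.doc) or not an Office file at all.
        return {"ooxml": False, "vba_part": False, "macro_content_type": False}
    names = set(zf.namelist())
    content_types = ""
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "ooxml": True,
        "vba_part": MACRO_PART in names,
        "macro_content_type": MACRO_CONTENT_TYPE in content_types,
    }


def has_macro(data: bytes) -> bool:
    """True if either macro indicator is present (either alone is enough to flag)."""
    result = inspect_office_file(data)
    return result["vba_part"] or result["macro_content_type"]


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (test fixture, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        content_type = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a VBA project; not a real macro.
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan files given on the command line, or fall back to the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, inspect_office_file(fh.read()))
    else:
        for label, sample in (("macro sample", build_sample(True)),
                              ("plain sample", build_sample(False))):
            print(label, "-> macro:", has_macro(sample), inspect_office_file(sample))
```

A file that is not OOXML is reported as such rather than as "no macro", so an OLE2 .doc attachment is routed to a separate check instead of being silently passed.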
According to NSFOCUS, “The primary role of ABCsync is to assess the operating environment, decrypt the program, and load the next DLL (ABCsync).” The malware also employs various anti-sandbox and anti-analysis techniques to detect its operating environment.
Key functions of ABCsync include executing remote shells, issuing commands through cmd.exe, and extracting system information and other data.
Both ABCloader and ABCsync have been observed using techniques like string encryption to obscure critical file paths, names, keys, error messages, and command-and-control (C2) addresses. They also perform multiple checks to determine if their processes are being debugged or run in a virtual machine or sandbox by verifying display resolution.
Another notable tactic used by Actor240524 is to check whether fewer than 200 processes are running on the infected system, a low count being typical of an analysis sandbox; if so, the malicious process terminates itself.
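The two environment checks above (process count below 200, and display resolution) are cheap for a sandbox operator to test against their own analysis VMs, so that a sample like this detonates instead of exiting. The script below is an added illustration and is not NSFOCUS code. The 200-process threshold is the figure from the report; the minimum resolution is an assumed value, because the report states no specific resolution. The collectors use `tasklist` and `GetSystemMetrics` on Windows and `/proc` and `xrandr` elsewhere; on a headless Unix host the resolution simply reads as 0x0, which is exactly the condition the heuristic would flag.

```python
"""Sandbox realism check against the environment tests attributed to Actor240524.

Added illustration for analysis-VM operators, not NSFOCUS code.  The process
threshold comes from the report; the resolution floor is an assumption.
"""
import os
import platform
import re
import subprocess

PROCESS_THRESHOLD = 200               # from the report: fewer than 200 -> malware exits
ASSUMED_MIN_RESOLUTION = (1280, 800)  # assumption: the report gives no figure


def evaluate_environment(process_count, width, height, min_res=ASSUMED_MIN_RESOLUTION):
    """Return the list of heuristics an environment with these values would trip."""
    findings = []
    if process_count < PROCESS_THRESHOLD:
        findings.append(f"process count {process_count} below {PROCESS_THRESHOLD}")
    if width < min_res[0] or height < min_res[1]:
        findings.append(f"display {width}x{height} below {min_res[0]}x{min_res[1]}")
    return findings


def count_processes():
    """Count running processes the way a user-mode check would see them."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=False).stdout
        return sum(1 for line in out.splitlines() if line.strip())
    try:
        return sum(1 for name in os.listdir("/proc") if name.isdigit())
    except OSError:
        return 0  # no procfs (e.g. macOS): treat as unknown/low


def display_resolution():
    """Primary display size; (0, 0) when no display is available."""
    if platform.system() == "Windows":
        import ctypes
        user32 = ctypes.windll.user32
        return user32.GetSystemMetrics(0), user32.GetSystemMetrics(1)
    try:
        out = subprocess.run(["xrandr"], capture_output=True, text=True, check=False).stdout
        match = re.search(r"current (\d+) x (\d+)", out)
        if match:
            return int(match.group(1)), int(match.group(2))
    except OSError:
        pass
    return 0, 0


def check_this_host():
    """Evaluate the current host and return its findings."""
    width, height = display_resolution()
    return evaluate_environment(count_processes(), width, height)


if __name__ == "__main__":
    problems = check_this_host()
    if problems:
        print("This environment would be rejected by:")
        for item in problems:
            print("  -", item)
    else:
        print("This environment passes both heuristics.")
```

Run it inside the analysis VM (not on the analyst's workstation); padding the process list with benign background services and configuring a realistic desktop resolution are the usual remedies when it reports findings.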
ABCloader is also programmed to deploy a similar loader named “synchronize.exe” along with a DLL file called “vcruntime190.dll” or “vcruntime220.dll,” which are capable of establishing persistence on the host.
NSFOCUS observed that “Azerbaijan and Israel are allied nations with strong economic and political ties.” The Actor240524 operation is likely aimed at undermining the cooperative relationship between the two countries, which it pursues by directing phishing attacks at diplomatic staff from both nations.