Analysis report on recent phishing attacks by APT-C-48 (CNC)

Dec. 3, 2024, 4:51 p.m.

Description

APT-C-48 (CNC), a South Asian government-backed APT group, has been targeting the government, military, education, research, healthcare, and media sectors. The group delivers malicious payloads through spear-phishing emails built around resume-related topics. The executables carry icons that mimic PDF files, and their filenames are padded with spaces so that the real extension is pushed out of view. Upon execution, the malware downloads a decoy document together with additional attack components. The sample employs anti-debugging and anti-VM techniques and a self-deletion mechanism, and it establishes persistence through scheduled tasks. The attack pattern and tactics are consistent with previous APT-C-48 activity, particularly the group's focus on the education and research sectors.
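The filename trick described above (a document-looking name, a run of spaces, and the real executable extension at the far end) is easy to screen for at the mail gateway or in attachment logs. The following is an added example, not code from the report, that scores an attachment name on the two signals the description gives: whitespace padding before the final extension and a decoy document extension in the visible part of the name. It also flags the plain double-extension form with no padding, which the report does not mention. The extension sets, the filenames in the sample list, and the "two or more signals" threshold are all my own choices.

```python
import re

# Extensions Windows will run when a user double-clicks the attachment (assumed set).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Document extensions an attacker would leave visible as a decoy (assumed set).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


def analyze_filename(name):
    """Return the list of masquerading signals found in `name` (empty if none).

    Only names whose real, trailing extension is executable are examined.
    """
    reasons = []
    # The extension Windows honours is whatever follows the last dot.
    base, dot, real_ext = name.rpartition(".")
    if not dot:
        return reasons
    real_ext = real_ext.strip().lower()
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    reasons.append(f"executable extension .{real_ext}")

    # Whitespace (including Unicode spaces) directly before the real extension
    # pushes it out of the visible part of the name in a mail client or Explorer.
    visible = base.rstrip()
    padding = len(base) - len(visible)
    if padding:
        reasons.append(f"{padding} whitespace characters before the real extension")

    # A document extension at the end of the visible part is the decoy the user sees.
    match = re.search(r"\.([A-Za-z0-9]{1,5})$", visible)
    if match and match.group(1).lower() in DOCUMENT_EXTENSIONS:
        reasons.append(f"decoy document extension .{match.group(1).lower()}")
    return reasons


def is_masqueraded(name):
    """An executable alone is not suspicious; require a second signal (assumed threshold)."""
    return len(analyze_filename(name)) >= 2


def triage(attachment_names):
    """Return the subset of names that look like masqueraded executables, sorted."""
    return sorted(n for n in attachment_names if is_masqueraded(n))


# Constructed sample attachment names; not indicators from the report.
SAMPLE_ATTACHMENTS = [
    "Architecture.pdf",                      # benign document
    "setup.exe",                             # plain executable, no disguise
    "Resume.pdf" + " " * 24 + ".exe",        # padded name as described in the report
    "CV.docx.scr",                           # double extension, no padding
    "notes.txt",                             # benign text file
    "Invoice.pdf\u00a0\u00a0\u00a0.com",     # non-breaking spaces used as padding
]

if __name__ == "__main__":
    for name in triage(SAMPLE_ATTACHMENTS):
        print(repr(name), "->", "; ".join(analyze_filename(name)))
```

Run it as a script to see the flagged names with their reasons; in a gateway you would call `triage()` on the attachment names of each message and route the hits to quarantine or analyst review.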

Date

  • Created: Dec. 3, 2024, 4:30 p.m.
  • Published: Dec. 3, 2024, 4:30 p.m.
  • Modified: Dec. 3, 2024, 4:51 p.m.

Indicators

  • https://panbaiclu.com/Metadata/indexes
  • https://panbaiclu.com/Guide/Architecture.pdf
  • https://panbaiclu.com/Guide/structure
  • https://panbaiclu.com/APIs/BaiduSearchAPI
  • panbaiclu.com

Attack Patterns

  • APT-C-48 (CNC)
  • T1036.002
  • T1497.003
  • T1053.005
  • T1027.002
  • T1497.001
  • T1059.003
  • T1012
  • T1070.004
  • T1204.002
  • T1082
  • T1057
  • T1105
  • T1566.001
  • T1083
  • T1078

Additional Information

  • Healthcare
  • Media
  • Defense
  • Education
  • Government