APT-C-60: Observing the hunter
APT-C-60, also known as 伪猎者 (translation: False hunter) or APT-Q-12, is an East Asian cyberespionage group active since at least 2018 and initially reported by Qihoo 360 in 2021. It mainly focuses on high-profile targets such as governments, trade industries, and think tanks in Asian countries, notably China and South Korea. We’ve been monitoring APT-C-60 for over a year, and the group keeps adapting its toolset to deliver its fully featured backdoor, which we have dubbed SpyGlace.
In this presentation, we describe how the various components of their attack chain evolved and the combination of techniques used to stay under the radar while achieving code execution and persistence on compromised systems. We detail the various features of the SpyGlace backdoor and, more importantly, present undocumented modules such as a keylogger and a credential stealer. During our investigation we noticed several pieces of metadata the operators left behind, which allowed us to obtain further information on the operators’ profile and their modus operandi. We also show how we decrypted logs found on their C&C server, unveiling useful details on their environment.
Finally, we demonstrate how forensic analysis with file carving on VHD (Virtual Hard Disk) files helped us recover deleted files and gain yet further insights into the threat actor’s testing processes. The presentation builds on that collection of artifacts to create strong links between APT-C-60 and the group’s evolving malicious components.
Mr. Romain Dumont
Romain DUMONT is a malware researcher working for ESET. His work involves malware analysis and threat hunting.
He likes a good reverse engineering challenge and has previously worked on vulnerability assessment with a focus on Windows components.