A previously unknown threat actor was attributed to a series of attacks on Azerbaijan and Israel to steal sensitive data.
The attack campaign, discovered by NSFOCUS on July 1, 2024, used phishing emails to target Azerbaijani and Israeli diplomats. Activity is tracked under a pseudonym Actor 240524.
“Actor240524 has the ability to steal secrets and modify file data using various countermeasures to avoid over-disclosure of attack tactics and methods,” the cybersecurity company said. said in an analysis published last week.
Attack chains begin by using phishing emails containing Microsoft Word documents that, when opened, prompt recipients to “Enable content” and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader (“MicrosoftWordUpdater.log”).
In the next step, ABCloader acts as a conduit to decrypt and download a malicious DLL called ABCsync (“synchronize.dll”), which then communicates with a remote server (“185.23.253(.)143”) to receive and execute a command.
“Its primary function is to detect the running environment, decode the program, and load the next DLL (ABCsync),” NSFOCUS said. “It then performs various anti-sandboxing and anti-analysis techniques to detect the environment.”
Some of the prominent features of ABCsync are executing remote shells, executing commands using cmd.exe, and extracting system information and other data.
ABCloader and ABCsync were observed to use techniques such as string encryption to mask important file paths, file names, keys, error messages, and command and control addresses (C2). They also perform several checks to determine if processes are being debugged or running in a virtual machine or sandbox by checking the display resolution.
Another important step taken by Actor240524 is that it checks if there are less than 200 running processes in the compromised system and if so, it exits the malicious process.
ABCloader is also designed to run a similar loader called “synchronize.exe” and a DLL called “vcruntime190.dll” or “vcruntime220.dll” that are capable of configuring persistence on the host.
“Azerbaijan and Israel are allied countries with close economic and political exchanges,” NSFOCUS said. “Operation Actor240524 this time likely targets the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel of both countries.”
