Analysis Report on Recent Phishing Attacks by APT-C-48 (CNC)

This week in Defender’s Insight, we turn our focus to the stealthy operations of APT-C-48, also known as CNC, an advanced persistent threat (APT) group with ties to a South Asian government. Its main targets are the government, military, education, research, healthcare, and media sectors.

Recently, 360 Security Center uncovered a surge of phishing emails posing as job-related correspondence. These spear-phishing emails carried malicious payloads disguised as PDF files, combining social engineering with obfuscation to compromise unsuspecting users.


1. Attack Process

APT-C-48's attack starts with a phishing email designed to trick the recipient into opening a compressed attachment. The archive contains executable files whose icons mimic a PDF and whose filenames are padded with blank characters so that the real extension is pushed out of view.
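The naming trick above can be caught before a user ever sees the file. The following Python check is an added illustration, not code from the original report or from 360 Security Center: it inspects each filename in an archive listing for a document-style extension, a run of blank characters, and a real executable extension at the end. The extension lists, the right-to-left-override check, and the sample listing are assumptions constructed for the example.

```python
import unicodedata

# Extensions Windows executes on double-click (assumed list for the example, not taken from the report).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "wsh", "hta", "lnk", "msi", "ps1", "cpl"}
# Document-style extensions an executable borrows to look harmless (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png"}


def _is_blank(ch):
    """True for characters that render as nothing: any Unicode space, control or format character."""
    return unicodedata.category(ch) in ("Zs", "Cc", "Cf")


def _strip_trailing_blanks(text):
    """Remove trailing blank characters and report how many were removed."""
    count = 0
    while text and _is_blank(text[-1]):
        text = text[:-1]
        count += 1
    return text, count


def inspect_attachment_name(name, min_padding=3):
    """Return findings for one attachment filename as it appears in the archive or mail header."""
    reasons = []
    if "\u202e" in name:  # right-to-left override reverses the visible tail of a name (general trick, not from the report)
        reasons.append("rtl_override")
    core, _ = _strip_trailing_blanks(name)
    parts = core.split(".")
    real_ext = parts[-1].lower() if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable_extension:" + real_ext)
    # "Resume.pdf<many blanks>.exe" splits into ["Resume", "pdf<many blanks>", "exe"]: inspect the middle tokens.
    for token in parts[1:-1]:
        shown, pad = _strip_trailing_blanks(token)
        if shown.lower() in DOCUMENT_EXTS:
            reasons.append("double_extension:" + shown.lower())
            if pad >= min_padding:
                reasons.append("blank_padding:%d" % pad)
    return {"name": name, "real_extension": real_ext, "suspicious": bool(reasons), "reasons": reasons}


def triage_archive_listing(names):
    """Run the check over every member of a compressed attachment and return only the flagged ones."""
    return [r for r in (inspect_attachment_name(n) for n in names) if r["suspicious"]]


# Constructed sample listing, modelled on the naming trick described in the report.
SAMPLE_LISTING = [
    "Resume_Applicant.pdf" + " " * 40 + ".exe",
    "Cover_Letter.pdf",
    "Portfolio.pdf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0.scr",  # non-breaking spaces also render as blanks
]

if __name__ == "__main__":
    for hit in triage_archive_listing(SAMPLE_LISTING):
        print(repr(hit["name"]), "->", ", ".join(hit["reasons"]))
```

The check deliberately works on Unicode categories rather than ASCII spaces, because non-breaking spaces and zero-width format characters hide an extension just as well as ordinary spaces do.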

Once executed, the malicious file downloads and opens a fake PDF document to deceive the user while launching the malware components in the background.

The attack flow chart is shown below.

2. Detailed Analysis

2.1 Sample Analysis

The phishing email attachments carried malicious executable files modified to resemble PDF documents.

Example of malicious sample icon

These samples dynamically decrypted key strings using the ChaCha20 algorithm to evade static detection by antivirus software.

Decryption algorithm using ChaCha20

Once the malicious file is executed, it:

  1. Dynamically obtains API addresses and decrypts related strings.
  2. Downloads a fake PDF document and other attack components.

Downloading a disguised PDF document

The downloaded fake document is opened using a command prompt to reduce suspicion.

Opening the disguised PDF document


2.2 Anti-Debugging and Anti-Virtual Machine Tactics

The malware detects analysis environments by traversing the process list and querying registry keys that betray a virtual machine.

Process list traversal for anti-debugging

Traversing the process list

If the malware detects a debugging environment or virtual machine, it deletes itself to avoid further analysis.

Self-deletion mechanism

Self-deletion process

2.3 Persistence Mechanism

The malware uses COM components to create scheduled tasks, ensuring the continued execution of its payloads.

Creating a scheduled task using COM components

Scheduled task creation

These tasks are set to run every 10 minutes, downloading further attack components as needed.
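A task that repeats every few minutes and runs a binary from a user-writable folder stands out in an export of the Task Scheduler. The following Python triage helper is added here and is not code from the report: it reads Task Scheduler XML such as the output of schtasks /query /xml /tn <task name>, and flags tasks that repeat at short intervals, execute from a user-writable path, or launch an interpreter with download-style arguments. The two task definitions are constructed for the example, and the path and interpreter lists are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; a task running a binary from here deserves a look (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Interpreters commonly used to stage downloads (assumed list).
LOLBINS = ("cmd.exe", "powershell", "mshta", "rundll32", "regsvr32", "wscript", "cscript", "certutil", "bitsadmin")

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT10M or P1D to minutes, or None if unparseable."""
    m = _DUR.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task_xml(xml_text, short_interval_minutes=15):
    """Return the repetition intervals, the registered author and a list of findings for one task."""
    root = ET.fromstring(xml_text)
    findings = []
    intervals = [iso_duration_minutes(e.text or "") for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    if intervals and min(intervals) <= short_interval_minutes:
        findings.append("repeats_every_%g_minutes" % min(intervals))
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        low = cmd.lower()
        if any(p in low for p in USER_WRITABLE):
            findings.append("exec_from_user_writable_path")
        if any(l in low for l in LOLBINS) and re.search(r"https?://|downloadstring|invoke-webrequest|-enc", args, re.I):
            findings.append("interpreter_with_download_arguments")
    author = root.findtext(".//t:RegistrationInfo/t:Author", default="", namespaces=NS)
    return {"author": author, "intervals_min": intervals, "findings": findings, "suspicious": bool(findings)}


# Constructed task definitions (not exports from an infected host).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP-EXAMPLE\user</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\Updater\update.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml_text))
```

Whether the task was registered through the COM interface or through schtasks makes no difference to the exported XML, so the same triage applies to both; the interval threshold of 15 minutes is a tunable, and a fleet baseline of legitimate short-interval tasks will keep the output manageable.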


3. Attribution and Origin Analysis

APT-C-48 has a long history of using spear-phishing emails related to "resumes" and "recruitment" to lure victims. Their latest campaign reflects consistent tactics while leveraging advanced obfuscation to bypass security measures.

Combined with their targeting of education and research sectors, these indicators strongly suggest the involvement of APT-C-48.


Prevention and Investigation Suggestions

To defend against this attack, we recommend the following measures:

Email Scanning:

  • Look for emails with “resume” in the subject line and compressed attachments.
  • Avoid opening unverified attachments.

File Extensions:

  • Enable the display of hidden files and file extensions to spot executables masquerading as documents.

Scheduled Task Monitoring:

  • Investigate and delete suspicious tasks created via COM components.

Threat Intelligence:

  • Monitor IoCs such as file hashes and malicious URLs.


Appendix: Indicators of Compromise (IoCs)

Hashes:

  • e74d7351a73c0343c2b607c8f137f847
  • 974f51eb0ea821434504cb22c36fbfab
  • ef98ed09bedea8daef9d09ec62ffe9cc

Malicious Domains and URLs:


Final Thoughts: Caution and Advice to Organizations

APT-C-48’s recent phishing attacks underline the growing sophistication of threat actors in leveraging social engineering and technical obfuscation. This campaign highlights how adversaries exploit common themes like job applications to lure victims, using seemingly innocuous files to bypass traditional defenses.

To counter such threats, organizations must prioritize a proactive and layered cybersecurity strategy:

  1. Educate Employees: Regularly train employees to identify phishing attempts, especially emails with themes like resumes, recruitment, or attachments requesting urgent attention.
  2. Deploy Advanced Threat Detection: Utilize solutions capable of dynamic analysis and behavior-based detection to identify obfuscated malware, even when disguised as legitimate files.
  3. Monitor Indicators of Compromise (IoCs): Stay updated with threat intelligence feeds to identify and block malicious domains, hashes, and other indicators tied to active campaigns.
  4. Implement Stringent Email Security Protocols: Enable email filters and sandboxing to quarantine suspicious attachments. Adopt DMARC, DKIM, and SPF to reduce spoofed emails.
  5. Harden Endpoint Defenses: Enforce application whitelisting, disable unnecessary scripting environments, and ensure devices are up to date with security patches.

By fostering a culture of security awareness and leveraging robust technical defenses, organizations can reduce the risk of falling victim to such sophisticated threats.


Stay aware, stay prepared, and keep defending!

DeCyberGuardian

Frederick Opuni

Physician Assistant

3 months

Great insight

Stephen Oppong

Cybersecurity Pro | Blue Team Specialist | AI-Powered Threat Intelligence | Helping Organizations Secure Data with Zero Trust Architecture | ISC2 CC | Top 8% THM | Python Enthusiast

3 months

Thanks for the repost Engr Taimoor Ahmad.

Marcel Velica

Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions | Cybersecurity Excellence | Cloud Security

3 months

It's crucial for professionals in our field to stay informed about these stealthy threats as we develop stronger defenses. Stephen Oppong
