DEV Community

NetSecOpsIO
NetSecOpsIO

Posted on • Originally published at cyber.netsecops.io

APT-C-60 Abuses GitHub, Proton Drive to Deliver SpyGlace

Originally published on CyberNetSec.

Executive Summary

The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a report on an ongoing cyber-espionage campaign by the threat group APT-C-60. The campaign targets unspecified organizations in Japan with the SpyGlace malware. A key feature of the group's updated tactics is the extensive abuse of legitimate, trusted online services for command and control (C2) and payload delivery. The attackers leverage Proton Drive, jsDelivr, GitHub, GitLab, and Codeberg to host malicious files and blend their C2 traffic, making detection significantly more challenging for network defenders.


Threat Overview

APT-C-60 is a persistent threat actor focused on espionage against Japanese entities. This campaign demonstrates the group's evolution, adopting techniques to bypass network security controls by 'living off the trusted service.'

  • Threat Actor: APT-C-60.
  • Target: Organizations in Japan.
  • Malware: SpyGlace (versions v3.1.15, v3.1.17, v3.1.18 identified).
  • Primary Tactic: Abusing legitimate cloud and developer platforms for payload staging and C2, a technique often called Domain Fronting or using legitimate services as a content delivery network.

Technical Analysis

The attack follows a multi-stage infection chain designed for stealth:

  1. Initial Access: The campaign begins with a spear-phishing email. The email either contains a link to a malicious file hosted on Proton Drive or has a malicious RAR archive attached.
  2. Execution: Inside the archive is a .LNK shortcut file. When the user clicks the LNK file, it executes mshta.exe to run embedded JavaScript code.
  3. Staging: The mshta.exe script fetches the next stage from jsDelivr, a popular content delivery network for open-source projects. This makes the download appear as legitimate web traffic.
  4. Payload Assembly: The malware then uses a legitimate git.exe binary, likely bundled with the malware, to connect to repositories on GitHub, GitLab, or Codeberg. It pulls down various components and assembles the final downloader and payload on the victim's machine.
  5. Final Payload: The ultimate goal is to execute the SpyGlace malware, a backdoor used for espionage and data theft.

This chain of using trusted services (Proton Drive -> jsDelivr -> GitHub) makes each step of the infection process difficult to block without impacting legitimate business operations.

MITRE ATT&CK Mapping

Impact Assessment

A successful compromise with SpyGlace malware can lead to long-term espionage. The attackers can gain persistent access to the victim's network, allowing them to:

  • Exfiltrate sensitive corporate data, intellectual property, and government documents.
  • Monitor internal communications.
  • Pivot to other systems within the network.
  • Deploy additional malicious tools.

The abuse of trusted services makes attribution and remediation more complex, as blocking the domains involved (e.g., github.com) is often not feasible for organizations that rely on them for development.

IOCs — Directly from Articles

JPCERT/CC has published IOCs, but they were not detailed in the source articles. These would include C2 domains, file hashes, and attacker-controlled repository URLs.

Cyber Observables — Hunting Hints

Detecting this activity requires looking for unusual uses of legitimate tools and services:

Type Value Description Context
process_name mshta.exe Monitor for mshta.exe making network connections, especially when launched by an Office application or from an LNK file. EDR, Process creation logs
process_name git.exe Look for git.exe running outside of expected developer directories or being executed by non-developer user accounts. EDR, Process creation logs
network_traffic_pattern jsdelivr.net, proton.me, codeberg.org While these are legitimate domains, traffic to them from unexpected processes or user accounts should be investigated. Proxy logs, DNS logs, SIEM
command_line_pattern git clone Monitor for git clone commands that point to suspicious or newly created repositories. EDR, Command-line logging

Detection & Response

  • Endpoint Detection and Response (EDR): EDR is critical for detecting this attack chain. It can identify the suspicious process execution flow (e.g., LNK -> mshta.exe -> git.exe) and alert on the abuse of legitimate binaries.
  • TLS/SSL Inspection: To detect malicious payloads being downloaded from trusted services, organizations need the ability to inspect encrypted traffic. This allows security tools to see the actual files being transferred from sites like GitHub and Proton Drive.
  • DNS and Proxy Log Analysis: Correlate DNS queries and web proxy logs. A user's machine making a request to proton.me followed by jsdelivr.net and then github.com, when initiated by mshta.exe, is a high-confidence indicator of this campaign.

Mitigation

  • Block LNK Attachments: Configure email gateways to block or quarantine .LNK files within archives, as they are a common vector for malware delivery.
  • Attack Surface Reduction (ASR): Use ASR rules to block mshta.exe from executing untrusted code and to prevent Office applications from creating child processes.
  • Restrict git.exe Execution: Use application control policies (like AppLocker) to restrict where git.exe can be executed from and by which users. It should generally not be run from a user's Downloads folder.
  • Educate Users: Train users to be suspicious of emails prompting them to download files from cloud storage services, even if the service itself is legitimate.

Top comments (0)