AtlasCross APT poses as the American Red Cross for phishing

October 5, 2023

AtlasCross, a newly identified APT group, is an elusive actor currently running a sophisticated phishing campaign that impersonates the American Red Cross in order to deploy its backdoor malware on unsuspecting targets.

The group reportedly uses two previously undocumented trojans, DangerAds and AtlasAgent, which act as the delivery mechanism for its malicious payloads.

AtlasCross stands out among cybercriminal groups for the sophistication and evasiveness of its campaigns. Its origin nevertheless remains a mystery: researchers have been unable to attribute it, because the attackers follow a distinctive modus operandi that diverges from the characteristics of known threat actors.

The AtlasCross APT weaponised the American Red Cross.

According to investigations, AtlasCross begins its attacks with a phishing email that mimics the American Red Cross, baiting recipients into participating in a fake “September 2023 Blood Drive.”

The phishing email carries a macro-enabled Word document that prompts recipients to click “Enable Content” to view supposedly hidden information. Doing so triggers malicious macros that compromise the victim’s Windows device with the DangerAds and AtlasAgent malware.

The macros then extract a ZIP archive on the target’s device, which deploys a file called KB4495667.pkg: the DangerAds system profiler and malware loader. The attack also creates a scheduled task named “Microsoft Office Updates” to establish persistence, launching DangerAds daily for three days.

The loader then profiles the infected environment and runs a built-in shellcode if it identifies specific system strings. Finally, the DangerAds x64[.]dll component loads the AtlasAgent trojan, the final payload of this operation.
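The infection chain above leaves two observable traces on the endpoint: an Office process writing the KB4495667.pkg loader to disk, and a scheduled task named “Microsoft Office Updates” being registered. The following script is an added example, not code from the article or from any vendor report, showing how a detection engineer could hunt for that chain in endpoint telemetry. The only indicators it takes from the article are the task name and the dropped file name; the key=value log format, the host names, the timestamps, and the list of Office macro-host processes are all constructed assumptions.

```python
"""Hunt constructed endpoint telemetry for the AtlasCross persistence pattern
described in the article: an Office macro host dropping KB4495667.pkg and
registering a scheduled task named "Microsoft Office Updates".

Every log line below is a constructed sample, not real telemetry; the
key=value event format is an assumption made for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicators named in the article.
KNOWN_TASK_NAMES = {"microsoft office updates"}
KNOWN_DROPPED_FILES = {"kb4495667.pkg"}
# Assumption: common Office macro hosts, which should never register scheduled tasks.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events (not real logs). ws01 shows the full chain; the
# other hosts show benign activity that the rules must not flag.
SAMPLE_EVENTS = [
    'ts=2023-09-20T10:01:02Z host=ws01 event=process_create image=winword.exe parent=outlook.exe',
    'ts=2023-09-20T10:01:09Z host=ws01 event=file_create image=winword.exe target="C:\\Users\\u\\AppData\\Local\\Temp\\KB4495667.pkg"',
    'ts=2023-09-20T10:01:10Z host=ws01 event=task_create image=winword.exe task="Microsoft Office Updates"',
    'ts=2023-09-20T10:05:00Z host=ws02 event=task_create image=mmc.exe task="Nightly Backup"',
    'ts=2023-09-20T10:06:00Z host=ws03 event=file_create image=explorer.exe target="C:\\Users\\v\\Downloads\\report.docm"',
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

DROP_RULES = {"known_dropped_file", "office_writes_pkg"}
TASK_RULES = {"known_task_name", "office_registers_task"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    out: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty when benign)."""
    hits: List[str] = []
    kind = event.get("event")
    image = event.get("image", "").lower()
    if kind == "task_create":
        if event.get("task", "").lower() in KNOWN_TASK_NAMES:
            hits.append("known_task_name")          # exact IoC from the article
        if image in OFFICE_HOSTS:
            hits.append("office_registers_task")    # behavioural rule, survives renamed tasks
    elif kind == "file_create":
        name = basename(event.get("target", ""))
        if name in KNOWN_DROPPED_FILES:
            hits.append("known_dropped_file")       # exact IoC from the article
        if image in OFFICE_HOSTS and name.endswith(".pkg"):
            hits.append("office_writes_pkg")        # behavioural rule, survives renamed loaders
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run every rule over every line; return (ts, host, rules) for each hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rules = evaluate(ev)
        if rules:
            findings.append((ev.get("ts", ""), ev.get("host", ""), rules))
    return findings


def hosts_with_full_chain(findings) -> Set[str]:
    """Hosts showing both a dropped-loader hit and a task-registration hit,
    i.e. the high-confidence correlation rather than a single indicator."""
    dropped: Set[str] = set()
    tasked: Set[str] = set()
    for _, host, rules in findings:
        if DROP_RULES & set(rules):
            dropped.add(host)
        if TASK_RULES & set(rules):
            tasked.add(host)
    return dropped & tasked


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for ts, host, rules in results:
        print(f"{ts} {host}: {', '.join(rules)}")
    print("hosts with full chain:", sorted(hosts_with_full_chain(results)))
```

The two exact-match rules catch this specific campaign, while the two behavioural rules (an Office process writing a .pkg file or registering a scheduled task) would still fire if the group renamed its loader or task; the correlation step reduces noise by only escalating hosts where both halves of the chain appear.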

Unfortunately, AtlasCross remains a mysterious threat actor with unclear motives and a broad targeting scope. Its selective targeting, its custom-built trojans and loaders, and its preference for low-profile infection campaigns have allowed it to operate undetected for an extended period.

Companies should be more vigilant about these phishing campaigns, and everyone should invest in strong cybersecurity measures to protect their digital assets against this emerging threat.

Finally, the American Red Cross has warned recipients to verify any email that carries its name, since the hackers described above continue to abuse it.
