APT17 intensifies cyberespionage against Italy using 9002 RAT

July 18, 2024
APT17 Cyberespionage Italy Europe Cyberattack Spearphishing

Recent research found that APT17, a Chinese-affiliated threat group, is targeting Italian businesses and government entities with a variation of the renowned 9002 RAT malware. The attacks occurred on June 24 and July 2, 2024, indicating a concerning increase in APT17’s cyber espionage activity.

APT17, also known by many aliases, including Aurora Panda, Bronze Keystone, and Hidden Lynx, has been active since at least 2013. Their earlier operations included high-profile campaigns such as Operation Aurora in 2009, which primarily targeted Google and other important organisations, and the 2013 Sunshop campaign, which involved injecting malicious redirects into numerous websites. The group is well-known for using zero-day vulnerabilities in Microsoft Internet Explorer to gain unauthorised access to its targets.

In recent attacks, APT17 used sophisticated spear-phishing techniques.

On June 24, the APT17 group sent out an Office document designed to mislead users, while the July 2 attack used a fake link. Both attacks directed victims to download a Skype for Business installation package from a domain that resembled an Italian government website. This seemingly trusted software bundle actually served as the delivery vehicle for the 9002 RAT malware.

The malicious payload was delivered via the MSI installer “SkypeMeeting.msi”. When run, this installer launches a Visual Basic Script (VBS) that executes a Java archive (JAR) file. The JAR file then decrypts and executes shellcode, which launches the 9002 RAT. This malware is noted for its modular design, which allows it to perform a variety of malicious tasks, such as monitoring network traffic, taking screenshots, enumerating files, and managing processes. It can also execute commands sent from a remote server and assist with network discovery.
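As an added defender-side example (not code from the article or from the researchers it cites), the following Python walks process-creation events and flags any process whose ancestry shows the installer-to-script-host-to-Java lineage that the chain above produces. The events are constructed here in a Sysmon-like shape; the field names, paths and command lines are assumptions, and real telemetry should key on process GUIDs rather than reusable PIDs.

```python
# Constructed sample process-creation events (not real telemetry).
# pid 200-400 reproduce the MSI -> VBS -> JAR lineage; 500-600 are a benign
# developer running java from a terminal and must not be flagged.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\u\Downloads\SkypeMeeting.msi"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\ProgramData\setup.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Java\bin\java.exe",
     "cmd": r"java.exe -jar C:\ProgramData\update.jar"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Program Files\Java\bin\java.exe",
     "cmd": "java.exe -jar app.jar"},
]

# Each stage is a set of acceptable image names, root-most stage first.
CHAIN = ({"msiexec.exe"}, {"wscript.exe", "cscript.exe"}, {"java.exe", "javaw.exe"})


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int, max_depth: int = 32) -> list:
    """Return the process and its ancestors, root first (the given pid last)."""
    lineage, seen = [], set()
    while pid in by_pid and pid not in seen and len(lineage) < max_depth:
        seen.add(pid)  # guard against cyclic or reused PIDs in the sample
        lineage.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(lineage))


def is_subsequence(stages: tuple, names: list) -> bool:
    """True if every stage appears in order in names (gaps allowed)."""
    i = 0
    for name in names:
        if i < len(stages) and name in stages[i]:
            i += 1
    return i == len(stages)


def find_msi_vbs_jar_chains(events: list) -> list:
    """Flag Java processes whose ancestry contains msiexec -> script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in CHAIN[-1]:
            continue
        lineage = ancestry(by_pid, e["pid"])
        names = [basename(p["image"]) for p in lineage]
        if is_subsequence(CHAIN, names):
            installer = next(p["cmd"] for p in lineage if basename(p["image"]) == "msiexec.exe")
            hits.append({"pids": [p["pid"] for p in lineage], "chain": names, "installer": installer})
    return hits
```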

One of the most alarming elements of the 9002 RAT is that it is regularly updated, including diskless variants intended to evade detection. This constant evolution of the malware is a deliberate move by the adversaries to bypass security controls and keep their operations effective.

Overall, APT17’s recent activities show a high level of sophistication and persistence, underscoring the continuing threat posed by advanced persistent threat groups. The use of such complex malware and methods highlights the importance of strong cybersecurity defences against targeted attacks.
