A China-linked threat actor, tracked as APT17, has been observed targeting Italian companies and government agencies using a variant of the known 9002 RAT malware.
Two targeted attacks occurred on June 24 and July 2, 2024, according to a report released by Italian cybersecurity firm TG Soft last week.
The first campaign, on June 24, 2024, used an Office document as the lure, whereas the second campaign relied on a hyperlink.
“A series of malicious campaigns prompted victims to download a Skype for Business package via a link on an Italian government-appearing website, ultimately installing a variant of the 9002 Remote Access Trojan.”
APT17 was first documented in 2013 by Mandiant (now owned by Google) as part of cyber espionage operations dubbed DeputyDog and Ephemeral Hydra, which exploited zero-day vulnerabilities in Microsoft's Internet Explorer to compromise targets of interest.
The group is also tracked as Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, and shares some degree of tooling overlap with another threat actor.
That actor, also known by the names Hydraq and McRAT, gained infamy for its involvement in Operation Aurora, a sophisticated cyberattack in 2009 that targeted major corporations including Google. In a subsequent 2013 campaign, malicious redirects were injected into multiple compromised websites.
The latest attacks use spear-phishing to trick victims into clicking a link that leads to an MSI installer, ostensibly for obtaining Skype for Business ("SkypeMeeting.msi").
Running the MSI package causes a Visual Basic Script (VBS) to launch a Java archive (JAR) file, while also installing the legitimate chat software on the Windows host. The Java program is responsible for the payload: it decrypts and runs the shellcode that in turn launches the 9002 Remote Access Trojan (RAT).
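The delivery chain described above (MSI installer, then a VBS run by a Windows script host, then a Java archive) leaves a recognisable parent/child process pattern in endpoint telemetry. The following is an added example of detection logic written for this article, not code from TG Soft or from the report; the event records are constructed to resemble process-creation telemetry (Sysmon Event ID 1 style fields), and the paths, PIDs and file names are placeholders rather than indicators from the report.

```python
"""Hunt for the msiexec -> wscript/cscript -> java(w) -jar process chain.

Added example (not TG Soft's code). Events are constructed sample telemetry
with placeholder PIDs and paths; only SkypeMeeting.msi is taken from the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JAVA_IMAGES = ("java.exe", "javaw.exe")
MAX_ANCESTOR_DEPTH = 4  # how far above the script host we look for msiexec


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the newly created process
    cmdline: str  # command line of the newly created process


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # suspicious chain: installer -> script host -> Java with a JAR argument
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\SkypeMeeting.msi"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\setup.vbs"'),
    ProcEvent(400, 300, r"C:\Program Files\Java\bin\javaw.exe",
              r'javaw.exe -jar "C:\Users\u\AppData\Local\Temp\runtime.jar"'),
    # benign: a developer launching Java from a shell, no installer involved
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, r"C:\Program Files\Java\bin\java.exe", "java.exe -jar app.jar"),
    # benign: an installer running a VBS custom action that never touches Java
    ProcEvent(700, 100, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i other.msi"),
    ProcEvent(800, 700, r"C:\Windows\System32\cscript.exe", "cscript.exe post.vbs"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_msiexec_ancestor(start: ProcEvent, by_pid: Dict[int, ProcEvent],
                         max_depth: int = MAX_ANCESTOR_DEPTH) -> Optional[ProcEvent]:
    """Walk up the parent chain from `start` and return the first msiexec.exe
    ancestor within `max_depth` hops, or None. The depth allowance covers the
    client/service msiexec pair that Windows Installer commonly creates."""
    current = by_pid.get(start.ppid)
    for _ in range(max_depth):
        if current is None:
            return None
        if basename(current.image) == "msiexec.exe":
            return current
        current = by_pid.get(current.ppid)
    return None


def find_msi_vbs_java_chains(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent, ProcEvent]]:
    """Return (msiexec, script_host, java) triples for every Java process that
    loads a JAR, was spawned by wscript/cscript, and descends from msiexec."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in JAVA_IMAGES:
            continue
        if ".jar" not in e.cmdline.lower():
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        installer = has_msiexec_ancestor(parent, by_pid)
        if installer is None:
            continue
        hits.append((installer, parent, e))
    return hits


def describe(hit: Tuple[ProcEvent, ProcEvent, ProcEvent]) -> str:
    installer, host, java = hit
    return (f"suspicious chain: msiexec(pid {installer.pid}) -> "
            f"{basename(host.image)}(pid {host.pid}) -> {basename(java.image)}(pid {java.pid}): "
            f"{java.cmdline}")


if __name__ == "__main__":
    for h in find_msi_vbs_java_chains(SAMPLE_EVENTS):
        print(describe(h))
```

On real telemetry this rule is a hunting starting point rather than a high-fidelity alert: legitimate installers do run script custom actions, so the Java-with-JAR child is the discriminating element, and the JAR path (a user-writable temp directory in the sample) is what an analyst would pivot on next.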
The 9002 RAT gives its operators the ability to monitor network traffic, capture screenshots, gather system information, manage processes, and execute additional commands received from a remote server.
The malware is under continuous development, and diskless variants have also been observed. Its modular architecture lets the threat actor enable only the components it needs for a given operation, which reduces the chance of detection.