A highly skilled but previously unknown advanced persistent threat (APT) group targeted victims using an American Red Cross blood drive phishing lure and two novel trojan horse malware tools.
The fake blood drive campaign was discovered by NSFOCUS Security Labs researchers who believe the threat group behind it “is highly likely to deploy this attack process into larger-scale network attack operations.”
In a Sept. 25 post, the NSFOCUS researchers said the new group, which they named AtlasCross, demonstrated a high level of technical skills combined with “strong process and tool development capabilities” and a “cautious attack attitude.”
The researchers said AtlasCross’ approach was “quite different from known attacker characteristics in terms of execution flow, attack technology stack, attack tools, implementation details, attack objectives, behavior tendency and other main attribution indicators.”
NSFOCUS could not determine AtlasCross’ origins but described the group’s attack processes as highly robust and mature.
“On the one hand, this attacker can actively absorb various hacker technologies and integrate them into its own technology stack and tool development process; on the other hand, it has chosen the most conservative route in environmental detection, execution strategy, network facility selection, etc., reducing its exposure risks at the expense of efficiency.”
Red Cross used as bait
The AtlasCross phishing campaign decoy document examined by NSFOCUS was a Microsoft Word macro-enabled file titled “Blood Drive September 2023.docm.”
Targets who proceeded to open the lure were shown a McAfee logo and a message that the file was protected by McAfee DLP. They were encouraged to click “Enable Content” in response to Word’s standard security warning for macro-enabled files.
If the victim complied with the request to enable macros, the hidden content of the file was opened, displaying a Red Cross flyer headed “Become A Blood Donor.”
Meanwhile, malicious macro code in the document dropped a malware program on the victim’s system in the form of a .PKG file.
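The lure described above combines two observable traits: an embedded VBA project (what makes a .docm macro-enabled) and visible text coaxing the reader to click “Enable Content” under a fake McAfee DLP notice. The following is an added triage example, not code from NSFOCUS or the article; the lure phrases and the minimal in-memory test document are constructed assumptions for illustration.

```python
import io
import re
import zipfile

# Phrases matching the AtlasCross decoy (assumed list; extend for your environment).
LURE_PATTERNS = [r"enable content", r"mcafee dlp", r"blood drive"]


def inspect_office_zip(data: bytes) -> dict:
    """Inspect an OOXML (.docx/.docm) file supplied as bytes.
    Reports whether a VBA project is embedded and which lure phrases
    appear in the visible document text shown before macros run."""
    result = {"has_vba": False, "lure_hits": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Macro-enabled Word documents store the compiled VBA project here.
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        text = ""
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
            # Strip XML tags to approximate the text the reader sees.
            text = re.sub(r"<[^>]+>", " ", xml).lower()
        result["lure_hits"] = [p for p in LURE_PATTERNS if re.search(p, text)]
    # VBA present plus "enable content" coaxing is the pattern worth escalating.
    result["suspicious"] = result["has_vba"] and bool(result["lure_hits"])
    return result


def build_sample(with_vba: bool, body_text: str) -> bytes:
    """Construct a minimal OOXML-like zip for testing (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>",
        )
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(True, "Protected by McAfee DLP. Click Enable Content to view.")
    print(inspect_office_zip(sample))
```

Run against mail-gateway quarantine or a sandbox drop folder; a hit is a triage signal, not proof of compromise, since benign macro documents with instructional text exist.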
It’s not the first time threat actors have abused the reputation of the Red Cross for nefarious purposes. Following Hurricane Katrina in 2005, a Miami man was imprisoned after pleading guilty to selling phishing kits that included software used to develop a phony American Red Cross relief website.
The organization is also an attractive target for threat groups, especially because of the large amount of personally identifiable information it holds.
AtlasCross deploys novel malware
The .PKG file dropped by AtlasCross was a loader trojan – dubbed DangerAds by NSFOCUS – that executed a built-in shellcode used to load the final payload in the attack process, another novel trojan NSFOCUS calls AtlasAgent.
“The main functions of the (AtlasAgent) trojan are to obtain host information, process information, prevent opening of multi-programs, inject specified shellcode and download files from CnC (command and control) servers,” the researchers said.
As well as noting the high standards of AtlasCross’ attack techniques and tools, the researchers said residual debug code they observed in the threat actor’s self-developed trojans demonstrated the APT gang was still working to improve its attack process.
“These characteristics reflect the high-level threat nature of this attacker, who may continue to organize other cyberattack activities against key targets after this attack,” they said.