Italian Firms Targeted by China-Linked APT17 Using 9002 RAT Malware

Jul 17, 2024NewsroomCyber Espionage / Threat Intelligence

A China-linked threat actor known as APT17 has targeted Italian companies and government entities with a variant of the 9002 RAT malware.

According to an analysis released last week by Italian cybersecurity firm TG Soft, the two attacks took place on June 24 and July 2, 2024.

“The initial attack on June 24, 2024, was initiated using an Office file, while the subsequent attack contained a hyperlink,” the firm said in a published report. “Both assaults prompted the target to download a Skype for Business package from a website resembling an official Italian domain, leading to the deployment of a variant of the 9002 RAT malware.”

APT17 was first documented in 2013 by Google-owned Mandiant (then FireEye) as part of the cyber espionage operations known as DeputyDog and Ephemeral Hydra, which exploited zero-day vulnerabilities in Microsoft’s Internet Explorer to breach targets of interest.

The group is also tracked under the aliases Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, and shares some tooling with another group known as Webworm.

9002 RAT, also known as Hydraq and McRAT, gained notoriety as the tool of choice in Operation Aurora, which targeted Google and other major corporations in 2009. It was used again in a 2013 campaign dubbed Sunshop, in which the attackers injected malicious redirects into multiple websites.

The latest attack chains use spear-phishing to trick recipients into clicking a link that instructs them to download an MSI installer for Skype for Business (“SkypeMeeting.msi”).

Running the MSI package executes a Java archive (JAR) file via a Visual Basic Script (VBScript) while also installing the legitimate chat software on the Windows host. The Java application then decodes and executes the shellcode responsible for launching the 9002 RAT.
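The installer-to-script-host-to-Java process lineage described above is unusual for a genuine MSI install and is something a detection engineer can hunt for in endpoint telemetry. The following is an added example, not code from TG Soft or from this article: it walks a set of constructed process-creation events (modelled loosely on Sysmon Event ID 1 fields, with hypothetical PIDs and file names other than the reported "SkypeMeeting.msi") and flags any java.exe whose ancestry contains a Windows script host (wscript.exe or cscript.exe) that was itself spawned, directly or indirectly, by msiexec.exe. Keying on numeric PIDs is only safe inside a short window like this sample; real telemetry should correlate on a unique process GUID because PIDs are reused.

```python
"""Hunt for an msiexec -> VBScript host -> Java launch chain in process-creation events.

Added example for illustration; the events below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased executable file name
    cmdline: str


# Constructed sample events. "SkypeMeeting.msi" is the installer name from the report;
# the .vbs and .jar names and all PIDs are hypothetical.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 900, "explorer.exe", "explorer.exe"),
    # suspicious lineage: installer -> script host -> java
    ProcEvent(1100, 1000, "msiexec.exe", r"msiexec.exe /i C:\Users\u\Downloads\SkypeMeeting.msi"),
    ProcEvent(1200, 1100, "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\setup.vbs"),
    ProcEvent(1300, 1200, "java.exe", r"java.exe -jar C:\Users\u\AppData\Local\Temp\update.jar"),
    # benign: an installer that only launches the product it installed
    ProcEvent(2100, 1000, "msiexec.exe", r"msiexec.exe /i C:\Users\u\Downloads\editor.msi"),
    ProcEvent(2200, 2100, "editor.exe", "editor.exe"),
    # benign: a user running a JAR from an interactive shell
    ProcEvent(3100, 1000, "cmd.exe", "cmd.exe"),
    ProcEvent(3200, 3100, "java.exe", "java.exe -jar tool.jar"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"
JAVA_IMAGES = {"java.exe", "javaw.exe"}


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 6) -> List[ProcEvent]:
    """Return [ev, parent, grandparent, ...] up to max_depth hops or until the parent is unknown."""
    chain = [ev]
    cur = ev
    while len(chain) <= max_depth:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_msi_script_java_chains(events: List[ProcEvent]) -> List[List[ProcEvent]]:
    """Return every lineage java -> ... -> script host -> ... -> msiexec found in the events.

    Each hit is ordered child-first and truncated at the msiexec.exe ancestor.
    """
    by_pid = {e.pid: e for e in events}
    hits: List[List[ProcEvent]] = []
    for ev in events:
        if ev.image not in JAVA_IMAGES:
            continue
        lineage = ancestry(ev, by_pid)
        images = [e.image for e in lineage]
        # Index 0 is java itself, so the script host must sit closer to java than msiexec does.
        try:
            script_idx = next(i for i, img in enumerate(images) if img in SCRIPT_HOSTS)
            msi_idx = next(i for i, img in enumerate(images) if img == INSTALLER)
        except StopIteration:
            continue
        if script_idx < msi_idx:
            hits.append(lineage[: msi_idx + 1])
    return hits


def describe(chain: List[ProcEvent]) -> str:
    """Render a hit as 'msiexec.exe -> wscript.exe -> java.exe' for an alert message."""
    return " -> ".join(e.image for e in reversed(chain))


if __name__ == "__main__":
    for hit in find_msi_script_java_chains(SAMPLE_EVENTS):
        print("suspicious chain:", describe(hit))
        print("  installer cmdline:", hit[-1].cmdline)
```

Run stand-alone, the script reports the single constructed chain and the msiexec command line that started it, while the plain installer and the interactive Java launch are ignored. In production the same logic belongs in an EDR or SIEM rule; the Python form is useful for retro-hunting exported process logs.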

A modular trojan, 9002 RAT comes with features to monitor network traffic, capture screenshots, enumerate files, manage processes, and run additional commands received from a remote server to facilitate network discovery, among other functions.

“The malware is regularly updated with diskless variations as well,” noted TG Soft. “It comprises diverse modules that are activated as necessary by the threat actor to minimize interception risks.”
