{
  "name": "Analysis report on recent phishing attacks by APT-C-48 (CNC)",
  "slug": "analysis-report-on-recent-phishing-attacks-by-apt-c-48-cnc",
  "description": "APT-C-48 (CNC), a South Asian government-backed APT group, has been targeting the government, military, education, research, healthcare, and media sectors. The group uses spear-phishing emails with resume-related topics to deliver malicious payloads. It modifies the icons of executable files to resemble PDF files and adds spaces to filenames to hide the file extensions. Upon execution, the malware downloads a decoy document and additional attack components. The sample employs anti-debugging and anti-VM techniques, uses self-deletion mechanisms, and establishes persistence through scheduled tasks. The attack pattern and tactics are consistent with previous APT-C-48 activities, particularly the group's focus on the education and research sectors.",
  "published": "2024-12-03T15:30:06+00:00",
  "created_at": "2024-12-03T15:30:06+00:00",
  "modified_at": "2024-12-03T15:51:48+00:00",
  "created_at_opencti": "2024-12-03T15:30:06+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-03",
    "anti-debugging",
    "anti-vm",
    "apt-c-48",
    "spear-phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://panbaiclu.com/Metadata/indexes"
      },
      {
        "id": "",
        "name": "https://panbaiclu.com/Guide/Architecture.pdf"
      },
      {
        "id": "",
        "name": "https://panbaiclu.com/Guide/structure"
      },
      {
        "id": "",
        "name": "https://panbaiclu.com/APIs/BaiduSearchAPI"
      },
      {
        "id": "",
        "name": "panbaiclu.com"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f661b692-92e6-4e33-bdd8-188fa586a9eb",
        "name": "APT-C-48 (CNC)",
        "slug": "apt-c-48-cnc"
      }
    ],
    "attack_patterns": [
      {
        "id": "e8189670-a7bf-47fe-9b43-f3c1add0a2db",
        "name": "T1036.002"
      },
      {
        "id": "c998d878-b668-40dd-a84c-9ca7f73caaa4",
        "name": "T1497.003"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Media"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247504896&idx=1&sn=42097a09cd3420fd7168ba1afc84939e&chksm=f9c1e709ceb66e1fd732a72853e48466ae332109a6200a58c1ddab56e1c7d90b902cbbd64027&scene=178&cur_album_id=1955835290309230595#rd",
    "https://otx.alienvault.com/pulse/674f320e0b9b2ccf9b494112"
  ]
}