Severity
High
Analysis Summary
Zero-day exploitation of a now-patched, high-severity remote code execution bug in Kingsoft WPS Office, used to install a custom backdoor called SpyGlace, has been attributed to cyber espionage activity aligned with South Korea.
Cybersecurity researchers attribute the activity to a threat actor tracked as APT-C-60; the attacks infect users in China and East Asia with malware. The vulnerability in question is CVE-2024-7262 (CVSS score: 9.3), caused by improper validation of user-supplied file paths. It allows a remote adversary to achieve code execution by uploading an arbitrary Windows library.
The flaw hijacks the control flow of the WPS Office plugin component promecefpluginhost.exe, leading to code execution. Researchers later found a second way to reach the same outcome, tracked as CVE-2024-7263 and also rated CVSS 9.3. APT-C-60 weaponized the vulnerability into a one-click exploit: a booby-trapped spreadsheet document that was uploaded to VirusTotal in February 2024.
Specifically, the file embeds a malicious link that, when clicked, triggers a multi-stage infection chain delivering the SpyGlace trojan, a DLL named TaskControler.dll that can steal files, load plugins, and execute commands. To convince the user that the document is an ordinary spreadsheet, the exploit developers placed an image of spreadsheet rows and columns inside the file and attached the malicious hyperlink to that image, so clicking any apparent cell triggers the exploit.
APT-C-60 is believed to have been active since 2021, with SpyGlace observed in the wild as early as June 2022. Whether the group developed or purchased the exploit for CVE-2024-7262, it required considerable research into the application's internals and familiarity with how the Windows library loading process works.
The exploit is notable because it is both reliable and effective, and deceptive enough to fool a user into clicking a spreadsheet that looks authentic. By choosing the MHTML file type, the attackers turned a local code execution vulnerability into a remote one. The disclosure coincided with a cybersecurity firm's finding that a malicious third-party plugin for the Pidgin messaging app, ScreenShareOTR (or ss-otr), contained code that downloads next-stage binaries from a command-and-control (C2) server, ultimately deploying the DarkGate malware.
As advertised, the plugin provides screen sharing over the Off-the-Record (OTR) messaging protocol. However, it also carries malicious code: certain versions of pidgin-screenshare.dll can download and execute a PowerShell script from a C2 server. The plugin has since been removed from the third-party plugin list; it also includes keylogger and screenshot-capture functionality. Users who have already installed the plugin are advised to remove it immediately.
Researchers have since found that an app named Cradle, which claims to be an open-source derivative of the Signal messaging app, contains the same malicious backdoor code as ScreenShareOTR. The software has been available for download since September 2023, for over a full year.
A PowerShell script downloads the malware, which then installs DarkGate by fetching and running a crafted AutoIt script. The Linux version of Cradle ships an ELF binary that downloads, executes, and relays shell commands to a remote server. Another notable detail is that both the Cradle program and the plugin installer are signed with a legitimate digital certificate belonging to a Polish company, which suggests that the malware is being distributed by criminals using multiple techniques.
Impact
- Cyber Espionage
- Remote Code Execution
- Data Theft
- Keylogging
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Ensure that all software, particularly software from third-party vendors, is obtained from trusted sources and that updates come from the vendor's official website or app store.
- Conduct regular security assessments and audits of all software, especially software that handles sensitive data, to detect any suspicious activity.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.