A recently discovered APT hacking group named ‘AtlasCross’ is targeting organizations by using phishing lures that impersonate the American Red Cross. Their aim is to deliver backdoor malware to their victims.
NSFocus, a cybersecurity firm, has identified two previously undisclosed trojans, DangerAds and AtlasAgent, which are associated with the attacks carried out by this new APT group.
According to NSFocus, the AtlasCross hackers are sophisticated and difficult to trace, making it challenging for researchers to determine their origin.
“After conducting a thorough analysis of the attack process, NSFOCUS Security Labs found that this APT attacker is quite distinctive in terms of execution flow, attack technology stack, attack tools, implementation details, attack objectives, behavior tendency, and other main attributes compared to known attacker characteristics,” NSFocus explains.
“The technical level and cautious approach demonstrated by this attacker during this activity also deserve attention.”
AtlasCross attack chain
AtlasCross attacks begin with a phishing message that appears to be from the American Red Cross. The email requests the recipient’s participation in a “September 2023 Blood Drive.”
These emails contain a macro-enabled Word document (.docm) attachment that prompts the victim to click “Enable Content” to view hidden information.
However, clicking on the link will activate malicious macros that infect the victim’s Windows device with the DangerAds and AtlasAgent malware.
The macros first extract a ZIP archive on the Windows device to release a file named KB4495667.pkg. This file serves as the DangerAds system profiler and malware loader. A scheduled task called “Microsoft Office Updates” is then created, which launches DangerAds daily for three days.
DangerAds acts as a loader, assessing the host environment and executing built-in shellcode if specific strings are found in the system’s username or domain name. This targeted approach showcases AtlasCross’s focused targeting.
Eventually, DangerAds loads x64.dll, which is the AtlasAgent trojan and the final payload delivered in the attack.
AtlasAgent is a custom C++ trojan with core functions that include extracting host and process details, preventing the launch of multiple programs, executing additional shellcode on the compromised machine, and downloading files from the attacker’s C2 servers.
Upon initial execution, the malware sends information to the attacker’s servers, such as the local computer name, network adapter information, local IP address, network card details, OS system architecture and version, and a list of running processes.
The attacker’s servers then respond with commands for AtlasAgent to execute. This can be done using new threads or within one of the existing processes, making it harder for security tools to detect and stop.
In addition, AtlasAgent supports various commands, including obtaining computer system information, executing a reverse shell, obtaining data from the command and control server, debugging, pausing the program, obtaining process information, injecting shellcode, creating mutexes, and exiting loops.
While NSFocus’ report is the first to detail this new hacking group, AtlasCross is still a relatively unknown threat with unclear motives and targeting scope.
They have managed to operate undetected for an unknown period of time by selectively targeting victims, using custom-made trojans and malware loaders, and preferring discreet infection methods over efficiency.