CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
AI Score
Confidence
Low
EPSS
Percentile
99.7%
A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT.
The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week.
βThe first campaign on June 24, 2024 used an Office document, while the second campaign contained a link,β the company noted. βBoth campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of 9002 RAT.β
APT17 was first documented by Google-owned Mandiant (then FireEye) in 2013 as part of cyber espionage operations called DeputyDog and Ephemeral Hydra that leveraged zero-day flaws in Microsoftβs Internet Explorer to breach targets of interest.
Itβs also known by the monikers Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, with the adversary sharing some level of tooling overlap with another threat actor dubbed Webworm.
9002 RAT, aka Hydraq and McRAT, achieved notoriety as the cyber weapon of choice in Operation Aurora that singled out Google and other large companies in 2009. It was also subsequently put to use in another 2013 campaign named Sunshop in which the attackers injected malicious redirects into several websites.
The latest attack chains entail the use of spear-phishing lures to trick recipients into clicking on a link that urges them to download an MSI installer for Skype for Business (βSkypeMeeting.msiβ).
Launching the MSI package triggers the execution of a Java archive (JAR) file via a Visual Basic Script (VBS), while also installing the legitimate chat software on the Windows system. The Java application, in turn, decrypts and executes the shellcode responsible for launching 9002 RAT.
A modular trojan, 9002 RAT comes with features to monitor network traffic, capture screenshots, enumerate files, manage processes, and run additional commands received from a remote server to facilitate network discovery, among others.
βThe malware appears to be constantly updated with diskless variants as well,β TG Soft said. βIt is composed of various modules that are activated as needed by the cyber actor so as to reduce the possibility of interception.β
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.