NSFOCUS Security Labs uncovered AtlasCross, a newly identified APT actor conducting targeted phishing to compromise specific targets. The operation deploys two Trojan horses, DangerAds and AtlasAgent, with strong defense evasion and a standby C2 network. #AtlasCross #DangerAds
Keypoints
- AtlasCross is identified as a new, highly capable APT attacker with a targeted strike approach.
- A decoy document titled “Blood Drive September 2023.docm” targets Red Cross-related individuals to lure victims.
- The attack unfolds in three phases: decoy document, DangerAds loader, and AtlasAgent final payload.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The attacker uses a decoy document titled “Blood Drive September 2023.docm” to lure victims and prompt macro enablement.
  quotes: “the decoy document titled “Blood Drive September 2023.docm” with the United States Red Cross blood donation information as its topic.”
- [T1053.005] Scheduled Task – The malicious macro sets up a scheduled task called “Microsoft Office Updates,” executed daily for 3 days.
  quotes: “The malicious macro document then sets up a scheduled task called ‘Microsoft Office Updates’, which will be executed daily for 3 days after setting up.”
- [T1218.005] Signed Binary Proxy Execution: InstallUtil – The loader uses InstallUtil.exe with /? to load the malicious package, enabling hidden execution.
  quotes: “The scheduled task calls the component InstallUtil.exe of windows .net, using the /? parameter to call the help of the above ‘KB4495667.pkg’ file to realize over-protection and hidden execution of the malicious program.”
- [T1071.001] Web Protocols – AtlasAgent communicates with CnC via HTTP and encrypts data (RC4, then Base64).
  quotes: “The AtlasAgent program made by AtlasCross … communicates with the CnC through HTTP protocol, encrypts communication data using Base64 encoding after RC4 encryption.”
- [T1055] Process Injection – AtlasAgent uses kernel-layer injection (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx) to inject shellcode.
  quotes: “AtlasAgent implements an injection method based on kernel-layer functions, which can inject shellcode into existing or new threads of other processes.”
- [T1620] Reflective DLL Injection – sRDI-based reflective loading is used to load DLLs, reducing on-disk exposure.
  quotes: “Reflective loading … to build shellcode parts. This scheme completes the operation of reflexively loading DLL programs.”
- [T1497] Virtualization/Sandbox Evasion – The DangerAds loader starts only when the host username or local domain name matches its criteria, preventing execution in a VM or sandbox.
  quotes: “The DangerAds Loader Trojan used by AtlasCross will only start when a correct username or local domain name is detected. This logic can effectively prevent itself from running in a virtualized environment.”
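As an added example (not code from the NSFOCUS report), a small detection routine that checks constructed Sysmon-style process-creation events for the stage-1 chain described above: the “Microsoft Office Updates” task, InstallUtil.exe run with /? against the KB4495667.pkg file, and schtasks spawned from an Office process. The event field names and sample command lines are assumptions made for this example.

```python
import re

# Constructed sample events (not from the report). Only the task name, the /? switch
# and the KB4495667.pkg file name come from the page; paths and parents are assumed.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /SC DAILY /TN "Microsoft Office Updates" '
                '/TR "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe '
                '/? C:\\ProgramData\\KB4495667.pkg"',
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /? C:\ProgramData\KB4495667.pkg",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /i C:\Users\dev\build\MyService.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

TASK_NAME = "microsoft office updates"
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")


def detect(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    parent = event["parent"].lower()
    # T1053.005: a task created under the name the macro uses.
    if image.endswith("schtasks.exe") and "/create" in cmd and TASK_NAME in cmd:
        hits.append("schtasks_microsoft_office_updates")
    # Macro-to-persistence chain: schtasks launched directly by an Office process.
    if image.endswith("schtasks.exe") and parent.endswith(OFFICE_APPS):
        hits.append("schtasks_from_office")
    # T1218.005: InstallUtil asked for "help" on a non-assembly extension (.pkg/.zip).
    if (image.endswith("installutil.exe")
            and re.search(r"(^|\s)/\?(\s|$)", cmd)
            and re.search(r"\.(pkg|zip)(\s|$)", cmd)):
        hits.append("installutil_help_switch_proxy_exec")
    return hits


def scan(events):
    """Run detect() over a list of events; return (index, hits) for events that fired."""
    findings = []
    for idx, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            findings.append((idx, hits))
    return findings
```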
Indicators of Compromise
- [File Hash] Phishing document IOCs – 7195d7e4926a0a85fbe81e40ab7c0ca4, f8bafe2ce6f11a32109abbab1c42e2cf, and 2 more hashes
- [Domain] AtlasAgent CnC domains – data.vectorse.com, activequest.goautodial.com, and 10 more domains
- [File Path] PDB path – C:UsersinvokeopsDocumentsCode atlasagentx64ReleaseAtlasDLL.pdb
- [File Name] Stage 1 artifacts – KB4495667.zip, KB4495667.pkg
- [Encryption Key] RC4 key – 5haFDov20qfZnyAw4QrtSgAATN7uEkVF (UTF-8)