[Cyware] Italian government agencies and companies targeted by a Chinese APT

Two targeted campaigns against Italian government entities and companies used a diskless variant of Rat 9002 attributed to APT17 (DeputyDog). The operations combined spearphishing with an Office document and a malicious link to deliver a Skype for Business MSI, followed by a modular RAT payload and covert C2 infrastructure. #APT17 #DeputyDog #Rat9002 #Rat3102 #EquitaliaGiustizia #SkypeMeeting

Keypoints

  • Two targeted attacks were observed on Italian organizations in June and July 2024, using a diskless RAT 9002 variant tied to APT17 (DeputyDog).
  • The campaigns combined an Office document (June 24) and a malicious link (July 2) to lure victims into installing a Skype for Business package from a domain made to look like a government one.
  • The attacker delivered a custom MSI (SkypeMeeting.msi) downloaded from a Microsoft Azure storage URL (file.core.windows.net) and executed via a VBScript dropper, triggering the RAT payload.
  • The infection chain involves a Java-based dropper (vcruntime.jar) executed through a VBScript (vcruntime.vbs) and RC4-encrypted shellcode (vcruntime.bin).
  • RAT 9002 is modular, capable of loading plugins (ScreenSpyS.dll, RemoteShellS.dll, UnInstallS.dll, FileManagerS.dll, ProcessS.dll) to extend functionality (screen capture, remote shell, etc.).
  • The malware communicates with a C2 server over domains/IPs (themicrosoftnow.com; 137.74.76.92; 23.218.225.10) with encrypted/Base64-encoded traffic.
  • The campaigns show sophistication, including legitimate-looking domains and a malware lineage previously seen in Operation Aurora and Ephemeral Hydra.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The first campaign (June 24, 2024) delivered its lure as an Office document. ‘The first campaign on June 24, 2024 used an Office document.’
  • [T1566.002] Spearphishing Link – The July 2 campaign directly uses a link to the malicious URL. ‘The July 2 campaign instead directly uses a link to the malicious URL.’
  • [T1059.005] VBScript – The VBScript ‘vcruntime.vbs’ runs commands to launch Java and MSI, as shown in the infection chain. ‘the execution of the Java application called “vcruntime.jar” via the VBS script “vcruntime.vbs”.’
  • [T1218.005] Msiexec – The installer uses Windows Installer to deploy SkypeMeeting.msi, which installs Skype for Business and launches the malware chain. ‘The execution of SkypeMeeting.msi will therefore involve the installation of the original Skype for Business package…’
  • [T1027.001] Obfuscated/Encrypted Files and Information – RC4-encrypted shellcode within vcruntime.bin. ‘contains a shellcode encrypted with RC4’
  • [T1113] Screen Capture – The RAT modules include ScreenSpyS.dll for screen capture. ‘ScreenSpyS.dll -> screen capture’
  • [T1071.001] Web Protocols – C2 communications occur over web protocols with encryption and Base64 encoding. ‘Communication with the command and control server takes place in an encrypted manner and then encoded in Base64.’
  • [T1082] System Information Discovery – Discovery commands executed to learn host/network information (systeminfo.exe, ipconfig, net user, etc.). ‘systeminfo.exe’, ‘ipconfig /all’, ‘net user’, ‘netstat -ano -p tcp’ and other discovery commands.
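As an added illustration (not from the Cyware summary or the TG Soft article), the following Python walks constructed process-creation events and flags any process whose ancestry contains both the vcruntime.vbs and vcruntime.jar stages of the chain described above, recording which other stages (SkypeMeeting.msi, discovery commands) also appear; the event format and file paths are assumptions.

```python
"""Added example: detect the SkypeMeeting.msi -> vcruntime.vbs -> vcruntime.jar
chain in process-creation telemetry. Event tuples and paths are constructed."""
import re

# Constructed sample events: (pid, parent_pid, image path, command line).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\msiexec.exe",
     r'msiexec.exe /i "C:\Users\u\Downloads\SkypeMeeting.msi"'),
    (300, 200, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\ProgramData\vcruntime.vbs"'),
    (400, 300, r"C:\Program Files\Java\bin\javaw.exe",
     r'javaw.exe -jar "C:\ProgramData\vcruntime.jar"'),
    (500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo.exe"),
    (600, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\logon.vbs"'),  # benign script, must not fire
]

# Stages of the reported chain, matched on the command line (case-insensitive).
STAGES = [
    ("msi", re.compile(r"msiexec\.exe.*SkypeMeeting(?:sApp)?\.msi", re.I)),
    ("vbs", re.compile(r"[wc]script\.exe.*vcruntime\.vbs", re.I)),
    ("jar", re.compile(r"javaw?\.exe.*-jar.*vcruntime\.jar", re.I)),
    ("discovery", re.compile(r"\b(systeminfo|ipconfig|net user|netstat)\b", re.I)),
]


def ancestry(events, pid):
    """Return the events from pid up to the root, child first."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]  # move to the parent
    return chain


def find_chain(events):
    """Map pid -> sorted stage names for processes whose ancestry shows
    both the VBScript and the Java dropper stages."""
    hits = {}
    for pid, _, _, _ in events:
        seen = set()
        for _, _, _, cmd in ancestry(events, pid):
            for name, pattern in STAGES:
                if pattern.search(cmd):
                    seen.add(name)
        if {"vbs", "jar"} <= seen:
            hits[pid] = sorted(seen)
    return hits
```

Requiring two linked stages rather than a single file name keeps an unrelated wscript.exe launch (pid 600 above) from firing while still catching later discovery activity spawned by the dropper.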

Indicators of Compromise

  • [Domain] C2 and malicious hosting domains – themicrosoftnow.com, meeting.equitaligaiustizia.it, meeting.equitaliagiustizia.it
  • [IP] Known C2 endpoints – 137.74.76.92, 23.218.225.10
  • [URL] Malicious links used to deliver the MSI and lure victims – https://meeting.equitaligaiustizia.it/angelo.maisto.guest, https://meeting.equitaliagiustizia.it/angelo.maisto.guest/MB9GVM5K
  • [URL] Download/installer URL for MSI – https://skypeformeeting.file.core.windows.net/skypeformeeting/SkypeMeeting.msi?… (full query string in article)
  • [File name] SkypeMeeting.msi, SkypeMeetingsApp.msi, a.exe, vcruntime.jar, vcruntime.vbs, vcruntime.bin
  • [SHA-256] 28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e, de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0, e024fe959022d2720c1c3303f811082651aef7ed85e49c3a3113fd74f229513c, d6b348976b3c3ed880dc41bb693dc586f8d141fbc9400f5325481d0027172436, c0f93f95f004d0afd4609d9521ea79a7380b8a37a8844990e85ad4eb3d72b50c, caeca1933efcd9ff28ac81663a304ee17bbcb8091d3f9450a62c291fec973af5

Read more: https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng&web_view=true