Google Threat Intelligence Group (GTIG) reports that PRC‑nexus threat actor APT24 has run a three‑year espionage campaign built around BADAUDIO, a heavily obfuscated first‑stage downloader. BADAUDIO is delivered through strategic web compromises, a supply‑chain compromise of a Taiwanese marketing firm, and targeted phishing, and then retrieves AES‑encrypted second‑stage payloads such as Cobalt Strike Beacon. The report details BADAUDIO’s control‑flow flattening, its DLL sideloading execution chain, fingerprinting‑based victim selection, and extensive infrastructure churn, and provides IOCs and YARA rules for detection. #BADAUDIO #APT24 #CobaltStrikeBeacon #twisinbeth.com
Key points
- APT24 has operated a multi‑year campaign (≈3 years) using BADAUDIO, a custom C++ first‑stage downloader that retrieves AES‑encrypted payloads from hard‑coded C2 servers.
- BADAUDIO employs advanced obfuscation (control‑flow flattening) and typically executes via DLL Search Order Hijacking, often delivered inside encrypted archives with VBS, BAT, and LNK helpers to automate placement and persistence.
- Initial access vectors evolved from broad strategic web compromises using injected fingerprinting JavaScript to targeted supply‑chain attacks against a regional digital marketing firm in Taiwan affecting >1,000 domains and tailored spear‑phishing campaigns using cloud storage links.
- The injected JavaScript used FingerprintJS to generate browser fingerprints for selective targeting and returned fake update dialogs to trick Windows users into running the malware.
- BADAUDIO collects basic host info, hashes it, and embeds the value in cookie headers to fetch and decrypt subsequent payloads; at least one payload was a Cobalt Strike Beacon with a reusable watermark tied to APT24.
- GTIG disrupted the campaign by adding sites/files to Safe Browsing blocklists, notifying victims, creating detection logic and YARA rules, and publishing IOCs and C2 domain lists to assist defenders.
- Indicators include multiple compromised/typosquatted domains, BADAUDIO binary hashes, and Cobalt Strike watermark metadata—enabling detection of supply‑chain and web compromise artifacts.
MITRE Techniques
- [T1574.001] DLL Search Order Hijacking – BADAUDIO “typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking … for execution via legitimate applications.”
- [T1195.001] Compromise Software Supply Chain: Compromise of a third‑party JavaScript library – “injected the malicious script into a widely used JavaScript library … provided by the firm, leveraging a typosquatting domain to impersonate a legitimate CDN.”
- [T1059.007] JavaScript: Dynamic dependency loading – “The script dynamically loads legitimate jQuery and FingerprintJS2 libraries … from a public CDN if not already present, ensuring consistent execution.”
- [T1059] Command and Scripting Interpreter: JS obfuscation – “the highly obfuscated script … was deliberately placed within a maliciously modified JSON file … which was then loaded and executed by another compromised JavaScript file.”
- [T1082] System Information Discovery – Advanced fingerprinting via FingerprintJS2 to generate a device hash: “FingerprintJS2 is utilized to generate an x64hash128 browser and environmental fingerprint … to create a unique, consistent identifier for the user’s device.”
- [T1041] Exfiltration Over C2 Channel – Covert data staging/exfiltration via POST of Base64-encoded reconnaissance data: “A POST request, transmitting Base64-encoded reconnaissance data (including host, url, useragent, fingerprint, referrer, time, and a unique identifier), is sent to an attacker’s endpoint.”
- [T1105] Ingress Tool Transfer / Adaptive Payload Delivery – Dynamic loading of subsequent scripts from URLs returned by C2: “Successful C2 responses trigger the dynamic loading of a subsequent script from a URL provided in the response’s data field … leading to BADAUDIO landing pages.”
- [T1189] Drive-by Compromise / Strategic Web Compromise – Use of injected JavaScript on compromised sites with conditional targeting: “legitimate websites were weaponized through the injection of a malicious JavaScript payload … excluding non‑Windows platforms to focus on Windows systems.”
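As an added defensive example (not code from the GTIG report or from APT24's tooling), the following Python scores a proxy record against the beacon pattern described under [T1041] and [T1105]: a POST whose Base64 body decodes to JSON carrying the reconnaissance fields, and a response whose data field hands back a follow‑on script URL. The sample request and response are constructed; the field names come from the summary above, while the minimum‑match threshold is an assumption.

```python
"""Score an HTTP record against the recon-beacon pattern: Base64-wrapped JSON
POST with host/url/useragent/fingerprint/referrer/time keys, and a response
whose `data` field is a URL for a follow-on script. Sample data is constructed."""
import base64
import binascii
import json
from typing import Optional

# Field set the summary attributes to the injected script's POST beacon.
RECON_FIELDS = {"host", "url", "useragent", "fingerprint", "referrer", "time"}
MIN_MATCHES = 4  # assumption: tolerate renamed or dropped keys in variants


def decode_recon_body(body: str) -> Optional[dict]:
    """Return the decoded JSON object if `body` is Base64-wrapped JSON, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def score_request(method: str, body: str, response: Optional[str] = None) -> dict:
    """Flag Base64 JSON POSTs carrying the recon key set; record any follow-on URL
    returned in the response's `data` field (the stage-2 hand-off)."""
    result = {"suspicious": False, "matched": [], "followon_url": None}
    if method.upper() != "POST":
        return result
    obj = decode_recon_body(body)
    if obj is None:
        return result
    keys = {k.lower() for k in obj}
    result["matched"] = sorted(keys & RECON_FIELDS)
    result["suspicious"] = len(result["matched"]) >= MIN_MATCHES
    if response:
        try:
            data = json.loads(response).get("data")
            if isinstance(data, str) and data.startswith(("http://", "https://")):
                result["followon_url"] = data
        except (json.JSONDecodeError, AttributeError):
            pass  # response is not a JSON object; nothing to extract
    return result


# Constructed sample of what the described beacon would look like on the wire.
SAMPLE_RECON = json.dumps({"host": "victim.example", "url": "https://victim.example/",
    "useragent": "Mozilla/5.0 (Windows NT 10.0)", "fingerprint": "0123456789abcdef",
    "referrer": "", "time": 1700000000, "uid": "constructed-id"})
SAMPLE_BODY = base64.b64encode(SAMPLE_RECON.encode()).decode()
SAMPLE_RESPONSE = '{"status":"ok","data":"https://stage2.invalid/loader.js"}'

if __name__ == "__main__":
    print(score_request("POST", SAMPLE_BODY, SAMPLE_RESPONSE))
```

In practice the scorer would be fed from proxy or WAF logs that retain POST bodies; a hit on the recon key set plus a returned script URL is the moment the landing‑page redirection begins.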
Indicators of Compromise
- [File Hashes] BADAUDIO binaries and strategic web compromise artifacts – examples: 9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182, 88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213 (and many more hashes).
- [Domains] Stage 2 / C2 and landing pages – examples: wispy.geneva.workers.dev, clients.brendns.workers.dev, and other attacker domains such as www.twisinbeth.com and www.availableextens.com.
- [Modified Supplier / JS filenames] Compromised vendor resources and modified JSON/JS files – the malicious JS/JSON was served from the compromised supplier’s own resources; the specific file identifiers are listed in the GTIG report.
- [Cobalt Strike Watermark] Beacon identifier – Watermark_Hash: BeudtKgqnlm0Ruvf+VYxuw== (used to link Beacon samples to APT24 activity).
- [YARA Rules] Detection signatures – GTIG provided YARA rules (G_Downloader_BADAUDIO_1 … _4) with specific byte patterns and strings (e.g., “SystemFunction036”, base64 character set marker) for BADAUDIO detection.
Read more: https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/