Exploring the Cyber Tactics of New APT Group Actor240524 Targeting Azerbaijan and Israel – Insights from NSFOCUS, Inc., a Leader in Global Cybersecurity Solutions.

MITRE Techniques

• [T1566] Spearphishing – Brief description: Used spear-phishing emails to target diplomats. “Used spear-phishing emails to target diplomats.”
• [T1203] Execution – Malicious Macro – Brief description: Executed malicious macro code embedded in a Word document. “Executed malicious macro code embedded in a Word document.”
• [T1071] Command and Control – Brief description: Connected to a C2 server for remote command execution. “Connected to a C2 server for remote command execution.”
• [T1003] Credential Dumping – Brief description: Stole sensitive data from compromised systems. “Stole sensitive data from compromised systems.”
• [T1546.001] Persistence (COM Hijacking) – Brief description: Used vcruntime190.dll and vcruntime220.dll for persistence. “Used vcruntime190.dll and vcruntime220.dll for persistence.”
• [T1027] Obfuscated/Compressed Files and Information – Brief description: Important strings within the program and key API functions are encrypted to counteract sandbox detection. “Important strings within the program (file paths, file names, keys, error messages, C2 addresses) and key API functions are encrypted to counteract sandbox detection and static analysis.”
• [T1497] Virtualization/Sandbox Evasion – Brief description: Anti-analysis checks to evade sandboxes; e.g., BeingDebugged/ NtGlobalFlag checks. “The BeingDebugged field and the NtGlobalFlag flag are checked to determine if the process is being debugged.”