Actor240524 Attack Detection: Novel APT Group Targets Israeli and Azerbaijani Diplomats Using ABCloader and ABCsync Malware

August 12, 2024 · 3 min read

Defenders have discovered a novel APT group dubbed Actor240524, which applies an advanced adversary toolkit to evade detection and gain persistence. At the turn of July 2024, adversaries performed a spear-phishing campaign against diplomats from Azerbaijan and Israel. Attackers leveraged a malicious Word document with content in Azerbaijani that masqueraded as official documentation and was designed to steal sensitive data from the targeted users.

Detect Actor240524 Malicious Activity

The ongoing rise in phishing attacks against organizations in diverse industry sectors continues to be a significant hurdle for cyber defenders. The use of AI technologies for offensive purposes has contributed to this challenge, leading to a staggering 856% increase in malicious emails in 2024. SOC Prime Platform for collective cyber defense equips security teams with a set of curated context-enriched detection algorithms to help them thwart emerging phishing attacks, including content addressing the recent spear-phishing campaign by the new APT group, Actor240524.

Click the Explore Detections button to reach relevant detections filtered by the custom tag “Actor240524”. All Sigma rules are compatible with industry-leading SIEM, EDR, and Data Lake technologies, aligned with the MITRE ATT&CK® framework, and enriched with tailored threat intel. 

Explore Detections

Security engineers can also obtain the entire collection of SOC content to detect malicious activity associated with APT attacks by clicking this link.

Actor240524 Attack Analysis

Researchers at NSFOCUS Security Labs recently identified a novel spear-phishing campaign against Israeli and Azerbaijani diplomats, weaponizing Word files disguised as official documents and embedded with harmful macro code. The analysis of attacker TTPs has uncovered no link to any known APT groups, so defenders track the novel adversary activity as Actor240524.

The offensive campaign appears to be focused on the cooperative relationship between the two nations, specifically targeting diplomatic personnel from both countries via a phishing attack vector. Actor240524’s operation employed newly developed Trojan programs, identified as ABCloader and ABCsync, to steal sensitive data while evading detection.

The infection chain starts with a weaponized phishing Word document containing blurry images. Clicking triggers macro code, which uses the embedded VBA program to decode the malicious payload, save it to a specific path, and execute ABCloader. Once executed, ABCloader decrypts and releases three executable files and then loads a DLL, the ABCsync malware. The latter connects to the C2 server to execute the corresponding tasks and spread the infection further.

ABCsync malware serves as the primary attack payload, with major functions including executing remote shells, altering user data, and stealing user files from the compromised system. Both Trojans use persistent detection evasion techniques, including encryption of key elements like strings and API calls. Moreover, they actively monitor the process environment for signs of debugging, such as the BeingDebugged field and NtGlobalFlag, and utilize NtQueryInformationProcess to detect debugging states, effectively countering anti-malware analysis efforts.

Actor240524 leverages a multi-stage attack with a set of offensive tools, including synchronize.exe, a loader akin to ABCloader, which decrypts itself to maintain persistence. The files vcruntime190.dll and vcruntime220.dll hijack legitimate system components to execute synchronize.exe, ensuring the loader’s ongoing presence in the system.
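The persistence pattern described above can be hunted in image-load telemetry. The following is an added example, not code from SOC Prime or NSFOCUS: it scores events shaped like Sysmon Event ID 7 records against the file names given in the article. The sample events, directory paths, and scoring threshold are constructed assumptions.

```python
import ntpath

# File names below come from the article; paths, events and the
# threshold are constructed for illustration.
LOADER = "synchronize.exe"
HIJACK_DLLS = {"vcruntime190.dll", "vcruntime220.dll"}
# Assumption: only DLLs in these directories count as system copies.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed events using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Sync\synchronize.exe",
     "ImageLoaded": r"C:\Users\Public\Sync\vcruntime190.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\ProgramData\Example\VCRUNTIME220.DLL", "Signed": "false"},
    {"Image": r"C:\Tools\synchronize.exe",  # benign name collision
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

def score_event(event):
    """Return the list of reasons an image-load event looks suspicious."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    dll_dir = ntpath.dirname(loaded)
    reasons = []
    if ntpath.basename(loaded) in HIJACK_DLLS:
        reasons.append("DLL name listed in the report")
        if dll_dir not in SYSTEM_DIRS:
            reasons.append("DLL outside system directories")
        if dll_dir == ntpath.dirname(image):
            reasons.append("DLL sits beside the loading executable")
        if event.get("Signed", "").lower() != "true":
            reasons.append("DLL is unsigned")
    if ntpath.basename(image) == LOADER:
        reasons.append("loader name listed in the report")
    return reasons

def hunt(events, threshold=2):
    """Keep events with at least `threshold` independent indicators."""
    scored = ((e["ImageLoaded"], score_event(e)) for e in events)
    return [(dll, why) for dll, why in scored if len(why) >= threshold]

if __name__ == "__main__":
    for dll, why in hunt(SAMPLE_EVENTS):
        print(f"{dll}: {'; '.join(why)}")
```

Requiring two or more indicators keeps a lone file-name match, such as an unrelated tool called synchronize.exe, from raising an alert on its own.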

The emergence of sophisticated hacking groups like Actor240524, which experiment with versatile offensive tools to maintain persistence and enable remote control, underscores the need for strengthening defensive capabilities. Rely on SOC Prime’s Attack Detective to enhance your organization’s SIEM posture, proactively thwart attacks by adversaries most challenging your business, obtain a prioritized detection stack for high-fidelity alerting, and automate threat hunting routines.
