A novel APT hacking group, AtlasCross, has been detected, aiming at organizations by employing phishing techniques that disguise themselves as the American Red Cross, with the ultimate goal of deploying backdoor malware.

The cybersecurity entity NSFocus unveiled two hitherto unknown trojans, DangerAds and AtlasAgent, linked with onslaughts by this emerging APT faction.

According to findings by NSFocus, AtlasCross hackers display advanced and elusive tactics, making it difficult for researchers to pinpoint their roots.

NSFOCUS Security Labs conveyed through their findings that the methodologies utilized by this APT group considerably deviate from the generally known characteristics of such attackers, spanning across aspects like execution pathways, technical stacks, tools, operational specifics, goals, behavior patterns, and other crucial identification markers.

The group’s adeptness in technique and their prudent approach during operations has been highlighted as noteworthy.

AtlasCross Operational Methodology

The modus operandi of AtlasCross typically starts with a phishing email, crafted to appear as if it’s from the American Red Cross, inviting the receiver to be part of a “September 2023 Blood Drive.”

Such emails usually have an appended macro-activated Word document (.docm). Recipients are enticed to click on “Enable Content” to reveal concealed information.

However, succumbing to this action activates harmful macros that subsequently compromise the Windows machine with DangerAds and AtlasAgent malware.

The initial step for these macros involves unzipping a package on the Windows device which releases a file named KB4495667.pkg, identified as the DangerAds system profiler and malware dispatcher. A recurrent task, titled “Microsoft Office Updates,” is set up to initiate DangerAds for a consecutive three days.

DangerAds primarily works as a conduit, evaluating the host milieu and executing embedded shellcode when specific string matches are discovered in the system’s user or domain name, exemplifying AtlasCross’s precise targeting strategy.

In due course, DangerAds initiates x64.dll, recognized as the AtlasAgent trojan, marking the culmination of the malicious payload delivery.

Insights into AtlasAgent

AtlasAgent, tailored in C++, encompasses principal features like extracting host and process specifics, thwarting the activation of numerous applications, executing supplementary shellcode on the infiltrated machine, and fetching files from the attacker’s command and control servers.

On its inaugural activation, this malware dispatches details to the attacker’s servers, which cover information like local computer identity, network device specifics, local IP, network card data, OS design and version, and an ongoing process enumeration.

Subsequent to this, the attacker’s servers reciprocate with directives for AtlasAgent to follow. These commands are either processed via new pathways or amalgamated within current processes, complicating detection by security mechanisms.

AtlasAgent is equipped to handle a myriad of commands ranging from obtaining system and process details to directly running shellcode or introducing it into particular processes.

Despite NSFocus’s unveiling of this new hacking ensemble, AtlasCross remains an enigma, functioning with ambiguous intentions and a nebulous target range.

AtlasCross’s preference for discreet incursion techniques, even at the cost of efficacy, along with its customized trojans and malware dispatchers, hints at their capability to function covertly for an unspecified span.