A new advanced persistent threat (APT) hacking group named AtlasCross has been discovered targeting organizations with phishing lures impersonating the American Red Cross to deliver backdoor malware.
Cybersecurity firm NSFocus identified two previously undocumented trojans, DangerAds and AtlasAgent, associated with attacks by the new APT group.
NSFocus reports that the AtlasCross hackers are sophisticated and evasive, preventing the researchers from determining their origin.
The group’s attacks begin with a phishing email that pretends to be from the American Red Cross, requesting the recipient to participate in a “September 2023 Blood Drive.” The email contains a macro-enabled Word document (.docm) attachment that urges the victim to click “Enable Content” to view the hidden content. Doing so will trigger malicious macros that infect the Windows device with the DangerAds and AtlasAgent malware.
DangerAds functions as a loader, assessing the host environment and running built-in shellcode if specific strings are found in the system’s username or domain name. This suggests that AtlasCross has a narrow targeting scope, focusing on specific organizations or industries. Eventually, DangerAds loads x64.dll, which is the AtlasAgent trojan, the final payload delivered in the attack.
The sources for this piece include an article in BleepingComputer.
