The cyberespionage group known as APT24, also identified as LuckyMouse and Emissary Panda, has been linked to a sophisticated supply chain attack targeting a government entity in the Middle East. The campaign involved the deployment of a previously undocumented malware backdoor named BadAudio. This operation represents the first publicly documented instance of APT24 leveraging a supply chain compromise for initial network access, marking a notable evolution in the group’s tactics.
The Supply Chain Compromise
The initial access vector was the compromise of a legitimate website belonging to a European audio company. APT24 trojanized the company's legitimate software installer (the file named v4.3.0.exe) and placed the modified copy on the compromised site, where it was served to anyone downloading the product. The intended victims were employees of the targeted Middle Eastern government entity who use this audio software. Researchers determined that the malicious installer was likely available for download from the compromised website between September 2022 and September 2023, a window of roughly a year.
BadAudio Malware Analysis
The trojanized installer package contained the legitimate application files alongside two malicious components: msvcr100.dll and ffmpeg.dll. The first, msvcr100.dll, is a malicious loader that runs via DLL side-loading: the file carries the name of the Microsoft Visual C++ 2010 runtime library, and because the legitimate application resolves a DLL of that name from its own directory, the planted copy is loaded into the trusted application's process instead of the genuine runtime. The loader's only job is to decrypt and launch the main payload, which is stored in encrypted form in the file named ffmpeg.dll. That payload, BadAudio, is a modular backdoor designed for espionage. It communicates with a Command and Control (C2) server over TCP using a complex, encrypted protocol, and it supports plugins that extend its information-stealing capabilities. For defenders, the practical signature of this pattern is a runtime or system DLL sitting next to an application executable whose contents do not match the Microsoft-signed copy on the same host.
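The two checks a practitioner would want to run against an installer like the one described above are the integrity check that should have happened before installation (does the downloaded installer match the hash the vendor published out of band?) and the side-loading triage that catches the loader afterwards (does a DLL bearing a runtime library name such as msvcr100.dll differ from the trusted system copy?). The script below is an added example, not code from ESET or from the audio vendor. It assumes a directory of trusted reference DLLs (on a real Windows host this would be C:\Windows\System32, SysWOW64 or a clean golden image) and uses constructed file contents and hashes; the list of commonly side-loaded DLL names is the author's own and is not taken from the report.

```python
"""Installer integrity check and DLL side-loading triage (added example).

Assumptions: `reference_dir` holds trusted copies of runtime DLLs; sample
file contents and the "published" hash in demo() are constructed here.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Runtime/system DLL names that are commonly bundled next to an EXE and are
# therefore attractive for side-loading. msvcr100.dll is the one used here;
# the rest are the author's additions, not names from the report.
COMMONLY_SIDELOADED = {
    "msvcr100.dll", "msvcp100.dll", "version.dll", "dbghelp.dll",
    "wininet.dll", "userenv.dll", "cryptbase.dll", "dwmapi.dll",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(installer: Path, published_sha256: str) -> bool:
    """True only if the downloaded installer matches the hash the vendor published out of band.

    A hash fetched from the same compromised site proves nothing; the pin must
    come from a second channel (signed release notes, package manifest, etc.).
    """
    return hmac.compare_digest(sha256_file(installer), published_sha256.lower())


def find_sideload_candidates(app_dir: Path, reference_dir: Path) -> list[dict]:
    """Flag DLLs in app_dir whose names collide with runtime DLLs but whose bytes differ from the trusted copy.

    This catches the loader (msvcr100.dll), not the payload: ffmpeg.dll is a
    normal third-party library name and is only found by following the loader.
    """
    findings = []
    for dll in app_dir.rglob("*.dll"):
        name = dll.name.lower()
        if name not in COMMONLY_SIDELOADED:
            continue
        ref = reference_dir / name
        if not ref.exists():
            findings.append({"file": dll.name, "reason": "no trusted reference copy"})
        elif sha256_file(dll) != sha256_file(ref):
            findings.append({"file": dll.name, "reason": "hash differs from trusted copy"})
    return findings


def demo() -> dict:
    """Build a constructed application tree mirroring the described package and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ref = root / "reference"
        app = root / "app"
        ref.mkdir()
        app.mkdir()
        genuine_crt = b"genuine CRT runtime bytes (constructed)"
        (ref / "msvcr100.dll").write_bytes(genuine_crt)
        (ref / "msvcp100.dll").write_bytes(genuine_crt)
        # Planted loader with the runtime's name, plus the encrypted payload and an untouched runtime DLL.
        (app / "msvcr100.dll").write_bytes(b"MZ loader that decrypts ffmpeg.dll (constructed)")
        (app / "ffmpeg.dll").write_bytes(b"encrypted BadAudio payload blob (constructed)")
        (app / "msvcp100.dll").write_bytes(genuine_crt)
        installer = app / "v4.3.0.exe"
        installer.write_bytes(b"trojanized installer bytes (constructed)")
        vendor_pin = hashlib.sha256(b"original installer bytes (constructed)").hexdigest()
        return {
            "installer_matches_vendor_pin": verify_installer(installer, vendor_pin),
            "installer_matches_itself": verify_installer(installer, sha256_file(installer)),
            "flagged": sorted((f["file"], f["reason"]) for f in find_sideload_candidates(app, ref)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only msvcr100.dll is flagged: msvcp100.dll is byte-identical to the reference and ffmpeg.dll does not carry a system DLL name, which is exactly why the loader, not the payload, is the file a name-collision check can surface. On a live host, replace the reference directory with the Microsoft-signed copies and add Authenticode verification of any flagged file before treating it as malicious.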
ESET researchers, who discovered the campaign, attribute it to APT24 with high confidence. The attribution rests on significant code similarities with known APT24 tools, including the SysUpdate malware family and the HyperBro backdoor, and on overlaps between the BadAudio C2 infrastructure and network infrastructure previously used by the group.