The threat group APT-Q-27 has been actively attacking Web3 customer support teams. The attackers send fake links to screenshots in live chat windows to secretly install a persistent backdoor on the victim's computer.

The group, which is also known as GoldenEyeDog, has been active since at least 2022 and has a long history of targeting the gambling and cryptocurrency industries. Instead of waiting for victims to stumble onto a malicious page, the attackers go straight to the support queue and pose as confused customers who need help with a transaction. The malware also quietly disables User Account Control by modifying three different registry keys, which removes a key layer of Windows protection without the victim ever seeing a prompt.

The final implant talks to 37 hardcoded command-and-control servers over TCP port 15628 and registers itself as a Windows service called "Windows Eventn," a misspelling meant to make it pass as a legitimate Windows service. The staging directory mimics the Windows Update cache path, and every installation carries a hardcoded @27 tag in the directory name. Security teams should block all outgoing connections on TCP port 15628 and add the 37 known C2 IP addresses to their network blocklists.

Searching for the registry value "SystemUpdats" and for staging directories with the @27 suffix will surface active infections. Detection rules should also trigger an alert when all three UAC registry keys are disabled at the same time, since no legitimate software does this.
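As an added example, not code from the original article or from any vendor: a small Python detection routine that applies the indicators above to constructed Sysmon-style events. The three UAC value names and their registry key are an assumption (the article names neither), and the SystemUpdats location, staging path, hostnames and timestamps are constructed sample data.

```python
from collections import defaultdict

# Assumption: the three UAC values the article refers to are the standard ones
# under this key (the article names neither the key nor the values).
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
C2_PORT = 15628                  # from the article
SERVICE_NAME = "Windows Eventn"  # misspelled service name from the article
SUSPECT_VALUE = "SystemUpdats"   # registry value name from the article
SUSPECT_SUFFIX = "@27"           # staging-directory tag from the article

def detect(events, window_seconds=300):
    """Return (host, rule) alerts. The UAC rule fires only when all three values
    are set to 0 on one host within window_seconds; a lone change does not alert."""
    alerts = []
    uac_hits = defaultdict(dict)  # host -> {value_name: timestamp}
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "registry_set":
            key, _, name = ev["target"].rpartition("\\")
            if key.lower() == UAC_KEY.lower() and name in UAC_VALUES and ev["data"] == "0":
                hits = uac_hits[host]
                hits[name] = ev["ts"]
                if set(hits) == UAC_VALUES and max(hits.values()) - min(hits.values()) <= window_seconds:
                    alerts.append((host, "uac_fully_disabled"))
                    uac_hits[host] = {}  # reset so the same burst is reported once
            elif name == SUSPECT_VALUE:
                alerts.append((host, "registry_value_SystemUpdats"))
        elif kind == "file_create" and SUSPECT_SUFFIX in ev["path"]:
            alerts.append((host, "staging_dir_@27"))
        elif kind == "net_connect" and ev["dport"] == C2_PORT:
            alerts.append((host, "outbound_tcp_15628"))
        elif kind == "service_install" and ev["name"] == SERVICE_NAME:
            alerts.append((host, "service_windows_eventn"))
    return alerts

# Constructed sample events (Sysmon-like; hosts, paths and timestamps are made up).
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "registry_set", "target": UAC_KEY + r"\EnableLUA", "data": "0"},
    {"ts": 101, "host": "ws01", "type": "registry_set", "target": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "data": "0"},
    {"ts": 102, "host": "ws01", "type": "registry_set", "target": UAC_KEY + r"\PromptOnSecureDesktop", "data": "0"},
    {"ts": 103, "host": "ws01", "type": "registry_set", "target": r"HKLM\SOFTWARE\Example\SystemUpdats", "data": "1"},
    {"ts": 104, "host": "ws01", "type": "file_create", "path": r"C:\Windows\SoftwareDistribution\Download\cache@27\svc.exe"},
    {"ts": 105, "host": "ws01", "type": "service_install", "name": "Windows Eventn"},
    {"ts": 106, "host": "ws01", "type": "net_connect", "dport": 15628, "dst": "203.0.113.10"},
    {"ts": 500, "host": "ws02", "type": "registry_set", "target": UAC_KEY + r"\EnableLUA", "data": "0"},
    {"ts": 600, "host": "ws02", "type": "net_connect", "dport": 443, "dst": "198.51.100.5"},
]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts for ws01 and none for ws02, whose single EnableLUA change stays below the "all three keys" threshold.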

Any one of these indicators would expose the lure file for what it is and bring the infection to light. We don't know if any of the 37 C2 addresses listed in this article are still part of the C2 network. Computerworld first published this article.
