Google exposes BadAudio malware used in APT24 espionage campaigns

China-linked APT24 hackers have been using a previously undocumented malware called BadAudio in a three-year espionage campaign that recently switched to more sophisticated attack methods.

Starting July 2024, APT24 repeatedly compromised a digital marketing company in Taiwan that provides JavaScript libraries to client websites. Through this tactic, the attackers injected malicious JavaScript into a widely used library that the firm distributed and registered a domain name that impersonated a legitimate Content Delivery Network (CDN). This enabled the attacker to compromise more than 1,000 domains.

The malware is engineered with control flow flattening, a sophisticated obfuscation technique that systematically dismantles a program's natural, structured logic, the Google Threat Intelligence Group (GTIG) explains in a report today. This method replaces linear code with a series of disconnected blocks governed by a central 'dispatcher' and a state variable, forcing analysts to manually trace each execution path and significantly impeding both automated and manual reverse engineering efforts.

Of the eight samples GTIG researchers provided in their report, only two are flagged as malicious by more than 25 antivirus engines on the VirusTotal scanning platform. The rest of the samples, with a creation date of December 7, 2022, are detected by up to five security solutions.

Read the complete article here.
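The dispatcher-and-state-variable structure described above, shown as an added illustration that is not code from the report or from the malware: the same small checksum routine in its ordinary form and after control flow flattening, so an analyst can recognise the pattern in decompiler output. The state labels and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Original, structured form: a small rolling checksum over a buffer. */
uint32_t checksum_plain(const uint8_t *buf, size_t len) {
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] & 1)
            acc = (acc * 31) + buf[i];
        else
            acc ^= buf[i];
    }
    return acc;
}

/* Same logic after control flow flattening: each basic block becomes one
 * case of a switch driven by a state variable inside an endless dispatcher
 * loop. The loop and the if/else are no longer visible as structure; the
 * real execution order is only recoverable by tracking assignments to
 * `state`, which is what makes automated and manual analysis slower. */
uint32_t checksum_flattened(const uint8_t *buf, size_t len) {
    /* Constructed, arbitrary labels; a real obfuscator randomises these. */
    enum { ST_CHECK = 0x1A2B, ST_ODD = 0x3C4D, ST_EVEN = 0x5E6F,
           ST_NEXT = 0x7081, ST_DONE = 0x92A3 };
    uint32_t acc = 0;
    size_t i = 0;
    unsigned state = ST_CHECK;
    for (;;) {                       /* the central dispatcher */
        switch (state) {
        case ST_CHECK:               /* loop condition + branch decision */
            state = (i < len) ? ((buf[i] & 1) ? ST_ODD : ST_EVEN) : ST_DONE;
            break;
        case ST_ODD:                 /* former 'if' body */
            acc = (acc * 31) + buf[i];
            state = ST_NEXT;
            break;
        case ST_EVEN:                /* former 'else' body */
            acc ^= buf[i];
            state = ST_NEXT;
            break;
        case ST_NEXT:                /* former loop increment */
            i++;
            state = ST_CHECK;
            break;
        default:                     /* ST_DONE: former 'return' */
            return acc;
        }
    }
}

/* Constructed sample input: both forms must give the same checksum. */
static const uint8_t SAMPLE[] = {1, 2, 3};
static const size_t SAMPLE_LEN = sizeof(SAMPLE);
```

Both functions return 96 for the sample bytes; the flattened form computes exactly the same value, which is the point of the technique: behaviour is preserved while the readable structure is destroyed.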

This post is licensed under CC BY 4.0 by the author.