Monthly Threat Actor Group Intelligence Report, October 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from September 21 to October 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA04, SectorA05 and Sector07 groups were discovered among SectorA groups this October. SectorA01 group’s hacking activity was found in areas including the United States, Philippines, the United Kingdom, Germany, Nigeria, South Korea and India. SectorA04 group were found in areas including South Korea, United States, Japan and India. Hacking activity of the SectorA05 group was found in South Korea and Ukraine. Hacking activity of the SectorA07 group was found in South Korea.

The SectorA01 group has hacked into cryptocurrency traders by distributing fake cryptocurrency trading programs to both macOS and Windows operating systems.

The SectorA04 group hacked into an ATM Machine operated by an Indian financial firm. The attack is similar to an incident in South Korea in the past, and is a hacking activity aimed at stealing card information input through the hacked ATM device and stealing real money.

The SectorA05 group used a Hangul file (HWP) that disguised it as an expert advisory request document containing the vulnerability. This activity was conducted to collect information related to the SectorA government from academia, universities, and research institutes.

Similar to SectorA05 group, SectorA07 group used malware in the form of a Hangul file. The Hangul file used cryptocurrency mining as a theme. It seems that the hacking activity was performed targeting individuals and organizations related to cryptocurrency trading and mining.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time, and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of seven hacking groups SectorB01, SectorB05, SectorB06, SectorB10, SectorB11, SectorB21 and SectorB22 were discovered among SectorB groups this October. The hacking activity of the SectorB01 group discovered to date include North and South America (including the United States and Brazil), the Middle East (including Turkey, Ukraine and Russian Federation). It was also found in Europe and in Asia (including Thailand, Singapore, Indonesia and South Korea). The SectorB05 group’s hacking activity was found in Vietnam. The SectorB06 group’s hacking activity was found targeting Russian Federation and South Korea. The SectorB11 group’s hacking activity was found in the United States, Poland and Vietnam. The SectorB21 group’s hacking activity was found in Tibet. The SectorB22 group’s hacking activity was found in Asia (including Cambodia, Philippines, Japan, Malaysia and Vietnam), in Europe (including United Kingdom, Ukraine and Russian Federation) and in Central Asia (including Turkmenistan).

The SectorB01 group is focused on using malware related to cryptocurrency, unlike past hacking purposes and activities. Until now, it is not clear why SectorB01 group was using this kind of malware, so it is worth paying attention to their hacking activities in the future.

The SectorB05 group used the name of a Russian security company in its electronic signature in its hacking activity targeting Vietnam.

The SectorB06 group has been spreading malware through fake Russian government websites. They targeted officials of Russian government agencies and intended to collect high-level information related to the activities of Russian government agencies.

The SectorB10 group has been targeting South Korean government agencies since 2016 up till now.

The SectorB11 group used spear phishing to target individuals related to the Vietnamese government. They attach malicious document files to their email, and used legitimate government documents such as official guidelines, official documents, press releases, and surveys as decoy files.

The SectorB21 group conducted a hacking campaign against the Tibetan government. They used various vulnerabilities against Windows, Mac and Android operating systems.

The SectorB22 group attached archive files that contained shortcut files to spear phishing emails and targeted to government agencies.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups SectorC01, SecotorC02 and SectorC04 were discovered among SectorC groups this October. Hacking activity of the SectorC01 group was found in the United States, Belarus, United Kingdom, Belgium, Ukraine and Canada. Hacking activity of the SectorC02 group was found in Belarus, Russian Federation, United Kingdom, Sweden, Georgia, Bulgaria, Brazil and Italy. Hacking activity of the SectorC04 group was found in Israel, Romania and Moldova.

The SectorC01 group used a spear phishing email which had an MS Word file attached. When executing the document file, it download a remote template hosted on Dropbox to downloaded execute a document which included a malicious macro script.

The SectorC02 group lured victims with malware disguised as legitimate software from illegal software download sites (warez) and monitors victim’s networks activity.

The SectorC04 group’s hacking campaign target government agencies performing diplomatic affairs. They used a spear phishing email that contained a link, and when the link was clicked, an image containing malware which was created with stenography was downloaded.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located near to the government agencies supporting SectorC.

4. SectorD Activity Features

A total of six hacking groups SectorD01, SectorD02, SectorD05, SectorD10, SectorD11 and SectorD15 were discovered among SectorD groups this October. Hacking activity of the SectorD01 group was found in the United States and Ireland. Hacking activity of the SectorD02 group was found in Lebanon, Ireland, Iraq, South Korea and Canada. Hacking activity of the SectorD05 group was found in the United States and Israel. Hacking activity of the SectorD10 group was found in the United States. Hacking activity of the SectorD11 group was found in France, Saudi Arabia, the United States, Netherlands, Brazil and Russia. Hacking activity of the SectorD15 group was found in Algeria, the United Kingdom, the United Arab Emirates, Saudi Arabia and the United States.

The SectorD01 group modified malware that had DNS tunneling functions first discovered in November 2018 and reused it in this hacking activity.

The SectorD02 group attached a Microsoft Excel file containing a malicious macro to a spear phishing email. After that, the encoded VBS script would be decoded and executed using the the legitimate wscript.exe.

The SectorD05 group used social media to post malicious links that redirect to specific websites, or send SMS messages containing malicious links to individuals of opposition about government agencies. Sometime they used spear phishing emails that included malicious links.

The SectorD10 group was primarily hacking into universities in the United States and used emails containing malicious links redirect to phishing sites.

The SectorD11 group produced malicious APK files written in Persian and wanted to collect information from hacked Android-based smartphones.

The SectorD15 group created malicious websites using an American Gulf War veterans theme. The website, which says it will hire veterans, sends the input information to the attacker’s server.

SectorD groups conducted hacking activities targeting countries that are related to political rivalries to a certain country. The purpose of the recent hacking activities of the SectorD groups is to collect high-level information such as political and diplomatic activities of people or nations opposed to a specific government.

5. SectorE Activity Features

A total of three hacking groups SectorE02, SectorE04 and SectorE05 were discovered among SectorE groups this October. Hacking activity of the SectorE02 group was found in Pakistan and the United Kingdom. Hacking activity of the SectorE04 group was found in Taiwan, France, Russia, Germany, United States, Malaysia and China. Hacking activity of the SectorE05 group was found in China, Japan, Ukraine, Pakistan, the United States, Philippines and United Kingdom.

The SectorE02 group used malware with PDF file icons and the RLO (Right to Left Override) naming technique. A specific URL is accessed by the malicious code which downloads and executes additional malware.

The SectorE04 group used a malicious document file containing the CVE-2017-11882 vulnerability as an attachment to a spear phishing email. Via the vulnerability, it also downloads and runs HTA scripts.

The SectorE05 group used the SFX executable archive file as an attachment to the spear phishing email. Inside the compressed file, malware was embedded along with image files of auto parts produced by a specific Thai company.

Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. However, recently they expanded activity to East Asia and other regions, including China, where the share of activities to obtain high-level information on politics, diplomacy and technology of other countries is also increasing.

6. SectorF Activity Features

The SectorF01 group was discovered among SectorF groups this October. Hacking activity of the SectorF01 group was found in Cambodia.

The SectorF01 group used the SFX executable compressed file disguised with a MS Word document icon for hacking. The SFX file archive contained files with pkg and bin extensions.

The SectorF01 group aims to gather high-level information including political, diplomatic and military activities in countries nearby. They also aim to steal advanced technical information to advance their economic development.

7. SectorH Activity Features

The SectorH01 group was discovered among SectorH groups this October. SectorH01 group’s activity was found in China, Germany, Italy, Japan, Belgium, France, the Czech Republic and the United States.

The SectorH01 group attached malicious MS Excel files to spear phishing emails. The macro script embedded in the document file is configured to run HTA scripts hidden on the attacker’s Blogspot website.

The hacking activities of the SectorH group include hacking activity for both cyber crimes and government support purposes. In particular, as diplomatic friction with neighboring continues, activities to gather high-level military and political information from them will also continue.

8. SectorP Activity Features

A total of two hacking groups, SectorP01 and SectorP02 were discovered among the SectorP groups this October. Hacking activity of the SectorP01 group was found in Turkey, United States, Algeria, Kuwait, Syria, India, China and Germany. Hacking activity of the SectorP02 group was found in Canada, Syria, Austria, the United States and Turkey. SectorP group usually directly hacks websites, news media, and Twitter accounts to post images that relate to their political ideology or post criticisms of opposing forces.

The SectorP01 group is conducting hacking against dissidents who oppose political activity of certain governments, usually targeting Windows and Android systems.

The SectorP02 group used social engineering and watering hole techniques lead their targets to websites which distribute malware. The disseminated Android malware were mainly disguised as an installation program of normal software.

The hacking activity of the SectorP group were directed against dissidents who oppose political activity by certain governments. In particular, the proportion of malware that runs on Android smartphones is higher than that of Windows-based malware. This is due to the fact that internet usage in the country is higher in smartphones than in PCs, and the phone contains more information related to dissidents. These hacking activities are expected to continue in the future.

9. Cyber Crime Activity Features

Hacking activity of the SectorJ01, SectorJ02, SectorJ03, SectorJ04, SectorJ07 and SectorJ09 groups were discovered this October. Hacking activity of the SectorJ01 group was discovered in the United Kingdom, Russia, United States, United Arab Emirates, China, Romania and Bulgaria. Hacking activity of the SectorJ02 group was found in the Philippines. Hacking activity of the SectorJ03 group was discovered in India, United Arab Emirates and Jordan. Hacking activity of the SectorJ04 group was discovered in Bosnia, the United Kingdom, Slovenia, Canada, Germany, Switzerland, France, Poland, South Korea, Japan, the United States, United Arab Emirates and Spain. Hacking activity of the SectorJ07 group was found in Hong Kong, China, Hungary and Spain. Hacking activity of the SectorJ09 group was found in the Czech Republic and Ukraine.

Unlike most other government-sponsored hacking groups, SectorJ groups seize information of financial value to make money in the real world, directly hack specific companies and organizations and run ransomware on their internal networks, or seize important industrial secrets in order to intimidate and extort victims.

The SectorJ01 group includes malicious URLs in the body of spear phishing emails that download MS Word files which are disguised as visa-related documents.

The SectorJ02 group inserted skimmer code to a JavaScript library provided by an e-commerce service provider to many online stores. When customers payments were made using credit cards, the skimmer code secretly collected the credit card payment information.

The SectorJ03 group attached MS Word documents containing malicious macro scripts to spear phishing emails. The macro script downloads and executes a Visual Basic script from a specific URL, which then downloads and executes an MSI file from a specific server.

The SectorJ04 group continued using large-scale spam emails, and kept their existing characteristics such as using malicious documents with an Office theme. However, they have also started using a new malware written in C++ which other researchers have called SDBBot. It has the characteristic of using the SDB (Shim Database) file to maintain the persistence in the infected system.

The SectorJ07 group attacked Linux-based systems using ELF malware in the same manner as their past activities, continuously carrying out cryptomining activities.

Similar to the SectorJ02 group, the SectorJ09 group inserted a skimming script into web pages of several online stores to collect payment and personally identifiable information (PII) each time a credit card payment occurs.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.