Monthly Threat Actor Group Intelligence Report, February 2020

This is a summary of the activity of suspected state-sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from January 21, 2020 to February 20, 2020.

1. SectorA Activity Features

A total of one hacking group, SectorA05, was discovered among SectorA groups this February.

SectorA05 group’s hacking activity was found in South Korea, Malaysia and Ukraine.

The SectorA05 group used malware in the form of a Hangul (HWP) document file. As in the past, the file contains an EPS (Encapsulated PostScript) object. When the document is opened, an executable file that collects information about the infected system is created.

The purpose of the hacking activities of the SectorA groups to date is to collect high-quality information about the political and diplomatic activities of South Korea and to steal money from financial organizations around the world. This purpose has remained the same for a long time and is expected to continue unchanged for the time being.

2. SectorB Activity Features

A total of seven hacking groups, SectorB01, SectorB03, SectorB06, SectorB07, SectorB10, SectorB14 and SectorB22, were discovered among SectorB groups this February.

SectorB01 group’s hacking activity was found in Hong Kong, Iran and China. The SectorB01 group used malware variants it had used in the past to target universities located in Hong Kong. The malware, a DLL file, was disguised as a component of legitimate software and was executed by DLL side-loading.

SectorB03 group’s hacking activity was found in Singapore, Australia, South Korea, Hong Kong, United States, Vietnam, Romania, China, United Kingdom, Philippines and Gibraltar. The SectorB03 group used spear phishing emails with malware attached in the form of MS Word files. They used various infection methods, such as embedding an EXE file in the document or downloading additional malware with a BAT or PowerShell script stored inside the document’s objects. Finally, the downloaded malware is executed by DLL side-loading and collects information.

SectorB06 group’s hacking activity was found in Mongolia and China. The SectorB06 group used an RTF document themed on COVID-19, which is currently a worldwide issue. The document was disguised as a daily report on the status of COVID-19 written by the Ministry of Health of Mongolia.

SectorB07 group’s hacking activity was found in Malaysia, Kuwait, Vietnam, Laos, China and United States. The SectorB07 group used spear phishing emails with an MS Word file attached. The document exploits the vulnerabilities CVE-2014-6352 and CVE-2017-0199. It also generates and executes an executable file using macro scripts.

SectorB10 group’s hacking activity was found in Japan, Czech Republic and Thailand. The SectorB10 group used malware similar to what it has used over the last 6 months; the malware has been in use at least since mid-2018. Alongside the group’s self-made malware, a modified version of publicly available source code was found.

SectorB14 group’s hacking activity was found in Vietnam, United Kingdom, Sweden, Singapore, Taiwan, China and United States. The SectorB14 group used malware in the form of an RTF file exploiting the CVE-2017-11882 vulnerability. The contents of the document are a news article about disputes between the Vietnamese government and local governments.

SectorB22 group’s hacking activity was found in India, France, United States, South Korea, Switzerland, Cambodia, Ukraine, China, Australia, Vietnam and Hong Kong. The SectorB22 group used malware that, when a removable storage device is present, creates a hidden directory on it and copies itself, its loader and a DAT file there in order to spread through the portable storage device. It also searches for documents with specific extensions, compresses them and delivers them to the C2 server.

The purpose of the hacking activities of the SectorB groups to date is to collect high-level information such as the political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of one hacking group, SectorC08, was discovered among SectorC groups this February.

SectorC08 group’s hacking activity was found in Ukraine, France, United States, Turkey, Slovakia, United Arab Emirates, Germany, Russia, China, India, Netherlands and Bulgaria.

The SectorC08 group used spear phishing emails. The emails download a template file containing malicious VBS scripts from the attacker’s server.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as the political and diplomatic activities of countries located near the country supporting SectorC.

4. SectorD Activity Features

A total of four hacking groups, SectorD01, SectorD05, SectorD12 and SectorD16, were discovered among SectorD groups this February.

SectorD01 group’s hacking activity was found in Kuwait, Lebanon, Libya, Jordan, Cyprus, United States, Armenia, Syria, Sweden, Turkey, Egypt, United Arab Emirates, Iraq and Albania. The SectorD01 group collects the initial information needed to access DNS (Domain Name System) servers using spear phishing emails and known vulnerabilities. After accessing the DNS server with the collected information, the group manipulates records so that the victim is directed to the attacker’s DNS server. When the victim makes a request, the IP address of a MitM (Man in the Middle) server disguised as the normal service is returned, allowing additional information such as certificates and account credentials to be collected.

SectorD05 group’s hacking activity was found in India. The SectorD05 group used spear phishing emails with malicious links to collect targets’ account information. A backdoor used to collect information from the infected system and send it to the attacker was also found in this activity.

SectorD12 group’s hacking activity was found in Spain, Germany, United Arab Emirates, Sweden, Poland, Netherlands, Saudi Arabia, China, Italy, India, United States, Israel and Japan. The SectorD12 group targeted ICS (Industrial Control Systems) organizations, including the energy sector.

SectorD16 group’s hacking activity was found in Singapore, Philippines, United Arab Emirates, United States, Saudi Arabia, Austria, Italy, Hungary, Poland, France, Australia, Lebanon, Russia, Israel, India, Germany, Netherlands, Taiwan and Iran. The SectorD16 group used VPN gateway vulnerabilities, CVE-2019-11510, CVE-2018-13379 and CVE-2018-1579, to gain access to the target systems. After gaining access to the internal network, they installed additional malware to attempt lateral movement. Collected information, such as account credentials, was sent to the attacker’s server. They used various commercial programs alongside self-made malware.

The SectorD groups conducted hacking activities targeting countries related to the political rivals of SectorD.

Their purpose is to collect high-level information such as the political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of three hacking groups, SectorE01, SectorE02 and SectorE05, were discovered among SectorE groups this February.

SectorE01 group’s hacking activity was found in China, Japan, Hong Kong, United Kingdom and Italy. The SectorE01 group used malware in the form of MS Excel and Word files themed on COVID-19. The malware is delivered to users through spear phishing links.

SectorE02 group’s hacking activity was found in Germany, France and Italy. The SectorE02 group used an RTF file that executes a malicious DLL via the CVE-2017-11882 vulnerability, as in the past. The same malware name has been found in the SectorE02 group’s activity over the past few months.

SectorE05 group’s hacking activity was found in Pakistan and United States. The SectorE05 group used Android malware disguised as a news app. When executed, the malware collects location information, call logs and account information, sends and receives SMS messages, records audio and changes network settings.

Until now, the hacking activities of the SectorE groups have been intended to gather high-level information, including political, diplomatic and military activities involving the Pakistani government. Recently, however, they have expanded their activity to East Asia and other regions, including China, as their efforts to obtain high-level political, diplomatic and technological information on other countries have increased.

6. SectorH Activity Features

A total of two hacking groups, SectorH01 and SectorH03, were discovered among SectorH groups this February.

SectorH01 group’s hacking activity was found in United States, Vietnam, Australia, Poland, Denmark, Germany, Singapore, Portugal, Brazil, Hungary, Israel, Argentina, India, United Kingdom, Spain and Philippines. The SectorH01 group targets various service industries such as hotels, food service, tourism and casinos. They used spear phishing emails with MS Word, Excel and PowerPoint documents attached.

SectorH03 group’s hacking activity was found in India, Switzerland, United Arab Emirates and Russia. The SectorH03 group used spear phishing emails with an MS Excel file attached, disguised as a document about national defense.

The hacking activities of the SectorH groups include activity for both cybercrime and government-support purposes. As diplomatic friction with neighboring countries continues to increase, activities to gather high-level military and political information from them will also continue.

7. SectorL Activity Features

A total of one hacking group, SectorL01, was discovered among SectorL groups this February.

SectorL01 group’s hacking activity was found in Romania, Germany and Turkey.

The SectorL01 group used malware disguised as a normal software installer, such as the WinRAR compression utility, as in the past. After installing another backdoor for remote access, the malware searches for sensitive documents and communicates with the C2 server using SSL (Secure Sockets Layer).

The SectorL group aims to gather high-level information, including political, diplomatic and military activities, in nearby countries. Recently, however, an increasing share of its activity has been aimed at obtaining high-level political, diplomatic and technological information on other countries.

8. Cyber Crime Activity Features

A total of three hacking groups, SectorJ03, SectorJ04 and SectorJ09, were discovered among SectorJ groups this February.

The hacking activities of these groups, unlike those of government-sponsored hacking groups, target information of monetary value. They hack specific companies and organizations and then deploy ransomware on their internal networks, or steal important industry secrets and then threaten them to demand monetary payment.

SectorJ03 group’s hacking activity was found in Ireland, Romania, Palestine, Netherlands, United Kingdom, China, Colombia, Spain, South Korea, Canada, United States and Israel. The SectorJ03 group used spear phishing emails with malicious links or attachments as the initial infection method.

SectorJ04 group’s hacking activity was found in Ireland, Israel, Belgium, Mexico, Philippines, Spain, Italy, India, Japan, Hong Kong, Malaysia, Vietnam, Ukraine, Germany, Canada, Netherlands, China, United Kingdom, Australia, United Arab Emirates, Colombia, Austria, Portugal, Russia, Nigeria, Romania, Hungary, France, South Korea and United States. The SectorJ04 group used spam emails sent through a self-hosted email marketing solution. They mainly attacked the financial sector. The malicious MS Word document attached to the spam email contains hidden macro scripts. When the scripts execute, a malicious DLL is downloaded from the attacker’s server and executed using “regsvr32.exe”.
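As an added detection illustration (not part of the NSHC report or its IoCs), the following Python script scores process-creation events for the execution chain described above: an Office process spawning regsvr32.exe to register a DLL from a user-writable directory. The event fields, sample paths and the list of user-writable directories are assumptions.

```python
# Added example, not from the report: flag regsvr32.exe registering a DLL
# from a user-writable path, especially when spawned by an Office process.
import re
from typing import Dict, List

# Directory fragments normal software rarely registers DLLs from (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events: parent image, image and command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},
]

def _basename(path: str) -> str:
    # Lowercased file name of a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _dll_arg(cmdline: str) -> str:
    # First .dll argument on the command line (quoted or not), lowercased.
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)).lower() if m else ""

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the reported chain (empty if none)."""
    reasons: List[str] = []
    if _basename(ev["image"]) != "regsvr32.exe":
        return reasons
    dll = _dll_arg(ev["cmdline"])
    if any(frag in dll for frag in USER_WRITABLE):
        reasons.append("dll in user-writable path")
    if _basename(ev["parent"]) in OFFICE_PARENTS:
        reasons.append("spawned by Office process")
    return reasons

def find_suspicious(events: List[Dict[str, str]]):
    # Pair each matching command line with its reasons for triage.
    return [(ev["cmdline"], score_event(ev)) for ev in events if score_event(ev)]
```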

SectorJ09 group’s hacking activity was found in United States, United Kingdom and India. The SectorJ09 group collects users’ credit card payment information by inserting obfuscated skimming scripts into websites, as in the past. The JavaScript was hosted on other previously compromised websites, not on the attacker’s server.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.