Monthly Threat Actor Group Intelligence Report, December 2019
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from November 21 to December 20, 2019.
1. SectorA Activity Features
A total of three hacking groups, SectorA01, SectorA05 and SectorA07 groups were discovered among SectorA groups this December. SectorA01 group’s hacking activity was found in Italy, Indonesia, Ukraine, United Kingdom, United States, South Korea and China. SectorA05 and SectorA07 group’s hacking activity was found in South Korea.
The SectorA01 group used files disguised as macOS installers (DMG) distributed by cryptocurrency exchange.
The SectorA05 group used an executable (EXE) file disguised using the Hangul file icon. The file was disguised as a document of a government agency.
The SectorA07 group used malware in the form of Hangul document files (HWP) for attacks which included PostScript code.
The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.
2. SectorB Activity Features
A total of nine hacking groups SectorB01, SectorB03, SectorB04, SectorB05, SectorB09, SectorB10, SectorB11, SectorB14 and SectorB22 group were discovered among SectorB groups this December.
SectorB01 group’s hacking activity was found in Japan, Germany, United Kingdom, South Korea, Israel, Thailand, New Zealand, Philippines, Vietnam, Hong Kong, United States, Taiwan and India. SectorB04 group’s hacking activity was found in South Africa, Taiwan, United States, China and Hong Kong. SectorB05 group’s hacking activity was found in Czechia and Cyprus. SectorB09 group’s hacking activity was found in United States and East Asia including Hong Kong, Taiwan, Japan, China and South Korea. SectorB10 group’s hacking activity was found in Japan, United States, Czechia, China and United Kingdom. SectorB11 group’s hacking activity was found in Poland, Canada, Cambodia, Hong Kong and United States. SectorB14 group’s hacking activity was found in Vietnam and China. SectorB22 group’s hacking activity was found in Vietnam, China and Peru.
The SectorB01 group used RTF file containing an exploit. When executing malicious document, an executable file is dropped and executed. The encoded object name contained in the RTF file was “8.t”. This characteristic is often found in RTF files used by the SectorB group.
The SectorB03 group used the method of side loading malicious DLL files from legitimate EXE file. In the past, the group hard-coded the C2 server address inside the DLL files. However, for this hacking activity, the configuration information needed to connect to the C2 server was stored in the registry using Base64 and DES encoding.
The SectorB04 group mainly attacked telecommunications companies. The group attacked the target system by attacking vulnerabilities on web services connected to the internet. After accessing the target system, they installed WebShell and additional malware.
The SectorB05 group used malware to modify the registry to disable the security configuration of browsers installed on infected systems.
The SectorB09 group a used MS Word file with macro scripts as an attachment to a spear phishing email. The group’s hacking method is similar to the past.
The SectorB10 group used spear phishing emails written in Japanese and Chinese sent from a legitimate address. The email contained an executable file disguised as a document file using a document file icon, or a malicious document containing a vulnerability.
The SectorB11 group used spear phishing emails which attached MS Excel files with malicious macros. The macro scripts used “msiexec.exe” to download a VBS script from the attacker server. The C2 server where the VBS scripts were downloaded from was discovered in the hacking activity of the SectorB11 group in the past.
The SectorB14 group used spear phishing emails which attached RTF documents containing exploits as an attachment. Similar to the past hacking activity of the SectorB14 group, their executable malware file is generated by decoding an object within the document file.
The SectorB22 group used spear phishing emails which attached a LNK file disguised as PDF file as an attachment. The group’s hacking activities were conducted targeting specific local interior ministries in Vietnam.
The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.
3. SectorC Activity Features
A total of two hacking groups, SectorC01 and SectorC08, were discovered among SectorC groups this December. SectorC01 group’s hacking activity was found in Germany, Australia, Canada, Peru, Poland, Malaysia, Japan, Mexico, South Africa, Sweden, Singapore, United States and China. SectorC08 group’s hacking activity was found in Netherlands, Russia, Singapore, United States, Italy, Bulgaria, Lithuania, India, Ukraine, Latvia.
The SectorC01 group attempted phishing to steal login credentials from various US international intelligence agencies. The group used an international government department’s email service to disguise the courier service website.
The SectorC08 group used the templates injection technique.
The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located near to the country supporting SectorC.
4. SectorD Activity Features
A total of three hacking groups, SectorD01, SectorD05 and SectorD08, were discovered among SectorD groups this December. SectorD01 group’s hacking activity was found in Mexico, United Kingdom, United States, Saudi Arabia, Taiwan and United Arab Emirates. SectorD05 group’s hacking activity was found in Brazil and Japan. SectorD08 group’s hacking activity was found in South Korea, Brazil, Argentina, France and United States.
The SectorD01 group used C2 server domain “posion-frog.club”.
The SectorD05 group used PowerShell scripts to communicate to specific C2 servers. Malicious code will download an executable file after communicating with the specific C2 server.
The SectorD08 group used “mimikatz”, and “HttpFileServer” was used as a file server.
SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.
5. SectorE Activity Features
A total of one hacking group, SectorE02, was discovered among SectorE groups this December. SectorE02 group’s hacking activity was found in areas including France, China, Thailand, Pakistan, Hong Kong and Greece.
The SectorE02 group used spear phishing emails with attached RTF files written in Greek similar to the hacking activity found in November 2019. The RTF file was created using CVE-2017-11882 vulnerability.
Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.
6. SectorF Activity Features
The SectorF01 group was discovered among the SectorF groups this December. SectorF01 group’s hacking activity was found in areas including China, Malaysia, Ukraine and United Kingdom.
The SectorF01 group mainly used the DLL Side Loading method using executable compressed file, similar to the past. In the compressed file, there was a malicious DLL and an executable file disguised with a MS Word icon.
The SectorF01 group aims to gather high-level information including political, diplomatic and military activities on countries nearby. They also aim to steal advanced technical information to advance their country’s economic development.
7. SectorH Activity Features
The SectorH01 group was discovered among SectorH groups this December. SectorH01 group’s hacking activity was found in areas including Russia, Turkey, Thailand, Mexico, Italy, France, Costa Rica, Bolivia, United States, Brazil, Portugal, Chile, Argentina, Colombia and Spain.
The SectorH01 group mainly conducted attacks targeting the hotel and tourism industries. The group used spear phishing emails with attached malware in the form of document such as MS Word, Excel and PDF.
The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with neighboring continues increase, activities to gather high-level military and political information from them will also continue.
8. SectorP Activity Features
A total of two hacking groups, SectorP01 and SectorP03, were discovered among the SectorP groups this December. The SectorP01 group’s hacking activity was found in areas including United States and China. The SectorP03 group’s hacking activity was found in areas including Russia, United States and Palestine.
The SectorP01 group used phishing websites to distribute malicious APK files for attacking the Android system. The malware aims to collect call logs, SMS, screenshots, contacts and files.
The SectorP03 group used self extracting archives with MS Word program icons. When it executes, it downloads the obfuscated script from the C2 server by using “mshta.exe” and then de-obfuscates it by using PowerShell.
The hacking activity of the SectorP groups were directed against dissidents who oppose political activity by certain governments. The SectorP group aims to gather high-level information including political, diplomatic and military activities of persons or country against their government.
9. Cyber Crime Activity Features
A total of seven cybercrime groups, SectorJ01, SectorJ03, SectorJ04, SectorJ05, SectorJ09, SectorJ10 and SectorJ14, were discovered this December. The SectorJ01 group’s activity was found in areas including United Kingdom, China, Germany, Latvia, Italy, Canada, Qatar, Finland, Argentina, Poland, United States, South Korea, United Arab Emirates, Turkey, Belarus, Thailand, France, Ukraine and Romania. The SectorJ03 group’s activity was found in areas including United States, Japan, Palestine, China, Russia, Bangladesh and India. The SectorJ04 group’s activity was found in areas including Germany, Belarus, Austria, Sri Lanka, United States, India, Philippines, Israel, Russia, Czechia, Pakistan, Bosnia Herzegovina, Serbia, Croatia, Denmark, United Kingdom, Canada, Malaysia, Argentina, France, Sweden, Mexico, South Korea, Spain, Turkey, Ecuador, Ukraine, Brazil, Egypt, Bulgaria, Iran, and New Zealand. The SectorJ05 group’s activity was found in areas including Senegal. The SectorJ09 group’s activity was found in areas including United States, Mexico, Japan, Italy, India, Poland, Peru, Brazil and Norway. The SectorJ10 group’s activity was found in areas including the United States. The SectorJ14 group’s activity was found in areas including Iran, Taiwan, Pakistan, Indonesia, Kazakhstan, Bangladesh, Vietnam, India, Russia, South Korea and Japan.
The SectorJ01 group distributed ransomware in Germany and Italy, and the group distributed newly modified Trojan horse in the United States.
The SectorJ03 group attempted to attack using SFX archives last November, but this December the group used normal RAR compressed files.
The SectorJ04 group used various hacking method such as email, malicious links, PDF while targeting finance departments. And they mainly exploited vulnerabilities of WinRAR CVE-2018-20250, and their malware were signed with a certificate issued by a specific company.
The SectorJ05 group hacked into ATM machines similar to past hacking activity in August 2019.
The SectorJ09 group mainly insert skimming scripts to collect user’s payment information and PII. Skimmers have been found in dozens of online shoe stores.
The SectorJ10 group targeted POS systems.
The SectorJ14 group used various hacking method such as DNS hijacking using South Korea’s router and hacking Android and iOS systems.
The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.