Monthly Threat Actor Group Intelligence Report, January 2020

This is a summary of the activity of suspected state-sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from December 21, 2019 to January 20, 2020.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA07, were discovered among SectorA groups this January.

SectorA01 group’s hacking activity was found in the United States, Nigeria, Ukraine, China and Spain. SectorA02 group’s hacking activity was found in South Korea. SectorA05 group’s hacking activity was found in the United States, South Korea and Japan. SectorA07 group’s hacking activity was found in Germany, Russia, France, Japan, Malaysia and South Korea.

The SectorA01 group targeted macOS in this hacking activity.

The SectorA02 group used HWP files, as in their past hacking activity.

The SectorA05 group used a WSF file with a double extension that made it appear to be an image (.jpg). The WSF file was delivered compressed.

The SectorA07 group used an MS Word file with malicious macro scripts as an attachment to a spear phishing email.

The purpose of the hacking activities of the SectorA groups to date has been to collect high-quality information about the political and diplomatic activities of South Korea and to steal money from financial organizations around the world. This purpose has remained the same for a long time and is expected to continue unchanged for the time being.

2. SectorB Activity Features

A total of five hacking groups, SectorB03, SectorB06, SectorB08, SectorB10 and SectorB22, were discovered among SectorB groups this January.

SectorB03 group’s hacking activity was found in the United States. SectorB06 group’s hacking activity was found in China. SectorB08 group’s hacking activity was found in Vietnam, India, Russia and South Korea. SectorB10 group’s hacking activity was found in Japan, India and China. SectorB22 group’s hacking activity was found in China, Hong Kong, the United States, Myanmar, India, Mongolia, the Philippines and Ukraine.

The SectorB03 group used the technique of loading malicious DLLs through legitimate executable files. Recently, they also used a rootkit module targeting Windows 10.

The SectorB06 group used an RTF document containing an OLE object. The document exploits the CVE-2018-0798 vulnerability and creates the usual “8.t” file in the “%TEMP%” directory.

The SectorB08 group used document files similar to those seen in the past. One of these documents, when opened, dropped malware named after a South Korean antivirus vendor. As before, they used a decoding routine that creates and then decodes the “8.t” file.
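Added example (not part of the ThreatRecon report): a small Python triage script that applies two file-name heuristics drawn from the SectorA05 and SectorB06/SectorB08 descriptions above to constructed file-creation events. It flags a script extension hidden behind an image or document extension (the .jpg/.wsf double-extension lure) and the “8.t” artefact appearing under a user’s %TEMP% directory. The event shape, the extension lists, the profile path layout and every sample path are assumptions made for this example; only the double-extension pattern and the “8.t” name come from the report.

```python
"""File-name heuristics for two lures described in the report.

Added example, not ThreatRecon code. Flags:
  * executable/script files hiding behind a double extension, e.g. "photo.jpg.wsf"
  * the "8.t" dropper artefact written to a user's %TEMP% directory
over constructed file-creation events.
"""
import ntpath
import re
from dataclasses import dataclass

# Extensions Windows will run when the file is double-clicked (list is an assumption).
EXECUTABLE_EXTS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta", ".scr",
                   ".exe", ".lnk", ".ps1", ".bat", ".cmd"}
# Extensions commonly borrowed to make a file look harmless (list is an assumption).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".xls", ".xlsx", ".txt"}
# Artefact name shared by the SectorB06 / SectorB08 RTF chains in the report.
KNOWN_DROP_NAMES = {"8.t"}
# Default per-user %TEMP% layout on Windows (assumed; adjust if profiles are relocated).
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp(\\|$)",
                     re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str


def double_extension(name: str):
    """Return (decoy_ext, real_ext) when name looks like 'x.jpg.wsf', else None."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return None
    real = "." + parts[-1]
    decoy = "." + parts[-2]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def check_path(path: str) -> list:
    """Apply both heuristics to one Windows path and return the findings."""
    findings = []
    directory, name = ntpath.split(path)
    hit = double_extension(name)
    if hit:
        findings.append(Finding(path, f"double-extension lure: {hit[0]} decoy hides {hit[1]}"))
    if name.lower() in KNOWN_DROP_NAMES and TEMP_RE.match(directory):
        findings.append(Finding(path, "known dropper artefact in %TEMP%"))
    return findings


def scan_events(events) -> list:
    """events: iterable of dicts with 'action' and 'path' keys (constructed shape)."""
    out = []
    for ev in events:
        if ev.get("action") != "FileCreate":
            continue
        out.extend(check_path(ev["path"]))
    return out


# Constructed sample events; none of these paths are indicators from the report.
SAMPLE_EVENTS = [
    {"action": "FileCreate", "path": r"C:\Users\alice\Downloads\vacation.jpg.wsf"},
    {"action": "FileCreate", "path": r"C:\Users\alice\Downloads\vacation.jpg"},
    {"action": "FileCreate", "path": r"C:\Users\alice\AppData\Local\Temp\8.t"},
    {"action": "FileCreate", "path": r"C:\Program Files\App\8.t"},
    {"action": "FileCreate", "path": r"C:\Users\alice\Downloads\archive.tar.gz"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.path}")
```

The %TEMP% match is deliberately anchored to the default per-user profile layout, so an environment that relocates temp directories needs the pattern adjusted, and a hit on “8.t” alone is a hunt lead to be confirmed against the rest of the host’s activity, not proof of infection.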

The SectorB10 group used spear phishing emails written in Japanese and Chinese and sent from a legitimate address. The emails contained either an executable file disguised as a document by using a document file icon, or a malicious document exploiting a vulnerability.

The SectorB22 group used compressed archives containing a legitimate Word file, an LNK file and malicious DLL files. When the legitimate document is opened, the malware is executed at the same time.

The purpose of the hacking activities of the SectorB groups to date is to collect high-level information such as the political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were discovered among SectorC groups this January.

SectorC01 group’s hacking activity was found in Ukraine and the United States. SectorC08 group’s hacking activity was found in the United States, China, Latvia, India, Germany, Turkey, Russia, Belgium, the Netherlands and Ukraine.

The SectorC01 group conducted hacking activities targeting Ukrainian companies related to US government agencies. They used fake websites disguised as webmail login pages to collect their targets’ account credentials.

The SectorC08 group used spear phishing emails. Template files containing malicious VBS scripts are downloaded from the attacker’s server. When the downloaded template is opened, the embedded VBS script runs and performs malicious actions such as information collection.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as the political and diplomatic activities of countries located near the country supporting SectorC.

4. SectorD Activity Features

A total of two hacking groups, SectorD01 and SectorD02, were discovered among SectorD groups this January.

SectorD01 group’s hacking activity was found in Bahrain, Japan, United Kingdom, Greece, India, Arab Emirates, France, Germany, Brazil and Switzerland. SectorD02 group’s hacking activity was found in Brazil, France, Mexico, Hong Kong, Iraq, Georgia, India and Turkey.

The SectorD01 group used their “Wiper” malware to attack an oil company located in Bahrain. They gained access to the victim’s network and VPN servers through a remote code execution vulnerability in a VPN product, then obtained domain administrator and service accounts. The antivirus management console server was used to distribute the “Wiper” malware to other systems on the network.

The SectorD02 group used spear phishing emails with malware attached in the form of an MS Excel file. The email used a refugee health care theme.

The SectorD groups conducted hacking activities targeting countries related to the political rivals of SectorD. Their purpose is to collect high-level information, such as the political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of two hacking groups, SectorE02 and SectorE04, were discovered among SectorE groups this January.

SectorE02 group’s hacking activity was found in Hong Kong, Arab Emirates, Russia, France, Germany, Pakistan and the United States. SectorE04 group’s hacking activity was found in the Netherlands, Vietnam, Taiwan, Arab Emirates, Russia, Georgia, India, the Maldives, Japan, Pakistan, the United Kingdom, Germany, Singapore, the United States and China.

The SectorE02 group used spear phishing emails with malware attached in the form of an MS Excel file. When the Excel file is opened, its macro scripts run, download additional files from a remote location and register them as a Windows service to maintain persistence.

The SectorE04 group used malicious RTF files exploiting the CVE-2017-11882 vulnerability. The document used an Indian Navy theme as a decoy. Finally, a malicious DLL is loaded through a legitimate program named “rekeywiz.exe”.
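Added example (not part of the ThreatRecon report): Python triage of two constructed Windows event types that the SectorE02 service-persistence chain and the SectorB03/SectorB22/SectorE04 chains of legitimate executables loading malicious DLLs would leave behind. The first is a Service Control Manager event 7045 (service installed) whose binary sits in a user-writable directory; the second is a Sysmon event 7 (image loaded) in which rekeywiz.exe loads a DLL from outside the Windows system directories. Field names follow the Sysmon and System log naming, but the records, paths, service name and DLL name are constructed for this example; only rekeywiz.exe comes from the report.

```python
"""Persistence and DLL-loading heuristics over constructed Windows events.

Added example, not ThreatRecon code. Two checks:
  * System log event 7045: a new service whose executable lives in a
    user-writable directory (downloaded files registered as a service)
  * Sysmon event 7: a legitimate Windows binary named in the report,
    rekeywiz.exe, loading a DLL from outside the Windows system directories
"""
import ntpath
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a service binary here is unusual
# (list is an assumption, extend for your environment).
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\|Windows\\Tasks\\)",
    re.IGNORECASE)
# Where the genuine copies of Windows system DLLs are expected to come from.
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64|WinSxS)\\",
                           re.IGNORECASE)
# Legitimate executables watched as DLL-loading hosts; rekeywiz.exe is the one the
# report names. Add others as local threat intelligence dictates.
WATCHED_HOSTS = {"rekeywiz.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def strip_quotes_and_args(image_path: str) -> str:
    """A service ImagePath may be quoted and carry arguments; keep only the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_service_install(ev: dict):
    """Event 7045: flag a service binary in a user-writable location."""
    path = strip_quotes_and_args(ev["ImagePath"])
    if USER_WRITABLE_RE.match(path):
        return Alert("service from user-writable path", f"{ev['ServiceName']} -> {path}")
    return None


def check_image_load(ev: dict):
    """Sysmon event 7: flag a watched host loading a DLL from a non-system directory."""
    host = ntpath.basename(ev["Image"]).lower()
    loaded = ev["ImageLoaded"]
    if host in WATCHED_HOSTS and not SYSTEM_DIR_RE.match(loaded):
        return Alert("possible malicious DLL load", f"{host} loaded {loaded}")
    return None


def triage(events) -> list:
    """Route each record to the check for its event ID and collect the alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7045:
            alert = check_service_install(ev)
        elif ev["EventID"] == 7:
            alert = check_image_load(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records; service name, DLL name and paths are not from the report.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "UpdateSvc",
     "ImagePath": r'"C:\Users\bob\AppData\Roaming\update\svc.exe" -run'},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\rekeywiz.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rekeywiz.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.detail}")
```

The image-load check keys on the basename of the host process rather than its full path, because a copied rekeywiz.exe sitting next to its DLL in a temp directory is exactly the case worth catching; the cost is that the host allowlist has to be kept to binaries you actually expect to see sideloaded.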

Until now, the hacking activities of the SectorE groups have been intended to gather high-level information, including the political, diplomatic and military activities involving the Pakistani government. Recently, however, they have expanded their activity to East Asia and other regions, including China, as their efforts to obtain high-level information on the politics, diplomacy and technology of other countries have increased.

6. SectorH Activity Features

The SectorH03 group was discovered among SectorH groups this January.

SectorH03 group’s hacking activity was found in India.

The SectorH03 group used an MS Excel file containing macro scripts. When the document is opened, remote control malware is installed on the infected system. In the same period, malware disguised as Opera browser installation files was also found.

The hacking activities of the SectorH groups include hacking for both cybercrime and government-support purposes. As diplomatic friction with neighboring countries continues to increase, activities to gather high-level military and political information from them will also continue.

7. Cyber Crime Activity Features

A total of two cybercrime groups, SectorJ01 and SectorJ09, were discovered this January.

The hacking activities of these groups, unlike those of the government-sponsored hacking groups, target valuable online information. They break into specific companies and organizations and then deploy ransomware on their internal networks, or steal important industry secrets and then threaten the victims to extort monetary payments.

SectorJ01 group’s hacking activity was found in Russia, the United Kingdom and the United States. SectorJ09 group’s hacking activity was found in the United States.

The SectorJ01 group used the technique of loading malicious DLL files through legitimate executable files.

As in their past hacking activity, the SectorJ09 group inserted skimming scripts into websites to collect users’ credit card payment information.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.