Monthly Threat Actor Group Intelligence Report, April 2020

This is a summary of the activity of suspected state-sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from March 21, 2020 to April 20, 2020.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA03, SectorA05 and SectorA07, were discovered among SectorA groups this April.

The SectorA01 group's hacking activity was found in South Korea, Japan and Germany. The group used spear phishing emails carrying malware in the form of a Hangul document file (HWP). The document is an official document written to track suspected COVID-19 patients. The name of the local area in the document was changed depending on the target, and the document was distributed to each local government.

The SectorA03 group's hacking activity was found in China. The group used vulnerabilities to take control of servers, targeting specific VPN servers. Its targets are the VPN servers of government agencies in Beijing and Shanghai and of Chinese diplomatic agencies located overseas.

The SectorA05 group's hacking activity was found in South Korea and Hong Kong. The group used malware in the form of an MS Word document file. The documents were themed on general elections and North Korean human rights.

The SectorA07 group's hacking activity was found in China. The group used malicious documents themed on North Korea’s COVID-19 situation, as well as an actual article about North Korea’s COVID-19-themed cybercrime activity. When the document is opened, its built-in macro scripts download additional malware from the attacker's server.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about the political and diplomatic activities of South Korea and to steal money from financial organizations all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of five hacking groups, SectorB02, SectorB09, SectorB20, SectorB22 and SectorB26, were discovered among SectorB groups this April.

The SectorB02 group's hacking activity was found in Hong Kong, Japan and Czechia. The group attacks iOS mobile devices using watering hole attacks or posts containing malicious links.

The SectorB09 group's hacking activity was found in Taiwan and Japan. The group distributed malware that runs on the Linux OS after hacking web servers related to the academic network.

The SectorB20 group's hacking activity was found in Malaysia, India and Germany. The group used executable files disguised as MS Word document files. When the malware is executed, it displays a Word document written in Malaysian and sends system information, such as the username of the infected system, network information and OS information, to the attacker's server.

The SectorB22 group's hacking activity was found in Malaysia, Mongolia, China, United Kingdom, Pakistan and Russia. The group used an RTF file exploiting the same vulnerabilities as in its previous hacking activity. The data found in this hacking activity were identical to those used in the past by several hacking groups supported by SectorB.

The SectorB26 group's hacking activity was found in Tibet, Canada and Netherlands. The group used a watering hole attack to collect information about website visitors. Among the many users visiting the website, those considered targets were made to download a fake Adobe Flash updater program.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC04 and SectorC08, were discovered among SectorC groups this April.

The SectorC01 group's hacking activity was found in Kazakhstan and Azerbaijan. The group used a variant of malware written in the Go language. It also used malware in the form of an MS Excel file disguised as an invoice written in Azerbaijani.

The SectorC04 group's hacking activity was found in United States, Canada, Georgia, Germany, Slovakia and Czechia. The group has targeted the think tank sector in Western countries for a long time using similar malware. The malware collects information about the infected system, uploads and downloads files, and executes remote shell commands.

The SectorC08 group's hacking activity was found in South Korea, Singapore, United Arab Emirates, Philippines, China, Turkey, Australia, United States, Turkmenistan, Cyprus, Netherlands, Georgia, Hungary, Germany, Ukraine, Poland, United Kingdom, Slovakia, Romania and Armenia. The group used spear phishing emails with malicious MS Word or Excel documents attached. They mainly used COVID-19 or Ministry of Foreign Affairs of Ukraine themes. When the malicious document is opened, it uses the Template Injection method, which downloads another “.DOT” file from a server.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries located near the country supporting SectorC.

4. SectorD Activity Features

A total of two hacking groups, SectorD02 and SectorD11, were discovered among SectorD groups this April.

The SectorD02 group's hacking activity was found in Palestine, Jordan, Vietnam, Turkey and Russia. The group used spear phishing emails with an attached MS Word file containing macro scripts. When the macro script is executed, it uses a PowerShell script to collect information about the infected system, such as OS version, internal IP, computer name, domain name and username, and sends it to the attacker's server.

The SectorD11 group's hacking activity was found in Syria and Qatar. As in March, the SectorD11 group used COVID-19-themed Android malware.

SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of two hacking groups, SectorE02 and SectorE04, were discovered among SectorE groups this April.

The SectorE02 group's hacking activity was found in Pakistan, India, Switzerland, Netherlands and United States. The group used Android malware with various themes such as system tools, storage and games.

The SectorE04 group's hacking activity was found in China, United States, Pakistan and Russia. The group used an LNK file disguised as a PDF file. When the file is executed, it downloads an HTA file from the attacker's server. The HTA file executes RAT (Remote Access Trojan) malware and collects information such as user information, device information and network information.

Until now, the hacking activities of the SectorE groups have been intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. Recently, however, they have expanded their activity to East Asia and other regions, including China, as their efforts to obtain high-level information on the politics, diplomacy and technology of other countries have increased.

6. SectorF Activity Features

A total of one hacking group, SectorF01, was discovered among SectorF groups this April.

The SectorF01 group's hacking activity was found in China and Singapore. As in the past, the group continued to use the DLL Side Loading method to load a malicious DLL file through a legitimate MS Word program.

The SectorF01 group aims to gather high-level information including political, diplomatic and military activities in countries nearby. They also aim to steal advanced technical information to advance their country’s economic development.

7. SectorH Activity Features

A total of two hacking groups, SectorH01 and SectorH03, were discovered among SectorH groups this April.

The SectorH01 group's hacking activity was found in Germany, Brazil, Greece, Portugal, Russia, Argentina, Austria, Czechia, United Kingdom, Bulgaria, Romania, Croatia, Cyprus, Italy, Kazakhstan, Serbia, Sweden, Turkey, Moldova, Hong Kong, Netherlands, United States, Colombia, South Korea, Spain, France, Ukraine and Poland.

The SectorH01 group used spear phishing emails with an RTF file attached. The file used the Template Injection method to download an MS Excel file or Word document file containing macro scripts.
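The Template Injection technique described for SectorC08 (Word documents fetching a “.DOT” file) and for SectorH01 (RTF files) leaves a remote template reference inside the file that can be checked statically. The triage check below is an added example, not code from the ThreatRecon report; the function names, the sample documents and the example.invalid URLs are constructed for illustration, and it covers only plain, unobfuscated references.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted samples outside a sandbox

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
# RTF stores the attached template as a {\*\template <target>} destination.
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s+([^}]+)\}")
# Remote means a URL or UNC path; file:///C:/... (a local Normal.dotm) is not remote.
REMOTE = re.compile(r"^(?:https?://|ftp://|\\\\|file://[^/])", re.I)


def remote_templates(data: bytes) -> list:
    """Return the remote template targets referenced by an OOXML or RTF file."""
    targets = []
    if data[:4] == b"PK\x03\x04":  # OOXML package (docx and similar)
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            for name in pkg.namelist():
                if not name.endswith(".rels"):
                    continue
                for rel in ET.fromstring(pkg.read(name)).iter(REL):
                    if (rel.get("Type") == TEMPLATE_TYPE
                            and rel.get("TargetMode") == "External"):
                        targets.append(rel.get("Target", ""))
    elif data.lstrip()[:5] == b"{\\rtf":
        targets = [m.group(1).decode("latin-1").strip()
                   for m in RTF_TEMPLATE.finditer(data)]
    return [t for t in targets if REMOTE.match(t)]


def build_docx(target: str) -> bytes:
    """Constructed sample: a package holding only word/_rels/settings.xml.rels."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
            'relationships"><Relationship Id="rId1" Type="' + TEMPLATE_TYPE +
            '" Target="' + target + '" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples; example.invalid is a reserved, non-resolving domain.
SAMPLE_RTF = b"{\\rtf1\\ansi{\\*\\template http://templates.example.invalid/b.dot}Body}"

if __name__ == "__main__":
    print(remote_templates(build_docx("https://templates.example.invalid/a.dot")))
    print(remote_templates(build_docx("file:///C:/Templates/Normal.dotm")))
    print(remote_templates(SAMPLE_RTF))
```

A document whose attached template is a local path, as Word writes for Normal.dotm, returns an empty list, so a non-empty result is worth an analyst's attention.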

The SectorH03 group's hacking activity was found in Pakistan, Czechia and Russia. The group used malware that drops a remote access trojan and performs information collection functions, such as collecting login information stored in the browser and collecting files.

The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with neighboring countries continues to increase, activities to gather high-level military and political information from them will also continue.

8. Cyber Crime Activity Features

A total of three hacking groups, SectorJ01, SectorJ04 and SectorJ09, were discovered among SectorJ groups this April.

The hacking activities of these groups, unlike those of government-sponsored hacking groups, target valuable online information. They hack specific companies and organizations, then deploy ransomware on their internal networks or, after stealing important industry secrets, threaten them with demands for monetary payment.

The SectorJ01 group's hacking activity was found in United States, Japan, United Kingdom and Ukraine. The group used a BadUSB device disguised as having been sent by a specific US retailer and delivered it to the target along with a gift card. In another of its hacking activities, malware in the form of a VBS file disguised as an invoice document was discovered.

The SectorJ04 group's hacking activity was found in Germany, Belgium, Portugal, United States, United Kingdom, China, India, South Korea, Denmark, Hungary, Hong Kong, Canada, France, Austria, Italy, New Zealand, Romania, Australia, Netherlands, South Africa, Ireland, Morocco, Russia, Qatar, Japan, Vietnam and Norway. The group kept to its method of attaching MS Office-type malware to spam mails, and in this hacking activity files for HTML redirects were also found as attachments. In the final stage, ransomware or a banking Trojan is downloaded onto the infected system.

The SectorJ09 group's hacking activity was found in Germany, United States and Canada. As in the past, the group collects user names, addresses, emails, phone numbers and credit card payment information by inserting obfuscated skimming scripts into websites. Some of the IP addresses found in this activity have also been used to host Android banking Trojans.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.