Monthly Threat Actor Group Intelligence Report, May 2020

This is a summary of the activity of suspected state-sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from April 21, 2020 to May 20, 2020.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA05 and SectorA07, were discovered among SectorA groups this May.

SectorA01 group activities have been found in Korea, the United States, Russia, France, Singapore, and Pakistan. The attackers used spear-phishing emails containing malware in the form of MS Word or Hangul (HWP) files. The subjects of the bait documents were defense industry contracts and the recruitment of engineers, and documents written in Korean on the theme of “Korea-US relations” were also found. During this period, Hangul file malware targeting cryptocurrency exchange companies and individuals in Korea was discovered, and Hangul file malware disguised as a job posting by an energy company was also found.

The activities of the SectorA05 group were found in Korea. The attackers used malware disguised as installation and update files for Korean or overseas enterprise antivirus software. The DLL file found this time was also seen in the SectorA05 group's April activity, which used malicious documents disguised as resumes.

SectorA07 group activities have been found in Korea, China, Hong Kong, Vietnam, Germany and France. The attackers used the COVID-19 theme, the same as last month. When the malicious document is run, the macro script creates an executable file and downloads additional malware from the attacker's hard-coded server address.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organizations all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of five hacking groups, SectorB01, SectorB06, SectorB08, SectorB20 and SectorB22, were discovered among SectorB groups this May.

SectorB01 group activity was found in Taiwan. The attackers spread ransomware to gas, oil and energy-related organizations in Taiwan.

SectorB06 group activities have been found in Mongolia, China, Singapore, India and the United States. The attacker used an RTF document exploiting the CVE-2017-11882 vulnerability; the document has a file name written in Mongolian.

SectorB08 group activity was found in Vietnam. The attackers used spear-phishing emails with a malicious document in the form of an MS Excel file disguised as a schedule table. Both the spear-phishing emails and the malicious document were written in Vietnamese, which indicates that this activity was conducted against Vietnamese officials.

SectorB20 group activities have been found in Malaysia, Indonesia, Vietnam, the Philippines, Myanmar, India, Brunei, Belarus, the United States, China and Germany. The attacker used various methods: an RTF file containing a malicious object file, a compressed file containing a normal executable file and a malicious DLL file, or a self-extracting archive file. These are similar to the hacking methods used by other SectorB groups.

SectorB22 group activities have been found in Russia, Hong Kong, Uzbekistan, Kazakhstan, Algeria, Cyprus, the Philippines, Korea, and the United States. The attackers mainly targeted gas, energy, and telecommunications operators, and some attacks against government agencies were also identified.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02 and SectorC08, were discovered among SectorC groups this May.

SectorC01 group activity was found in Korea. The attacker used malware in the MS Word file format, whose embedded macro script decodes a Base64-encoded internal object to generate the malware.

SectorC02 group activities have been found in Malaysia, the United Kingdom, Germany, Italy, the Czech Republic and Russia. The backdoor used in these activities targets the Linux operating system and is a 64-bit ELF file. The malware disguised itself as the Cron program used for scheduling tasks on a Linux server.

SectorC08 group activities have been found in Ukraine, Georgia, Russia, China, Belgium, Germany, Armenia, Belarus and Hungary. The attacker used malicious documents in the MS Word file format that exploited the CVE-2017-0199 or CVE-2017-11882 vulnerabilities. When the document is opened, an MS Word template file is downloaded from a remote location, and the macro script embedded in the downloaded file is executed to drop and execute the malware.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries located near the country supporting SectorC.

4. SectorD Activity Features

A total of four hacking groups, SectorD02, SectorD04, SectorD05 and SectorD12, were discovered among SectorD groups this May.

SectorD02 group activities have been found in Iraq, Ukraine, Canada, Russia and Korea. The attacker attached malware in the form of an MS Excel file containing a macro script to a spear-phishing email. When the macro script included in the document is executed, it drops and executes the legitimate WScript.exe program and a Visual Basic Script file.

SectorD04 group activities have been found in Israel, Pakistan, the United States, France, the Netherlands, Kenya, Taiwan, Chile and South Africa. They mainly carried out hacking activities aimed at collecting information for telecommunications operators. They spread malware mainly through compromised websites and used spear-phishing emails containing links to those websites.

The SectorD05 group sent spear-phishing emails written in connection with the coronavirus (COVID-19) to the World Health Organization (WHO), news media, and think tank organizations. The email contains a malicious link that, when clicked, leads to a page for collecting user email account information.

The activity of the SectorD12 group was found in the Netherlands. During this hacking activity, PowerShell script malware was hosted on Pastebin. It downloads additional malware from the hard-coded attacker server.

SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of two hacking groups, SectorE02 and SectorE04, were discovered among SectorE groups this May.

SectorE02 group activity has been found in Pakistan, Sri Lanka, Lithuania, Hong Kong, India, Germany, the United Kingdom, the United States and Korea.
They used malicious documents in the form of MS Excel files that contain macro scripts; when executed, a window that looks like an error message appears to the user.
Also, as in April, they used APK file malware targeting the Android system, built around various topics such as messengers, system tools, storage, and games.

SectorE04 group activity has been found in Pakistan, Turkey, Israel, Ukraine, Vietnam, the United States, Poland, Germany, the United Kingdom, Russia, China and Korea. The attackers used shortcut files (LNK) disguised as PDF files, RTF files that exploit vulnerabilities, and MS Word files containing macro scripts. This was similar to their hacking activities in April.

Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.

6. SectorF Activity Features

A total of one hacking group, SectorF01, was discovered among SectorF groups this May.

Their hacking activities have been found in China, Singapore, Vietnam, Indonesia, the United States, India, Bangladesh, Malaysia, Myanmar, Korea, Japan, Nepal and Germany.

The attacker used the DLL Side Loading method, which loads a malicious DLL file using a legitimate MS Word program, the same as in the previous hacking activity; the SectorF01 group has maintained this method for a long time. In addition, malware targeting the Android system was discovered, built around a variety of topics.

The SectorF01 group aims to gather high-level information including political, diplomatic and military activities in countries nearby. They also aim to steal advanced technical information to advance their country’s economic development.

7. SectorH Activity Features

A total of two hacking groups, SectorH01 and SectorH03, were discovered among SectorH groups this May.

SectorH01 group activities have been found in France, the United States, Germany, Poland, Korea, Finland, the United Arab Emirates, Romania, Canada, the United Kingdom, Turkey and Italy.
The attackers used spear-phishing emails to attack oil and gas-related industries in countries located in the Middle East, North America, and Europe. Malware in the form of a password-protected MS Word file was attached to the email, and the password was given in the body of the same email.
In addition, malicious documents in the form of PowerPoint (.PPT) files disguised as an analysis report were attached to spear-phishing emails. Macro scripts were embedded in the PowerPoint file, and when executed, the malware hosted on Pastebin is installed on the infected system using PowerShell.

SectorH03 group activities have been found in Pakistan, India, Russia, Ukraine and Hong Kong. The attackers used malware in the form of MS Excel and macro-type files containing macro scripts, and the bait documents used CERT-related content and contract documents as their subjects.

The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with neighboring countries continues to increase, activities to gather high-level military and political information from them will also continue.

8. SectorP Activity Features

A total of one hacking group, SectorP02, was discovered among SectorP groups this May.

SectorP02 group hacking activities were found in Turkey and Austria. The attacker used malware in the form of an Android application (APK) disguised as a VPN or messenger.

The hacking activities of the SectorP group are aimed at cybercrime and at supporting the government that backs SectorP. Diplomatic, political, and religious conflicts continue to exist between the country that backs the SectorP group and its neighboring countries. Their activities are expected to continue targeting advanced information on government, military, and political activities in neighboring countries.

9. Cyber Crime Activity Features

A total of two hacking groups, SectorJ04 and SectorJ09, were discovered among SectorJ groups this May.

The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hack specific companies and organizations, then deploy ransomware on their internal networks or, after stealing important industry secrets, threaten them with demands for monetary payments.

SectorJ04 group activity was discovered in the United States. The attacker maintained the existing method of including malware in the MS Office file format in spam mail, and the malware finally installed on the infected system is similar to that found in the activities of the existing SectorJ04 group.

SectorJ09 group activities have been found in the United States and Russia. They continue to embed obfuscated skimming scripts on their websites and collect user and payment information. In this case, the script was injected into a favicon image.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.