Monthly Threat Actor Group Intelligence Report, June 2020

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21, 2020 to June 20, 2020.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA03, SectorA05 and SectorA07, were discovered among SectorA groups this June.

The SectorA01 group hacking activity was found in South Korea, Germany, China, the United States, Singapore, Austria, France, Russia, Japan, and Taiwan. These group used spear-phishing email, which contained malware in the form of MS Word files. The malicious document downloads and executes a template file from the attacker’s server. This is a hacking method continuously discovered in the recent activities of the SectorA01 group. In addition, an attack was found targeting employees working at financial companies using Hangul (HWP) malware disguised as a document related to real estate investment.

The SectorA03 group hacking activity was found in India, South Korea, China, Singapore, Russia, Japan, Hong Kong, Spain and the United States. These group attached a compressed file containing a legitimated PDF file and an LNK file to a spear phishing email. Malware is dropped when the LNK file is executed, which is registered as a schedule and startup program to maintain persistence. The PDF files contained in the compressed file and the filename found in the hacking activity were related to projects, international exams, resumes and job descriptions.

The SectorA05 group hacking activity was found in France, South Korea, China, The United States, Bangladesh, Belgium, the United Kingdom, Slovakia and Turkmenistan. These group performed hacking activities using various types of malware such as MS Word file format, Hangul file format, and PE file format. MS Word file malware contains macro scripts that attempt to communicate with the attacker server. Hangul file malware contains a postscript to communicate with the attacker server by calling the encoded shellcode. The decoy document found in the hacking activity was written on a topic related to drones. Malware disguised as a famous security program has also been discovered in their activities.

The SectorA07 group hacking activity was found in South Korea, Russia, China and Hong Kong. These group used malware in the form of MS Word files containing macro scripts and Hangul files including post scripts. MS Word file is disguised as documents written by a specific organization dealing with international issues related to nuclear issues. When decoy document executed, it communicates with the attacker’s server to additionally download a CAB format file. The Hangul file malware used a file name related to academic competitions and selection evaluation inquiries and downloads CAB files that include Visual Basic scripts and batch files during execution.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal foreign currency from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of six hacking groups SectorB04, SectorB05, SectorB07, SectorB14, SectorB22 and SectorB25 group were discovered among SectorB groups this June.

SectorB04 group activities was found in Japan and United Arab Emirates. The group attached a malware in MS Word file format, which was written on a topic about the Japanese Foreign Ministry to the spear phishing e-mail.

SectorB05 group activities was found in Chile. A total of three types of malware found in the activity connect to the same attacker server to upload and download files and execute shell commands. This is a function that was also found in the past malware of the SectorB05 group, it has considered malware variant was found in this hacking activity.

SectorB07 group activities was found in Malaysia, Egypt and the United States. They attached MS Word malware disguised as content related to the political situation in Malaysia to spear phishing emails.

SectorB14 group activities was found in Australia and Germany. In this case they was targeting government ministries or businesses in Australia. They used a variety initial infection methods. And, they identify the internal infrastructure used by the target ministries or company, they exploited the vunlerability already disclosed. If the attack target’s infrastructure information was not obtained, a spear phishing email containing a malicious link or document was used.

SectorB22 group activities was found in Vietnam, China, Japan, Hong Kong, Taiwan, Pakistan, the United States, Italy, Austria and Canada. Three types of attacks have been found in this activity. In the first type, the attacker attached malware in MS Word file format disguised as a resume to the spear phishing email. In the second type, the DLL side loading method was used. It contains the legitimate Winword.exe and malicious DLL files inside the compressed file, and the malicious DLL file is loaded when the victim execute the EXE file. Finally, a normal document is executed to avoid user suspicion, which is written in relation to the Hong Kong Security Law. In the third type, decoy documents were found targeting Vietnam, which contained malicious objects inside, the same as those found in other groups of SectorB.

SectorB25 group activities was found in Russia and India. The group attached Rich Text Format(RTF) malware disguised as application form to a spear phishing email. When the attachment is executed, it attempts to communicate with the attacker server disguised as a domain related to MS Office through the CVE-2017-11882 vulnerability and downloads additional malware.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC05 and SectorC08, were discovered among SectorC groups this June.

SectorC01 group activity was found in Armenia, China and Pakistan. In this activity, a variant of the downloader written in Delphi language used by the SectorC01 group was found.

SectorC05 group activity was found in the United Kingdom. The group exploited vulnerabilities in certain Mail-Transfer Agent(MTA) software, and in this activity the shell scripts executed by attackers on infected systems was found.

SectorC08 group activity was found in Ukraine, Netherlands, Germany, Russia and the United States. They used a malicious document in the MS Word file format and the same CVE-2017-0199 and CVE-2017-11882 vulnerability was used as found the previous hacking activities of the SectorC08 group. When executing the document, it downloads the MS Word Template file hosted from the attacker server, and executes the macro script embedded in the downloaded file to drop and execute malware. In addition, malwares in the shortcut (LNK) file format were found, which used the names of files related to international terrorist measures.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located near to the country supporting SectorC.

4. SectorD Activity Features

A total of one hacking group, SectorD02 was discovered among SectorD groups this June.

SectorD02 group activities was found in France, Canada, Afghanistan, The United States, Bulgaria, Turkey and Iraq. The group used malware written on the topic that included the Corona virus(COVID-19), cyberattacks, research seminar attendance notices, and UN relief agencies for Palestinian refugees, and the malware was disguised as normal documents using PDF file icons.

SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of three hacking groups, SectorE01, SectorE02 and SectorE04, were discovered among SectorE groups this June.

SectorE01 group activity was found in Netherlands, France, The United States and Russia. They used malware in the MS Word file format including EPS (Encapsulated PostScript), and when the document is executed, it creates a backdoor using the CVE-2017-0261 vulnerability. Backdoors perform various functions such as collecting keystrokes, system information, screen capture, and so on. The Word Document file contains articles on the National Cyber Accident Response Plan (NCIRP) in China and Pakistan.

SectorE02 group activity was found in Bangladesh, Sri Lanka, Japan, Russia and Germany. They used Microsoft Office files containing vulnerabilities or macro scripts, or malware in RTF file format. Decoy documents used file names which is related to “incident report”, and when it executed, malware in the form of DLL files are additionally downloaded from the attacker’s server.

SectorE04 group activity was found inIndia, Czech Republic, Pakistan, South Korea, Israel, Ukraine, the United States and United Kingdom. They used shortcut files disguised as PDF files and RTF files containing vulnerabilities. This is a similar attack method that was discovered in May 2020. The LNK file downloads HTA files from the attacker’s server and DLL file that run as a Remote Access Trojan was loaded through legitimated file for collects user, device, and network information. Finally, to avoid suspicion from users, PDF files related to the Asian Football Federation (AFC) are displayed on the screen.

Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.

6. SectorH Activity Features

A total of one hacking groups, SectorH01 was discovered among SectorH groups this June.

SectorH01 group activities was found in Taiwan, Serbia, Germany, Hungary, Argentina, France, Czech Republic, Singapore, Russia, New Zealand, Austria, India, United Kingdom, Brazil, the Netherlands, China, South Korea, Slovenia, the United States and Italy.

They using spear phishing emails that attached the PowerPoint files malware containing macro scripts. The discovered spear phishing emails disguised as instructions for Corona virus sent by Taiwan’s Ministry of Health, and the emails included photos and business cards of people considered real doctors.

The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with neighboring continues increase, activities to gather high-level military and political information from them will also continue.

7. Cyber Crime Activity Features

A total of five hacking groups, SectorJ01, SectorJ03, SectorJ04, SectorJ14 and SectorJ19 were discovered among SectorJ groups this June.

The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.

SectorJ01 group activity was found in United Arab Emirates, Italy, Germany, Poland, Turkey, the United States, Romania, China, Bulgaria, Greece, Russia and Japan. The group included malicious documents in the form of MS Excel files in the spear phishing mail, It has the file name “Request a quote”, it written in Italian or English.
Inside the Excel file, which seems to be empty, there is a hidden sheet and that sheet contains a macro script that assembles and executes command values distributed in multiple cells.In their hacking activities, ransomware attacks against Japanese-based automakers were discovered, and attacks against energy companies in Argentina were also discovered.

SectorJ03 group activity was found in Jordan and Italy. The group uses malware in MS Word file format that contains macro scripts to generate Visual Basic Scripts on the infected system. Downloads and executes MSI files through hardcoded URLs within the script generated, which finally installs backdoors for collecting information within the infected system.

SectorJ04 group activity was found in Hong Kong, Canada, New Zealand, Ukraine, Russia, Romania, Poland, Singapore, Switzerland, India, Italy, Hungary, Norway, Austria, Germany, Turkey, Slovenia, Brazil, United Kingdom, the Philippines, Greece, the Netherlands, the United States, Israel, Belgium, Ireland, Japan, France, Czech Republic, India, Italy and Canada. The group maintained the existing method of including malware in the MS Office file format in spam mail, and the malware finally installed on the infected system is similar to that found in the activities of the existing SectorJ04 group.

SectorJ14 group activity was found in Japan, China and The United States. In this hacking activity, the group distributed APK file malware written under various themes, and malware disguised as applications of logistics service companies located in Asian countries such as Japan were found in March 2020.

SectorJ19 group activity was found in India, the United States, Japan, Switzerland, Hong Kong, Russia and Estonia. The group used a shortcut file disguised as PDF, it uses “mshta.exe” to download the Visual Basic Script from the attacker’s web server. The script checks if Antivirus software is installed and uses Windows Management Instrumentation(WMI) to collect information about the environment within the infected system and send it to the attacker’s server.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.