Monthly Threat Actor Group Intelligence Report, July 2020

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from June 21, 2020 to July 20, 2020.

1. SectorA Activity Features

A total of two hacking groups, SectorA01 and SectorA05, were discovered among SectorA groups this July.

SectorA01 group hacking activity was found in Singapore, Japan, Austria, France, Russia, Germany, Israel, India, South Korea, Romania, Italy, United States, United Kingdom, Iran and Hong Kong. The SectorA01 group used malware in MS Word file format, which was written under the theme of contract documents and job announcements of certain defense companies and airlines. The Excel files disguised as COVID-19 prediction sites were additional found in this hacking activity. In addition, the attacker stole the reality person’s business card and wrote a spear phishing email, targets to South Korea’s medical sector. Furthermore, malware in the form of Hangul files (HWP) disguised as official documents included malicious Encapsulated PostScript was found, and among them, Some of these was posted on websites related to academic conferences and distributed. Also, malwares disguised as normal programs such as virtual currency wallet programs and web browser update files were found.

SectorA05 group hacking activity was found in South Korea, Hong Kong, Ukraine, China and Japan. They used malware in MS Word file format and Hangul file format. When executed Hangul file, malicious OLE objects included in the file are created the executable file, and then malicious actions are carried out using PowerShell scripts. It used theme a notice on a specific virtual currency exchange in South Korea, which is considered to targeted for users of virtual currency transactions. When MS word file type malware was executed, it downloading and executing PowerShell scripts from the attacker’s server through embedded macro scripts. In this case, the decoy document file was mainly related to the international situation in South Korea.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of three hacking groups SectorB11, Sector22 and SectorB24 group were discovered among SectorB groups this July.

SectorB11 group hacking activity was found in France, Italy and India. The SectorB11 group used malware in the form of MS Excel and Word files which are containing macro scripts, and the document was written in relation to COVID-19 such as “Air passenger COVID-19 test results”.

SectorB22 group hacking activity was found in Hong Kong, United States, Italy, Vietnam, Myanmar, France, South Korea, India, Philippines, United Kingdom, China, Germany, United Arab Emirates and Russia. DLL Side Loading was used in this hacking activity, the compressed files included legitimate programs and malicious DLLs. Finally, to avoid suspicion from users, show documents written in Vatican-related content.

SectorB24 group hacking activity was found in India, Pakistan and Taiwan. In this activity, a Self-extracting file (SFX) file containing the PlugX malware was found, which is disguised as a security program. The malware using DLL side loading method, it perform information collection activities within the infected system, such as collecting network settings, collecting files, checking network drives, and collecting keystrokes.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC04 and SectorC08, were discovered among SectorC groups this July.

SectorC01 group hacking activity was found in United States, Armenia, and Pakistan. The SectorC01 used RAR files written under various filenames, including the file name related to announcements from Poland’s Military Preventive Medical Center. Inside the compressed file were downloader malware used by the SectorC01 group and document files to avoid user suspicion.

SectorC04 group hacking activity was found in United States, Japan, India, Hong Kong, Argentina, Jordan, and China. In this activity, they used previously known malware to attack various organizations around the world, and the COVID-19 vaccine-related research and development groups were also among the targets. They used known vulnerabilities in various devices, including VPN to access infection systems. They also using spear phishing emails for collecting credentials.

SectorC08 group hacking activity was found in United States, Ukraine, Russia, France, and India. They used MS Word type malware which contains vulnerabilities, or shortcut file type malware, just like the previous hacking activity. MS Word type malware was download MS Word Template files hosted remotely on execution, and then run a macro script embedded in the downloaded file to generate and execute malware.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located around the country supporting SectorC.

4. SectorD Activity Features

A total of one hacking group, SectorD02 was discovered among SectorD groups this July.

The SectorD02 group used PDF file icons to utilize malware in the format of executable files disguised as normal documents, and the decoy document files contain content related to sanctions against Iran. When executing malware, it creates legitimated PDF file and malicious executable file and try to communicates with the attacker server.

SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of four hacking groups, SectorE01, SectorE02, SectorE04 and SectorE05, were discovered among SectorE groups this July. SectorE01 group hacking activity was found in France, Germany, Romania, India, Hong Kong, Netherlands, China and United States. They used MS word file type malware containing macro scripts, generating backdoors in the infected system. Backdoor was collects keystrokes, system informations, screen capture, etc and decoy document files was used contents about COVID-19 guidance. In this activity, Android malware in the form of an APK file disguised as a translator app was found. SectorE02 group hacking activity was found in Nepal, Russia, Afghanistan, United Arab Emirates, Japan, Italy, China, Bangladesh, Belgium, Sri Lanka, Turkmenistan, Germany, United States and Pakistan. They used the MS Office and RTF file which are including vulnerabilities. Malicious documents download additional malware in DLL file format from the attacker’s server. SectorE04 group hacking activity was found in Pakistan, Hong Kong, Czechia, Ukraine, China, Singapore, United Kingdom, South Korea and India. They used a shortcut file (LNK) disguised as a PDF file and an RTF file containing the vulnerability. The LNK file downloads the HTA file from the attacker’s server and loads DLL file through the legitimated file to collect user, device and network information. In the RTF file cases it containing vulnerabilities, when it was executed malicious dll file was loaded to legitimated executable files. SectorE05 group hacking activity was found in Brazil, Japan, France, Pakistan, India, Germany, Ukraine, United States, United Kingdom and Taiwan. They used RTF or MS Word file containing the vulnerability, which are downloads Windows Installer (MSI) file and installs malware. Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic, and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.

6. SectorF Activity Features

A total of one hacking groups, SectorF01 was discovered among SectorF groups this July. SectorF01 group hacking activity was found in Vietnam, Germany, Philippines, Russia, United States and Bulgaria. They used RARSfx files with filenames associated with the ASEAN meeting. When malware is executed, legitimated executable loads malicious DLLs, decodes encoded Shellcode files and loads them into memory. The SectorF01 group aims to gather high-level information including political, diplomatic, and military activities in countries nearby. They also aim to steal advanced technical information to advance their country’s economic development.

7. SectorH Activity Features

A total of two hacking groups, SectorH01 and SectorH03, were discovered among SectorH groups this July.

SectorH01 group hacking activity was found in Ukraine, Switzerland, Vietnam and Belgium. They used spear phishing emails and used malicious RTF documents containing vulnerabilities as attachments. The email is written in relation to international courier delivery and is disguised as sent by a specific manufacturer.

SectorH03 group hacking activity was found in India and United Kingdom. They used MS Word files with macro scripts and when it executed, generate and execute Remote Administration Tool(RAT) malware.

The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with India continues increase, activities to gather high-level military and political information from them will also continue.

8. Cyber Crime Activity Features

A total of seven hacking groups, SectorJ01, SectorJ03, SectorJ04, SectorJ09, SectorJ14, SectorJ19 and SectorJ20, were discovered among SectorJ groups this July.

The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.

SectorJ01 group distributed malware through a malicious Shim database. It was installed on the POS system and collected Track1 and Track2 credit card data stored in memory.

SectorJ03 group hacking activity was found in Palestine. They used malware in the executable file format that used the MS Word icon. The filename is written about Hamas, an Islamic resistance movement group, when executes it creates additional malware and collects infection system information.

SectorJ04 group hacking activity was found in China, Poland, United States, United Kingdom, France, Malaysia, Finland, Germany, Chile, Spain, Portugal, Argentina, United Arab Emirates, Serbia, Sweden, Sri Lanka, Lithuania, Italy, Belarus, Pakistan, Seychelles, Switzerland, Taiwan, India, Ukraine, Austria, Romania, Canada, Belgium, Singapore and New Zealand.

They maintained an initial infection method that attached MS Office file type malwares in spam mail. The malware, which is finally installed in the infected system, is a downloader-type malware developed by SectorJ04 Group that distributes additional malwares such as Remote Administration Tool(RAT), Ransomware, and Online Banking Trojan within the system.

SectorJ09 group hacking activity was found in United States, Pakistan, South Africa, Czechia, Ukraine, Indonesia and India. They inserts obfuscated Skimming scripts into the Web site to collect usernames, addresses, e-mails, phone numbers and credit card payment information from the payment page.

SectorJ14 group hacking activity was found in Japan, Netherlands, Switzerland and United States. They produced and distributed APK malwares written under various themes, and a number of malwares disguised as the delivery company’s app were found.

SectorJ19 group hacking activity was found in Italy, Liechtenstein, Canada, Albania and United States. They used a MS Word file with a password set to induce users to click the shortcut file with password related filename. When clicked LNK files, it shows the legitimated document file of related contents of internatinal trade and downloads additional malware from the attacker’s server.

SectorJ20 group hacking activity was found in United States, Bulgaria, Singapore, Albania, Australia, United Arab Emirates, Russia, Latvia, Netherlands, Israel, Cyprus, United Kingdom, Slovakia and Italy. They used spear phishing email included a link to a compressed file (ZIP) hosted on a specific cloud service. The compressed file contains a number of shortcut files disguised as ID cards and credit card images. When executed shortcut files generate JavaScript components contained inside, communicate with the attacker server, and install additional malware.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.