Monthly Threat Actor Group Intelligence Report, November 2020
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from October 21, 2020 to November 20, 2020.
1. SectorA Activity Features
A total of two hacking groups, SectorA05 and SectorA07 were discovered among SectorA groups this November.
The activities of the SectorA05 group were found in Korea, Japan, China, Philippines, the United States, the United Kingdom and Russia.
They used malware in the form of MS Word files containing macro scripts, and the Word document was written on the topic of the US presidential election. When executing a document, it communicates with the C2 server through a PowerShell script, downloads and executes the DLL file malware.
The activities of the SectorA07 group were discovered in Korea. In this activity, several domains believed to have been used by the SectorA07 group and the email accounts used to register the domain were discovered. The discovered email accounts were related to email services in Korea and Russia, and some of the discovered domains were used to deliver Android malwares.
The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.
2. SectorB Activity Features
A total of three hacking groups, SectorB01, SectorB09 and SectorB22 groups were discovered among SectorB groups this November.
The activities of the SectorB01 group were discovered in Hong Kong. In this activity, malware variant similar to October was found, and malware have Characteristics that the function names remains unremoved.
The activities of the SectorB09 group were discovered in Taiwan, Japan and Korea. In this activity, a variant of Linux malware known to be used by attackers was discovered, and it has functions such as collecting files, connecting sockets, starting a remote shell, and connecting to a proxy.
The activities of the SectorB22 group were discovered in Japan. They disguised the executable file malware as a normal document using the MS Excel icon, and when the malwares executed, a document written on the subject of the contact list of a specific political party member in Mongolia is displayed on the screen.
The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.
3. SectorC Activity Features
A total of three hacking groups, SectorC01, SectorC03 and SectorC08 were discovered among SectorC groups this November.
The activities of the SectorC01 group were found in Russia, Kazakhstan, Uzbekistan, China, the United Arab Emirates, Hong Kong, France, Italy, Romania and Iran. They continue to use compressed files containing normal documents and, malware known to be used by the SectorC group. The discovered malware was produced in various development languages, and in this case, a normal document using a topic related to NATO was found along with the malware.
The activities of the SectorC03 group were discovered in the United States. In this activity, domains and IPs that are believed to have been used by SectorC03 to conduct phishing attacks against US government agencies and private airlines were identified. The domains found are similar to the domains of legitimated services like Microsoft.
The activities of the SectorC08 group were discovered in Ukraine. They used spear phishing emails with MS Word or Excel malware attached. When the malware is executed, a template injection hacking technique is used that downloads files with the DOT extension from the server.
The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located around the country supporting SectorC.
4. SectorD Activity Features
A total of three hacking groups, SectorD02, SectorD05 and SectorD09 were discovered among SectorD groups this November.
The activities of the SectorD02 group were found in the United Arab Emirates, United Kingdom, Georgia, Azerbaijan, Cambodia, Israel, Afghanistan, Vietnam, Kuwait, Turkey, Iraq, Hong Kong and Germany. In this activity, MS Word malware disguised as a document related to a workshop at a specific university in the United Arab Emirates was discovered. When the document is executed, a VBS (Visual Basic Script) file is created in the Startup folder, and the VBS file collects basic environment information of the infected system and transmits it to the attacker’s server.
In this month, the SectorD05 group carried out an attack against participants of the Think 20 (T20) Summit in Saudi Arabia, and attached a PDF file containing a malicious link to a spear phishing email and delivered it to the target.
The activities of the SectorD09 group were discovered in the United Arab Emirates, France, Hong Kong and Russia. In this activity, MS Word malware containing macro scripts was found, and the body of the document was written in Persian language. When the document is executed, the DLL file encoded through the macro script is dropped, which is executed through rundll32.exe after decoding.
SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.
5. SectorE Activity Features
A total of three hacking groups, SectorE02, SectorE04 and SectorE05 were discovered among SectorE groups this November.
The activities of the SectorE02 group were found in Pakistan, Singapore, the United States, China, Germany and the United Kingdom. They distributed malicious links downloading Android malware using phishing sites, SNS, and messengers. The malwares disguised as chat application or related to Kashmir.
The activities of the SectorE04 group were found in Pakistan, Hong Kong, Hungary, Italy, Russia, China and France. They used RTF files and MS Word files that contain the same vulnerabilities that were discovered in October, and they used DLL Side Loading, which loads malicious DLLs into normal programs when executing documents.
The activities of the SectorE05 group were discovered in China, India and Romania. They used spear phishing email attached an executable compressed file disguised as a document using PDF file icon. When executing malware, modules that send information of the infected system to the attackers server, downloading additional malware or collecting information were downloaded from each different URL.
Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic, and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.
6. SectorF Activity Features
A total of one hacking groups, SectorF01 was discovered among SectorF groups this November.
The activities of the SectorF01 group were found in France, Philippines, the United States, Vietnam, Germany, Cambodia, and Canada. They used executable compressed file which is using the MS Word icon included normal executable files and malicious DLL. They uses DLL Side Loading, an existing hacking method, and displays normal documents on the screen to avoid user suspicion after performing malicious actions such as collecting infected system information. The file name of the malware is written in Cambodian.
The purpose of the hacking activities of the SectorF01 hacking group, which continues to date, is to collect high-level information related to government activities, such as political, diplomatic and military activities of countries close to Vietnam. Also, it is analyzed that hacking activities are carried out for the purpose of hijacking advanced technology information related to advanced technology for the domestic economic development.
7. SectorP Activity Features
A total of one hacking groups, SectorP02 was discovered among SectorP groups this November.
SectorP02 group used Android malware just like its previous activity. It was disguised as a legitimate application using a Google icon.
The hacking activities of the SectorP group include hacking activity for both cybercrime and government support purposes. In particular, as diplomatic, political and religious friction continues with neighboring countries, it is analyzed that activities to steal high-level information related to government, military and political activities of neighboring countries will continue to be carried out in the future, depending on the purpose of hacking activities.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.