Monthly Threat Actor Group Intelligence Report, December 2020
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from November 21, 2020 to December 20, 2020.
1. SectorA Activity Features
A total of five hacking groups SectorA01, SectorA02, SectorA04, SectorA05 and SectorA07 were found in this December.
The activities of the SectorA01 group have been found in South Korea, Russia, Pakistan, Hong Kong, Lithuania, India, the Netherlands, Japan, the United States, Germany, and France. They used malware in the shortcut file format (LNK), and documents written in Japanese, used to avoid user suspicion, were written on topics related to cryptocurrency. In addition, a malware disguised as a cryptocurrency market program was distributed through an Internet community site in South Korea.
The activities of the SectorA02 group were discovered in South Korea and Switzerland. They used the Hangul file malware including the malicious OLE for the attack, and when executed, the data contained in the Hangul file is decrypted and the malware is dropped in the target system.
The activities of the SectorA04 group were discovered in South Korea. They were distributed spear phishing emails containing malicious links to certain government agencies and researchers related to North Korea. The contents of the spear phishing email were the account check notification email of Portal site in South Korea, and the monthly North Korean trend report.
The activities of the SectorA05 group were found in South Korea, the United States, Hong Kong, Canada, and Russia. They used Hangul file containing a postscript or malicious OLE object that in the same way as those used in the past, and it was written about support policy for small businesses due to the COVID-19, or the efficacy of a COVID-19 vaccine. In addition, MS Word malware containing macro scripts written on the subject of US-North Korea relationship was also found. When executed, it communicates with the attacker’s server through a PowerShell script.
The activities of the SectorA07 group have been discovered in South Korea and Thailand. The group used MS Word malware including macro scripts and was written on the topic of the The group used MS Word malware including macro scripts and was written on the topic of the COVID-19 trend in North Korea. In addition, malware targeting the Android environment was also discovered, and the malware was disguised as a messenger, portal, and bitcoin transaction application mainly used in South Korea.
The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.
2. SectorB Activity Features
A total of four hacking groups SectorB03, SectorB06, SectorB08 and SectorB22 were found in this December.
The activities of the SectorB03 group have been found in Mongolia, Hong Kong, Japan, China, Switzerland, the United States, Russia and the Czech Republic. They attached an executable compressed file containing malware to a spear phishing email, and email body was was related to the firmware update.
The activities of the SectorB06 group have been discovered in Mongolia and Russia. They used an RTF file containing the vulnerability, and documents written in Mongolian were disguised written by the Mongolian authorities on the subject of a Armenia-Azerbaijan relationship.
The activities of the SectorB08 group have been found in Mongolia and Canada. They used RTF file malware that contained vulnerabilities, and the document written in Mongolian was written on the subject of Japanese media report contents.
The activities of the SectorB22 group have been found in Taiwan, Ukraine and Myanmar. They used executable compressed file malwares, and when executed, legitimate programs and malicious DLL files are created. The DLL loaded using the DLL Side Loading method loads and executes the encoded malware.
The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.
3. SectorC Activity Features
A total of three hacking groups SectorC01, SectorC08 and SectorC12 were found in this December.
The activities of the SectorC01 group have been found in China, Russia, Germany, Azerbaijan, Kazakhstan, Malaysia and the United States. They used virtual disk file (Virtual Hard Disk, VHD) as in November, which includes malwares using MS Word icons and non-malicious PDF documents. The PDF, written in English, relates to a pharmaceutical company developing a vaccine for COVID-19 in China.
The activities of the SectorC08 group were discovered in Ukraine. They used MS Word malwares that contain vulnerabilities. It also utilizes the same network resources as other hacking activities of SectorC08 recently discovered, and this hacking method has been steadily maintained over the past few months.
The activities of the SectorC12 group have been found in India, Finland, the Czech Republic, Canada, the United States, Australia, the United Kingdom, the Netherlands and Germany. They have conducted supply chain attacks targeting to government agencies, IT, consulting, telecommunications and think tank industries in several countries. The target program is a specific software management program that is widely used by various organizations and businesses, and has performed malicious actions by altering the DLL files used by this program.
The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located around the country supporting SectorC.
4. SectorD Activity Features
A total of five hacking groups SectorD01, SectorD09, SectorD10, SectorD11 and SectorD16 were found in this December.
The activities of the SectorD01 group were discovered in Russia. They used spear phishing emails targeting Russian energy companies, and the login page disguised to collect user credentials was disguised as related to automobile manufacturers, parts suppliers and the IoT(Internet of Things).
The activities of the SectorD09 group were found in China and the Netherlands. They used MS Word malware written in Arabic that containing macro script. When it executed, executable compressed file is dropped and executed through the macro script. The documents found were written about ‘the activities of the Israeli army’.
The activities of the SectorD10 group have been discovered in the United Kingdom, Austria and the United States. They used phishing sites disguised as university libraries and portal pages to collect user information.
The activities of the SectorD11 group have been found in Russia, England, France, Yemen, India, Jordan, Turkey, Kazakhstan, Iraq, Egypt, the United States, Morocco, Tunisia, Israel, Pakistan, UAE, Brazil, Italy, Ukraine and Sri Lanka. They used Android malware that used various topics such as messenger, news media, or disguised as an application used by a specific ethnic group or industry.
The activities of the SectorD16 group have been found in Israel, Switzerland, the United States, the United Kingdom, China, the Netherlands, and Italy. The group carried out supply chain attacks against Israel and spread ransomware. They previously used specific email server vulnerabilities, RDP(Remote Desktop Protocol) vulnerabilities, and VPN (Virtual Private Network) vulnerabilities to access the internal network.
SectorD groups conducted hacking activities targeting countries that are related to the political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.
5. SectorE Activity Features
A total of two hacking groups SectorE02 and SectorE04 were found in this December.
The activities of the SectorE02 group have been discovered in the United Arab Emirates and Russia. Similar to last November, They used Android malware disguised as a chat application, and also MS file malware was found.
The activities of the SectorE04 group have been discovered in Canada. They used RTF files, MS Word files, and shortcut files containing the vulnerability for months. In most cases, it is used to generate JavaScript to download or create a malicious DLL file to be loaded through normal files and DLL Side Loading in the attacker server.
Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic, and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.
6. SectorF Activity Features
A total of one hacking group SectorF01 was found in this December.
The activities of the SectorF01 group are found in the United States, Vietnam, China, United Kingdom, Russia, Japan and Taiwan. They used MS Word documents, it downloads template files from attackers server. Finally, normal MS Word program and malicious DLL files are created in the infected system and executed through DLL side loading.
The purpose of the hacking activities of the SectorF01 hacking group, which continues to date, is to collect high-level information related to government activities, such as political, diplomatic, and military activities of countries close to Vietnam. Also, it is analyzed that hacking activities are carried out for the purpose of hijacking advanced technology information related to advanced technology for the domestic economic development.
7. SectorG Activity Features
A hacking group SectorG01 was found in this December.
The activities of the SectorG01 group have been found in Cyprus, India, the United States, Switzerland, Israel, Myanmar, Sweden, Portugal, Singapore, Canada, Venezuela, the Netherlands, Germany, Brazil, Colombia, Spain and Austria. They targeting various fields such as education, energy, finance, healthcare, and IT, and government departments. They used MS Office file type malware that download template files containing macro scripts from attackers server.
SectorG hacking groups primarily target countries that are politically rivals with the government of Lebanon. Their recent purpose is to collect high-quality information about the politics, diplomacy, and government activities of people or countries who are opposed to the government of Lebanon.
8. SectorH Activity Features
A hacking group SectorH03 was found in this December.
The activities of the SectorH03 group have been found in the United States, India, the Netherlands, Pakistan, Turkey, Ukraine, Iraq, Syria and France. They used MS Excel documents with contents related to the ‘list of people who received commendations from the military units’. The Documents that macro script embedded creates malware on the infected system and collects information.
The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with India continues increase, activities to gather high-level military and political information from them will also continue.
9. SectorL Activity Features
A hacking group SectorL01 was found in this December.
The SectorL01 group uses malware disguised as legitimate software, and uses Watering Hole Attacks or Spear Phishing Emails for initial access. When executed, the malware drops a component to collect the infected system information, and received command using attackers server address which is hard-coded in malware.
The purpose of the SectorL hacking group, which continues to this day, is to collect high-level information about political, diplomatic, and military, government activities of regionally adjacent countries to Turkey. In recent years, as their field of activity appears to be expanding, it appears that the proportion of activities aimed at acquiring advanced information related to politics, diplomacy and technology has increased.
10. SectorP Activity Features
A hacking group SectorP02 was found in this December.
The activities of the SectorP02 group have been found in Italy and Turkey. Same as last activity, They used malware in the Android file format to collect information such as user location and voice recording. Some of the network resources found in this activity have been used steadily in SectorP02 group activities since last April.
The hacking activities of the SectorP group include hacking activity for both cybercrime and government support purposes. As diplomatic, political, and religious friction continues with neighboring countries, it is analyzed that activities to steal high-level information related to government, military and political activities of neighboring countries will continue to be carried out in the future, depending on their purpose.
11. CYBER CRIME ACTIVITY FEATURES
A total of three hacking groups, SectorJ03, SectorJ04 and SectorJ06 were discovered among SectorJ groups this December.
The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.
The activities of the SectorJ03 group have been found in Palestine, England, France, China, United Arab Emirates, Jordan and Italy. The group uses malicious PDF files containing links to download compressed files containing malware from web services such as Google Drive and Dropbox. The malware was disguised as a normal document using the icon of the MS Office document, communicates with the attacker server, and collects infected system information.
The activities of the SectorJ04 group were found in India, Taiwan, the Netherlands, the UK, Sri Lanka, France, South Korea, Italy, Ukraine and Germany. The group maintained the initial access method that attach MS Office file type malware in spam emails. In this activity, a specific ransomware distributed by an attacker was identified, and it is digital signatured using a certificate generated by a e-commerce company.
The activities of the SectorJ06 group have been found in France, Australia, Italy, the United States and Germany. In this case, a number of domains identified to use to distribute ransomware was found. Some of malwares were signed using legitimated certificates.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.