Monthly Threat Actor Group Intelligence Report, December 2021 (ENG)

This is a summary of the activity of suspected state-sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from November 21 to December 20, 2021.

1. SectorA Activity Features

In December 2021, activities of 3 hacking groups were identified: SectorA01, SectorA05, and SectorA06.

SectorA01 group was found to be active in England, Singapore, South Korea, and Spain. The group distributed malware disguised as hiring documents of a specific company and used the template injection method to download templates with malicious functions from external servers.

SectorA05 group was found to be active in South Korea. In this activity, the group distributed spear phishing emails to numerous targets.

SectorA06 group was found to be active in Hong Kong and the USA. In this activity, the group used LNK malware disguised as income statements.

The ongoing hacking activities of SectorA groups aim to collect advanced information regarding South Korean governmental activities, such as political and diplomatic activities, while at the same time targeting the whole world to secure financial resources. This aim has continued over a long period of time and is expected to be carried on without changes for some time.

2. SectorB Activity Features

In December 2021, activities of 5 hacking groups were identified: SectorB03, SectorB09, SectorB22, SectorB35, and SectorB43.

SectorB03 group was found to be active in Hong Kong, Denmark, and the Netherlands. In this activity, the group targeted the medical, financial, electronics and IT industries by using vulnerabilities in enterprise IT operation and service management software.

SectorB09 group was found to be active in China. In this activity, the group used malware in MS Excel document format disguised as weekly work reports.

SectorB22 group was found to be active in Vietnam, Taiwan, Myanmar, and Russia. In this activity, the group distributed malware in zipped format, disguised as library files of a certain design and video editing program.

SectorB35 group was found to be active in the USA. In this activity, the group took advantage of vulnerabilities in a specific software framework to execute malicious code through RCE (Remote Code Execution).

SectorB42 group was found to be active in Mongolia. In this activity, the group used RTF (Rich Text Format) malware that includes equation editor vulnerabilities, themed on featured news.

The ongoing hacking activities of SectorB groups appear to aim at collecting advanced information on governmental activities, such as political and diplomatic activities, and are targeted at the whole world.

3. SectorC Activity Features

In December 2021, activities of 3 hacking groups were identified: SectorC04, SectorC08, and SectorC13.

SectorC04 group was found to be active in India, England, the USA, Belgium, Canada, Sweden, Qatar, New Zealand, Singapore, and France. The group continued using LNK files included in ISO image files to load malicious DLL files, which download penetration testing tools such as Sliver or Cobalt Strike that then take control of the system.

SectorC08 group was found to be active in Ukraine. The group used MS Word document format malware that uses the template injection method to download PE (Portable Executable) malware onto the target's system and take control of the system.

SectorC13 group was found to be active in Ukraine, Hungary, and Serbia. The group used MS Word documents that use the template injection method, and Word documents disguised as a Russian government official's work report were discovered.

The ongoing hacking activities of SectorC groups appear to aim at collecting advanced information on governmental activities, such as political and diplomatic activities, and are targeted at the whole world, including countries near the supporting government's borders.

4. SectorE Activity Features

In December 2021, activities of 4 hacking groups were identified: SectorE01, SectorE02, SectorE04, and SectorE05.

SectorE01 group was found to be active in England. The group used RTF (Rich Text Format) malware that includes .NET Framework vulnerabilities, disguised as an insurance form.

SectorE02 group was found to be active in England, Pakistan, and the USA. In this activity, the group used MS PowerPoint format files for their attacks. Malware built as PowerPoint files has been distributed continuously with the same digital signature since February 2021.

SectorE04 group was found to be active in Japan. In this activity, the group used MS Word files disguised as documents regarding spam filter settings for their attacks. The Word document uses the template injection method to download templates with malicious functions from external servers.

SectorE05 group was found to be active in Pakistan, China, and England. The group distributed CHM (Compiled HTML Help) format malware disguised as official documents of a specific Civil Aviation Commission.

The ongoing hacking activities of SectorE groups appear to aim at collecting advanced information regarding Pakistani governmental activities, such as political, diplomatic, and military activities. However, considering that they have recently expanded their targets to East Asian countries including China and other areas, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries has increased.

5. SectorH Activity Features

In December 2021, activities of 2 hacking groups were identified: SectorH01 and SectorH03.

SectorH01 group was found to be active in Iran, Brazil, Thailand, England, Ecuador, the USA, Israel, Canada, Nigeria, Italy, Indonesia, Russia, Belarus, Lithuania, Ukraine, Hungary, Colombia, India, Uruguay, Ireland, Slovenia, Germany, Mexico, and South Korea. In this activity, the group used phishing emails with various subjects, such as quotation request forms, purchase order forms, payment statements, and reservation cancellation requests, to distribute the malware known as Agent Tesla and steal private information.

SectorH03 group was found to be active in Egypt, Sweden, Mexico, Saudi Arabia, Ukraine, the USA, the Netherlands, Oman, France, Brazil, Russia, Romania, Bangladesh, India, and Pakistan. In this activity, the group used malware disguised as military documents of the Indian National Defence University, a Secretariat memorandum, and leave of absence regulations in order to avoid user suspicion and steal information. They also disguised malware as a YouTube application to target Android users and steal private information from mobile devices.

Hacking activities of SectorH groups consist of cybercrime hacking activities and government-supported hacking activities. Diplomatic clashes have been ongoing between the backing country and its bordering country, India, so it is analyzed that they will continue activities to collect advanced information regarding Indian government agencies' military and politics as needed.

6. SectorL Activity Features

In December 2021, activities of 1 hacking group were identified: SectorL01.

SectorL01 group distributed malware disguised as normal download programs to avoid user suspicion and carry out malicious activities.

The ongoing hacking activities of SectorL groups appear to aim at collecting advanced information regarding governmental activities, such as political, diplomatic, and military activities, in nearby countries. However, considering that they have recently expanded their targets to other areas, the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology is analyzed to have increased.

7. Cyber Crime Activity Features

In December 2021, activities of 8 hacking groups active in online cyberspace were identified: SectorJ01, SectorJ03, SectorJ04, SectorJ06, SectorJ09, SectorJ25, SectorJ26, and SectorJ28.

Unlike the government-supported hacking groups, these groups steal online information that has monetary value in the real world, directly hack specific companies and organizations to distribute ransomware in their internal networks, or steal important industrial confidential information and demand a ransom in return.

SectorJ01 group was found to be active in the Netherlands. The group used MS Word malware disguised as protected files; when the target double-clicks a specific area of the document content, an object downloads the malware and executes it on the system.

SectorJ03 group was found to be active in Palestine, Brazil, and Israel. The group used malware targeted at Android platforms and attempted to steal information such as SMS data, photos and phone call recordings.

SectorJ04 group was found to be active in Hungary, the USA, Greece, India, France, Italy, Canada, Germany, Syria, Croatia, Spain, China, Iraq, the Netherlands, Singapore, Colombia, and England. The group used MS Word document format malware; when the user clicks "Enable Content", an HTA file is dropped and executed by the VBS script, which then executes the IcedID malware in the final stage.

SectorJ06 group was found to be active in Spain, the Netherlands, Switzerland, the USA, India, Sweden, Italy, Germany, France, China, Ukraine, Hong Kong, South Korea, England, the Philippines, Kazakhstan, Russia, Chile, South Africa, Argentina, Hungary, New Zealand, Mexico, and Poland. The group targeted executives of the IKEA organization, sending MS Excel malware by email to distribute ransomware.

SectorJ09 group continued to use obfuscated skimming scripts on their website to collect usernames, addresses, email addresses, phone numbers and credit card data from payment pages. In this activity, the same type of JavaScript malware as previously found was identified.

SectorJ25 group was found to be active in the USA, India, China, Korea, Russia, Vietnam, Australia, Singapore, France, Bangladesh, the Czech Republic, Brazil, Spain, Turkey, Switzerland, Indonesia, Belgium, Romania, Ukraine, the Netherlands, Poland, Japan, Italy, England, Finland, Greece, Hong Kong, Germany, Syria, Bosnia, Sweden, Mexico, Argentina, and Sri Lanka. The group used vulnerabilities in Linux-based systems to distribute the Muhstik and Mirai malware and attempted cryptojacking attacks using the Kinsing malware.

SectorJ26 group was found to be active in Italy, Canada, India, the USA, South Korea, Sweden, Indonesia, Taiwan, Germany, China, Hong Kong, Puerto Rico, Brazil, Singapore, Japan, Chile, Spain, Argentina, Vietnam, the Philippines, Malaysia, Mexico, and Ecuador. The group used MS Word format malware with embedded macros, which create and execute HTA format scripts to install backdoor malware and take control of the system.

SectorJ28 group was found to be active in India, the USA, Switzerland, Italy, England, Spain, South Korea, Germany, Ireland, Austria, and Portugal. The group used vacation-themed phishing emails with attached MS Excel format malware containing macros, which install the Dridex malware on the system to steal data and download ransomware.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.