Monthly Threat Actor Group Intelligence Report, February 2022 (ENG)

This document explains issues related to hacking group activities identified from 21 January 2022 to 20 February 2022 and includes information on related infringement incidents and threat event within ThreatRecon Platform

1. Characteristics of SectorA Group Activities

In February 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorA01, SectorA02, SectorA05 and SectorA06 groups.

SectorA01 group was found to be active in Spain, Mexico, India, Slovenia, and Russia. The group disguised themselves as companies in finance, insurance, and munitions industry to disseminate malware.

SectorA02 group was found to be active in South Korea. The group disseminated HWP malwares regarding social issues related to the national elections.

SectorA05 group was found to be active in South Korea. The group delivered spear phishing emails targeted on workers of public institutions and media.

SectorA06 group was found to be active in Ukraine, Germany, Israel, Australia, Georgia, United States of America, Italy, England, Finland, and Columbia. The group used LNK files disguised as topics such as “income statement”, “Job postings”, “Salary”.

Hacking activities of SectorA hacking groups that continue to date aim to collect advanced information regarding South Korean governmental activities such as political, diplomatic activities, while targeting hacking activities on the whole world to secure financial resources at the same time. This aim for hacking activities has continued over a long period of time and is expected to be carried on without changes for some time.

2. Characteristics of SectorB Group Activities

In February 2022, activities by a total of 3 hacking groups were identified, and the groups were SectorB04, SectorB38 and SectorB43 groups.

SectorB04 group was found to be active in India and the United States. In this activity, the group used DLL side-loading strategy to load malicious DLL in normal programs.

SectorB38 group was found to be active in Vietnam. In this activity, the group utilized MS word format malwares using the template injection method, and the word file contained contents related to Vietnamese socialist communism.

SectorB43 group was found to be active in Russia, the United States and Canada. The group used PE (Portable Executable) format malwares that collects infected system information and use OpenSSL to serve encrypted communication functions.

Hacking activities of SectorB hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, and is targeted at the whole world.

3. Characteristics of SectorC Group Activities

In February 2022, activities by a total of 2 hacking groups were identified, and the groups were SectorC04 and SectorC08 groups.

SectorC04 group was found to be active in China, the United States and Portugal. The group used the technique of loading LNK files included in ISO image files to download penetration test tools such as Sliver or Cobalt Strike, to steal system controls.

SectorC08 group was found to be active in Ukraine, the United States, Germany, Netherlands, Switzerland, Israel, Russia, Iran, England, and Algeria. The group used MS word format malwares utilizing the template injection technique, to install PE (Portable Executable) format malware in the target’s system and steal system controls.

Hacking activities of SectorC hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, targeted at the whole world, including countries near the supporting government’s borders.

4. Characteristics of SectorD Group Activities

In February 2022, activities by a total of 2 hacking groups were identified, and the groups were SectorD02 and SectorD05 groups.

SectorD02 group was found to be active in Israel, Iran, England, Turkey, South Korea, Pakistan, Armenia, Russia, Germany, Sweden, Denmark, Saudi Arabia, France, the United States, and China. The group distributed document type malwares such as MS word and MS excel to workers of a specific government institution, and the PDF format malware contained phishing link that led the victims to click on it.

SectorD05 group was found to be active in Germany, the Netherlands, Iran, the United States, Georgia, France, Turkey, Austria, Greece, South Korea, and Israel. The group used the technique of utilizing Log4j vulnerabilities to penetrate the system and used Reverse Proxy and Reverse Shell to serve additional malicious activities such as system information collection or command controls.

SectorD hacking groups mostly served hacking activities targeted on countries in political conflicts with supported government, and the group is recently seen to be collecting advanced information such as political, diplomatic activities of individuals or governments against the supporting government.

5. Characteristics of SectorE Group Activities

In February 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorE02, SectorE03, SectorE04 and SectorE05 groups.

SectorE02 group was found to be active in Turkmenistan, and Sri Lanka. In this activity, the group used RTF format malware disguised as official documents in their attacks.

SectorE03 group was found to be active in Austria. The group targeted on Android users by using the RAT malware, which was disguised as a chat app to lead the victims to activate the application.

SectorE04 group was found to be active in Indonesia, Pakistan, and England. The group used Windows LNK and RTF (Rich Text Format) malware against workers of government institutions and munitions industry.

SectorE05 group was found to be active in Pakistan, France, and Ukraine. The group used CHM (Compiled HTML File) format files which are help files for their attacks.

Hacking activities of SectorE hacking groups that continue to date are seen to be aiming to collect advanced information regarding such as political, diplomatic, military activities. However, considering that they have expanded their targets to East Asian countries including China and other areas recently, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries have increased.

6. Characteristics of SectorH Group Activities

In February 2022, activities by a total of 2 hacking groups were identified, and the groups were SectorH01 and SectorH03 groups.

SectorH01 group was found to be active in France, South Korea, Germany, and Indonesia. In this activity, the group used phishing emails related to purchase orders for a specific financial group for their attacks, and distributed PowerPoint documents containing malware macros to serve malicious activities.

SectorH03 group was found to be active in Hong Kong, Italy, China, India, the United States, Afghanistan, Belgium, Pakistan. The group used Windows LNK files that executes normal document file under the title of “Content Writing” and “Army-Cyber-Gp-Alt-Feb-2022” which is related to the military, to carry out malicious activities such as keylogging, screenshot, collection of clipboard data in the victim’s system. They also distributed Android malwares disguised as apps such as WhatsApp to steal sensitive information such as call history, contacts, SMS messages, camera recording and voice recording from the victim’s devices

Hacking activities of SectorH hacking group consists of cybercrime hacking activities and government supported hacking activities. Diplomatic clashes has been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information regarding Indian government agencies’ military and politics to their need.

7. Characteristics of cybercrime group activities

In February 2022, activities by a total of 5 hacking groups were identified, and the groups were SectorJ03, SectorJ09, SectorJ14, SectorJ25, SectorJ37 groups.

Unlike other government-supported hacking groups, they steal online information of monetary value in the real world or directly hacks specific companies and organizations to distribute ransomware in their internal networks, or steal important industrial confidential information and threaten to demand ransom in return.

SectorJ03 group was found to be active in Palestine, Israel, the United States, Saudi Arabia, and India. They used malware targeting the Android platform to steal information such as SMS information, photos, and call recordings from the victim.

SectorJ09 group continued to use their hacking method of inserting obfuscated skimming script in website to collect username, address, email, phone number and credit card payment details from the payment page. In this activity, JavaScript malware with a similar format to those that were found in the past were identified.

SectorJ14 group was found to be active in Japan. The group was active since 2018, using multiple languages and on multiplatform, and are identified to be serving hacking activities with the sole purpose of securing financial resources.

SectorJ25 group was found to be active in Vietnam, Russia, South Korea, Italy, the United States, Hong Kong, China, Ireland, and Lithuania. The group launched cryptojacking attacks targeted on Linux based systems, and the malware installed through the downloader script serve various functions such as cryptocurrency mining, scanning, and information collection.

SectorJ37 group was found to be active in Germany, the United States, Thailand, England, Singapore, France, Japan, Sweden, Lithuania, Russia, Greece, South Korea, Turkey, India, Saudi Arabia, Hong Kong, and Vietnam. The group used subjects related to aerospace and travel to serve cyber threat activities against the aerospace, transport, manufacturing, and defense industries. In this activity, they distributed phishing emails including google drive links, which installs RAT malware in the system to collect system information and attempt command and control.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.