Monthly Threat Actor Group Intelligence Report, April 2022 (ENG)
This report is a summary of Threat Actor group activities analyzed by NSHC ThreatRecon team based on data and information collected from 21 March 2022 to 20 April 2022. In this April, activities by a total of 31 Threat Actor Groups were identified, in which activities by SectorA groups were the most prominent by 24%, followed by SectorC and SectorJ groups.
They carried out the highest number of attacks on workers or systems in government agencies and info-communication industries, and Europe was seen as the continent with the highest number of hacking activities targeted on.
1. Characteristics of SectorA Group Activities
In April 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorA01, SectorA05, SectorA06, SectorA07 groups
SectorA01 group was found to be active in Brazil, Germany, and the United States. The group disguised themselves as hiring managers of a company to send out spear phishing emails targeted on workers of finance, news, and IT industries.
SectorA05 group was found to be active in South Korea, Japan, the United States, China and Austria. The group disguised themselves as workers of media to send out spear phishing emails targeted on North Korean human right organizations and activists.
SectorA06 group was found to be active in England, China, South Korea, the United States and Japan. The group utilized CHM (Compiled HTML File), a Windows help file format in their attacks.
SectorA07 group was found to be active in South Korea, Japan, Canada, and Germany. The group disguised themselves as a specific organization to send out spear phishing emails. The body of the emails consisted of various topics such as ‘guest information’, ‘loans’, ‘reporting tax evasion’, ‘complaints’, ‘contract’, in order to pull the attention of the victims and lead them to execute the MS Word document attached to the mail.
Hacking activities of SectorA hacking groups that continue to date aim to collect advanced information regarding South Korean governmental activities such as political, diplomatic activities, while targeting hacking activities on the whole world to secure financial resources at the same time. This aim for hacking activities has continued over a long period of time and is expected to be carried on without changes for some time.
2. Characteristics of SectorB Group Activities
In April 2022, activities by a total of 5 hacking groups were identified, and the groups were SectorB14, SectorB22, SectorB26, SectorB33 and SectorB50 groups
SectorB14 group was found to be active in South Korea, China, and Singapore. The group utilized Windows LNK files in their attacks, which downloads a PowerShell script from the C2 server and executes them upon successful execution of the files.
SectorB22 group was found to be active in Spain, Thailand, Canada, China, Greece, Vietnam, Mongolia, Hong Kong, Myanmar, Russia, Cyprus, and South Africa. In this activity, the group targeted their attacks on government institutions and workers of research centers in Europe and Southeast Asia.
SectorB26 group was found to be active in South Korea. The group utilized multiplatform malwares to target users of Windows and Mac OS.
SectorB33 group was found to be active in India, France, Tunisia, Pakistan, Singapore, Austria, Netherlands, Canada, Finland, Hong Kong, Korea, United States, Italy, and Spain. The group utilized the Log4Shell vulnerability to launch attacks on systems of companies in the finance, academy, and travel industries.
SectorB50 group was found to be active in Ukraine, Turkey, India, Russia, the Philippines, China, and the United States. In this activity, the group used MS Word documents disguised under topics related to diplomacy and defense such as “OSCE meeting” and “Military”.
Hacking activities of SectorB hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, and is targeted at the whole world.
3. Characteristics of SectorC Group Activities
In April 2022, activities by a total of 6 hacking groups were identified, and the groups were SectorC02, SectorC04, SectorC05, SectorC08, SectorC13 and SectorC15 groups
SectorC02 group was found to be active in Uzbekistan, Indonesia, Mexico, India and Japan. The group used malwares disguised as Android OS process managers to steal information. The Android malware, similar to other Android malwares, contained various functions to steal information from Android based smartphones.
SectorC04 group was found to be active in India, the United Kingdom, the United States, Spain, the Philippines, Austria, Bangladesh, Switzerland, Russia, Italy, France, Greece, China, Australia, Argentina and Germany. The group used the technique of utilizing LNK files incorporated in ISO image files to load malicious DLL files which download and install pentest tools such as Sliver or Cobalt Strike, in order to steal system controls. The ISO malware used in this activity was disguised as an information update document.
SectorC05 group was found to be active in Belgium, Japan, Ukraine and the United States. The group attempted to carry out an attack on energy providing company in Ukraine. In the activity, a wiper with the function to destroy discs on various OS such as Windows, Linux, and Solaris were used.
SectorC08 group was found to be active in Hungary, Rumania, Ukraine, Russia, India, Latvia, Netherlands, Italy, New Zealand, Iran and Turkey. The group used the template injection technique through MS Word format malwares, which installs PE (Portable Executable) format malwares in the target’s system to steal system controls. In this activity, documents in Ukrainian were identified, and MS Word malwares disguised as Ukrainian government documents and Russian military documents were found.
SectorC13 group was found to be active in Moldova and the United States. The group used MS Word documents utilizing template injection, and MS Word documents disguised as the National Defense Committee and MS Excel documents disguised as Securities and Exchange Commission forms were found.
SectorC15 group was found to be active in Rumania, Ukraine, Austria, Netherlands, Russia, and Hong Kong. The group used malwares compiled in GO programming language to collect basic information from computers and serve various functions such as carrying out commands sent from the C2 server or uploading and downloading files. In this activity, they sent out phishing emails with MS Excel format malwares with malicious macros attached to workers of natural gas, bank, and media.
Hacking activities of SectorC hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, targeted at the whole world, including countries near the supporting government’s borders.
4. Characteristics of SectorD Group Activities
In April 2022, activities by a total of 1 hacking groups were identified, and the groups were SectorD05 groups
SectorD05 group was found to be active in the United States. The group took advantage of Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to execute web shells that could upload and download files and use PowerShell commands.
SectorD hacking groups mostly served hacking activities targeted on countries in political conflicts with supported government, and the group is recently seen to be collecting advanced information such as political, diplomatic activities of individuals or governments against the supporting government.
5. Characteristics of SectorE Group Activities
In April 2022, activities by a total of 3 hacking groups were identified, and the groups were SectorE04, SectorE05, SectorE06 groups
SectorE04 group utilized MS Word documents using template injection in their attacks.
SectorE05 group was found to be active in Sri Lanka. The group used CHM file format, a Windows help file format malware in their attacks.
SectorE06 group was found to be active in the United States, Pakistan, Algeria, and Saudi Arabia. The group built a realistic phishing website targeted on Android OS with the aim of disseminating malwares and leading the victims to download and execute them.
Hacking activities of SectorE hacking groups that continue to date are seen to be aiming to collect advanced information regarding such as political, diplomatic, military activities. However, considering that they have expanded their targets to East Asian countries including China and other areas recently, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries have increased.
6. Characteristics of SectorH Group Activities
In April 2022, activities by a total of 1 hacking groups were identified, and the groups were SectorH03 groups
SectorH03 group was found to be active in India, Hong Kong, Sweden, Pakistan and Russia. The group used bait documents under the topics of “mental health survey”, “grenade simulator prototype”, “university assignment” and “photos of military” to avoid user suspicion, which install malwares in the victim’s system to steal information.
Additionally, the group used malwares disguised as Google calendars to steal sensitive information such as phone call history, contacts, SMS messages from the victim’s devices.
Hacking activities of SectorH hacking group consists of cybercrime hacking activities and government supported hacking activities. Diplomatic clashes has been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information regarding Indian government agencies’ military and politics to their need.
7. Characteristics of cybercrime group activities
In April 2022, activities by a total of 9 hacking groups were identified, and the groups were SectorJ04, SectorJ09, SectorJ14, SectorJ22, SectorJ26, SectorJ35, SectorJ45, SectorJ46, SectorJ48 groups
Unlike other government-supported hacking groups, they steal online information of monetary value in the real world or directly hacks specific companies and organizations to distribute ransomware in their internal networks, or steal important industrial confidential information and threaten to demand ransom in return.
SectorJ04 group was found to be active in Israel, Italy, South Korea, Kazakhstan, France, India, United Kingdom, Cuba, Australia, Japan, Czech Republic, United States, Ireland, China, Saudi Arabia. The group used the technique of passing remote control malwares and ransomwares to the victims through a phishing mail, with the purpose of stealing information and money. In this activity, they delivered phishing emails disguised as payment emails with ISO format malwares attached.
SectorJ09 group was found to be active in Turkey, Moldova, Palestine, Rumania, and Denmark. They continued using their hacking technique of inserting obfuscated skimming scripts in websites to collect username, address, email, phone numbers and credit card payment details at the payment page. In this activity, JavaScript malwares with a format similar to those that have been found in the past were identified, and they carried out hacking activities on organizations by using ransomwares.
SectorJ14 group was found to be active in the United States, England, South Korea, Japan, Germany, and France. The group has been using multiple languages to be active on multiplatform since 2018, and they are seen to be carrying out hacking activities with the sole purpose of securing financial resources. In this activity, they distributed Android malwares disguised as post office applications, which steals information in Android based smartphones.
SectorJ22 group was found to be active in Russia, the United States, and Hong Kong. The group sent out delicately written phishing emails targeted on Russian organizations and downloaded and executed malicious JavaScript through backdoor. In this activity, phishing emails disguised as mails related to contracts were used.
SectorJ26 group was found to be active in Ukraine, Ireland, New Zealand, Spain, China, Israel, the United States, China, India, Malaysia, Canada, Hong Kong, England and South Korea. The group disseminated phishing emails disguised as habitat explorations with MS Word format malwares.
SectorJ35 group was found to be active in Austria and Ireland. The group did not use ransomwares, but stole system controls and attempted to leak data with the purpose of securing monetary resources. In this activity, open-source devices such as Metasploit and Impacket were used for data leakage and lateral movements.
SectorJ45 group was found to be active in Japan, the United States, Egypt, England, Singapore, Italy, China, the Philippines, Taiwan, Hong Kong and Russia. The group disguised their malwares as normal programs used by a large population such as Chrome and Telegram to disseminate them. In this activity, they disguised the malwares as WhatsApp and Adobe programs.
SectorJ46 group was found to be active in Argentina, Ukraine, Japan, Belarus, Bulgaria, Chile, the United States, Vietnam, Lithuania, Kenya, Panama, Poland, Turkey, Germany, France, Croatia, Denmark, Israel and Russia. The group sent out phishing emails with the purpose of securing financial resources and disseminated malwares through vulnerable webpages, in order to steal financial information such as cryptocurrency and credit card details. In this activity, they disguised themselves as a government agency to disseminate phishing emails with password-protected compressed files.
SectorJ48 group was found to be active in India, Russia, Australia, Canada, Ukraine, England, the United States, India, Singapore, Germany and China. The group disguised themselves as steel manufacturing company to distribute emails attached with MS Excel documents with malicious macros inserted, and activities targeting a specific government institution using the vulnerabilities of email server related software were also identified.
8. Characteristics of SectorS group activities
In April 2022, activities by a total of 1 hacking groups were identified, and the groups were SectorS01 groups
SectorS01 group was found to be active in Sweden, Brazil, India, Italy, Taiwan, Malaysia, the United Kingdom, Belgium, Tunisia, Germany, France, Mexico, Israel, Colombia, the United States, the Netherlands, Ecuador, Costa Rica, Russia, Iran, and Poland.
The group used documents disguised as “receipts” and “notice of seizure” to install malware in victims’ systems and steal information.
Hacking activities of SectorS group activities to date is to collect advanced information on governmental activities of South American countries such as political, diplomatic, and military activities.
9. Characteristics of SectorT group activities
In April 2022, activities by a total of 1 hacking groups were identified, and the groups were SectorT01 groups
SectorT01 group was found to be active in Ukraine and Poland. The group used malwares disguised as “profile pictures” in this activity, which installed malwares in the victims’ systems to steal information.
It is analyzed that the purpose of the SectorT hacking group’s hacking activities to date is to collect advanced information on government activities of EU countries such as political, diplomatic, and military activities.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.