Monthly Threat Actor Group Intelligence Report, December 2022 (ENG)

This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 November 2022 to 20 December 2022. In December, activities by a total of 24 Threat Actor Groups were identified, in which activities by SectorA and SectorJ groups were the most prominent by 26% each, followed by SectorC and SectorE groups.

Threat Actors identified in November carried out the highest number of attacks on workers and systems in government agencies and info-communication sectors. Regionally, East Asia and Europe were seen as the continents with the highest number of hacking activities targeted on.

1. Characteristics of SectorA Group Activities

In December 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorA02, SectorA05, SectorA06, SectorA07 groups

SectorA02 group was found to be active in South Korea and Switzerland. The group targeted on workers of news media and NGO (Non-Governmental Organization) to distributed MS Word malwares utilizing the template injection technique. When the malware is executed, it downloads an RTF (Rich Text Format) file for activation, which carries out the function of downloading additional macro-containing OLE (Object Linking and Embedding) objects from the C2 server.

SectorA05 group was found to be active in South Korea and France. The group targeted on workers of media communication and universities to carry out phishing attacks, and they were seen to have led the targets to access a phishing webpage in order to steal their account credentials.

SectorA06 group was found to be active in Poland, the United States and Switzerland. The group used CHM (Compiled HTML Help) files disguised as hiring posts and projects related to a cryptocurrency trade post in their attacks. The CHM malware used in the attack utilized the msiexec (Windows Installer Utility) to download MSI (Microsoft Installer) file from the C2 server and executed it. Afterwards, information of the infected system was collected and system controls were taken over.

SectorA07 group was found to be active in South Korea. The group disseminated MS Word malwares utilizing the template injection technique. When the malware is executed, it downloads a CAB (Windows Cabinet File) from the C2 server for execution.

Hacking activities of SectorA hacking groups that continue to date aim to collect advanced information regarding South Korean governmental activities such as political, diplomatic activities, while targeting hacking activities on the whole world to secure financial resources at the same time. This aim for hacking activities has continued over a long period of time and is expected to be carried on without changes for some time.

2. Characteristics of SectorB Group Activities

In December 2022, activities by a total of 2 hacking groups were identified, and the groups were SectorB03 and SectorB22 groups

SectorB03 group was found to be active in Hong Kong. The group exploited the digital signature of a software development company to disguise malwares as regular files, and the malwares carried out the function of collecting system and file information upon execution.

SectorB22 group was found to be active in Vietnam and Latvia. The group disseminated a RAR compressed file containing a malware, which was disguised under titles related to Hungary. The malware consistently monitors the infected system for collecting information.

Hacking activities of SectorB hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, and is targeted at the whole world.

3. Characteristics of SectorC Group Activities

In December 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorC08, SectorC13, SectorC14, SectorC17 groups

SectorC08 group was found to be active in the United States, Ukraine, Lithuania, Belarus, Romania, France, Georgia, Mexico, Russia, and South Korea. The group used malware disguised as administrative documents of government entities, and attempted to steal information through a remote access tool, UltraVNC.

SectorC13 group was found to be active in Poland. The group used MS Word documents disguised as border crossing inquiry forms in their attacks. When the target executes the document, a malicious URL within the file is accessed for downloading and executing DLL files.

SectorC14 group was found to be active in the United States. The group used phishing websites disguised a national research center in America to attempt credential theft of email accounts.

SectorC17 group was found to be active in Ukraine. The group attempted to disseminate modified Windows installation programs through Torrent.

Hacking activities of SectorC hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, targeted at the whole world, including countries near the supporting government’s borders.

4. Characteristics of SectorD Group Activities

In December 2022, activities by a total of 2 hacking groups were identified, and the groups were SectorD02, SectorD30 groups

SectorD02 group was found to be active in Oman, Poland, Azerbaijan, Arab Emirates, England, Armenia, Israel, Malaysia, Turkey, Tajikistan, Jordan, Iraq, and Egypt. The group used phishing emails containing malwares or malicious links, and attempted information theft by installing a remote access tool in the target’s system.

SectorD30 group stole email credentials to steal emails and information on cloud storages, and used phishing websites disguised as login webpages to steal saved contacts.

SectorD hacking groups mostly served hacking activities targeted on countries in political conflicts with supported government, and the group is recently seen to be collecting advanced information such as political, diplomatic activities of individuals or governments against the supporting government.

5. Characteristics of SectorE Group Activities

In December 2022, activities by a total of 4 hacking groups were identified, and the groups were SectorE02, SectorE04, SectorE05, SectorE06 groups

SectorE02 group was found to be active in Pakistan, India, and Singapore. The group disseminated MS Excel malwares disguised as a spreadsheet for component request forms. When the target executes the file, a malicious macro downloads additional files from the C2 server and executes them.

SectorE04 group was found to be active in Hong Kong, Pakistan, Croatia, and England. The group disseminated MS Word format malwares which were disguised under titles that would interest the targets such as reports provided ton PNWC (Pakistan Navy War College) and Pakistan. When executed, the malware utilizing the template injection technique downloads an additional OLE (Object Linking and Embedding) object containing macros for execution.

SectorE05 group was found to be active in Japan. The group disseminated HTML (Hypertext Markup Language) format malwares which registered itself in the scheduler to maintain persistency in the infected system when executed successfully. Afterwards, it carries out the function of collecting system information and sending them to the C2 server.

SectorE06 group was found to be active in India, Romania, and Germany. The group targeted on users of Android devices to carry out their attacks. The Android malware disguised as apps like Secure VPN and chat applications contained the function of collecting phone call history, contacts, and text messages of the users who downloaded the app.

Hacking activities of SectorE hacking groups that continue to date are seen to be aiming to collect advanced information regarding such as political, diplomatic, military activities. However, considering that they have expanded their targets to East Asian countries including China and other areas recently, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries have increased.

6. Characteristics of SectorH Group Activities

In December 2022, activities by a total of 2 hacking groups were identified, and the groups were SectorH01 and SectorH03 groups

SectorH01 group was found to be active in Sweden and the United States. The group used malicious JavaScript files disseminated in this activity to install FSociety, a pentesting framework tool to steal system information.

SectorH03 group was found to be active in Australia, Spain, Pakistan, India, Netherlands, the United States, Algeria, England, Bangladesh, Libya, Saudi Arabia, Turkey, Italy, Czech Republic, Belarus, Ukraine, Hong Kong, Yemen, Kazakhstan, Poland, Russia and Indonesia. The group targeted on government, institutions and the armed forces to disseminate remote access tools over Android and Windows platforms, to carry out information theft activities.

Hacking activities of SectorH hacking group consists of cybercrime hacking activities and government supported hacking activities. Diplomatic clashes has been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information regarding Indian government agencies’ military and politics to their need.

7. Characteristics of cybercrime group activities

In December 2022, activities by a total of 6 hacking groups were identified, and the groups were SectorJ03, SectorJ05, SectorJ06, SectorJ09, SectorJ56, SectorJ84 groups

Unlike other government-supported hacking groups, they steal online information that have monetary value in real life, hack specific companies and organizations to disseminate ransomwares in the intranet, or steal important industrial confidential information and demand for ransom in return.

SectorJ03 group was found to be active in India, Ecuador, and Germany. The group used Android malware disguised as Android applications for streaming World Cup commentaries, and the malware carried out various malicious functions to steal smartphone information.

SectorJ05 group was found to be active in the United States, Mexico, Pakistan and Brazil. The group used downloader malwares that collected system information of the targets and carried out downloading and execution of additional malwares depending on the command given. In the final stage, the group used the Clop Ransomware to encrypt the system for financial purposes.

SectorJ06 group was found to be active in India, Columbia, China, the United States, Brazil, Germany, Russia, Italy, France, Latvia, Japan, Chile, Bolivia, Romania, Iran, Moldova, Hong Kong, Belarus, Belgium, England, Turkey, Pakistan, Vietnam, New Zealand, Poland, Ukraine, and the Philippines. The group targeted on energy industries to use BlackCat Ransomware for encrypting and stealing data.

SectorJ09 group inserted an obfuscated skimming script in websites to collect information such as username, address, email, phone number and credit card payment details from payment pages.

SectorJ56 group was found to be active in Italy, the United States, France, Canada, England, Germany, India, China, and Spain. The group used malwares disguised as PDF documents of tax invoices, and in the final stage, used backdoor malwares to steal system authorizations.

SectorJ84 group was found to be active in Russia, Hungary, Brazil, Denmark, the United States, Singapore, England, China, Spain, Mexico, Pakistan, Netherlands, the Philippines, Poland, France, Turkey, Italy, Ukraine, Lithuania, Malaysia, Greece, Azerbaijan, Slovenia, Switzerland, Sweden, and Saudi Arabia. The group used YouTube videos and phishing websites to disseminate malwares disguised as cracked versions of paid programs. In the final stage, the malware attempted to steal various information such as credentials of various browsers and cryptocurrency wallet related data from the target.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.