Monthly Threat Actor Group Intelligence Report, May 2023 (ENG)
This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 April 2023 to 20 May 2023. In May, activities by a total of 34 Threat Actor Groups were identified, in which activities by SectorA groups were the most prominent by 23%, followed by SectorC groups.
Threat Actors identified in May carried out the highest number of attacks on workers and systems in government agencies and commercial sectors. Regionally, Europe and North America were seen as the continents with the highest number of hacking activities targeted on.
1. Characteristics of SectorA Group Activities
In May 2023, activities by a total of 5 hacking groups were identified, and the groups were SectorA01, SectorA02, SectorA04, SectorA05 and SectorA06 groups.
SectorA01 group was found to be active in the United States. The group targeted on Windows IIS web servers of vulnerable versions to distribute malware with downloader functions, which could download and execute additional malware.
SectorA02 group was found to be active in South Korea, Australia, Hong Kong, the United States, and India. The group used compressed files containing malware in the form of Windows shortcut (LNK) files. These compressed files were disguised with various topics, including seminars by the Korean Public Administration Society and the North Korean economic crisis, to deceive the targets into executing the malicious code.
SectorA04 group was found to be active in the United States, Germany, and the United Kingdom. The group used malware disguised as Microsoft Defender to carry out their activities.
SectorA05 group was found to be active in South Korea, the United States, Japan, and Italy. The group utilized malware disguised as purchase payment invoices in the form of CHM (Compiled HTML Help) files. This malware had the function of downloading and executing HTA(HTML Application) malware through an internal script.
SectorA06 group was found to be active in Canada. Argentina, Italy, Turkey, United Arab Emirates, Germany, Spain, the United Kingdom, the United States, Japan, and Russia. The group impersonated a Venture Capital company and targeted on users of macOS to distribute malware disguised as a PDF viewer. In the final stage, the malware collected system information and transmitted it to a C2 server, and the group utilized a malware written in the Rust programming language, which had additional command execution capabilities.
Hacking activities of SectorA hacking groups that continue to date aim to collect advanced information regarding South Korean governmental activities such as political, diplomatic activities, while targeting hacking activities on the whole world to secure financial resources at the same time. This aim for hacking activities has continued over a long period of time and is expected to be carried on without changes for some time.
2. Characteristics of SectorB Group Activities
In May 2023, activities by a total of 5 hacking groups were identified, and the groups were SectorB01, SectorB04, SectorB22, SectorB42 and SectorB53 groups.
SectorB01 group was found to be active in Australia, France, and Hong Kong. The group distributed ZIP compressed files containing Windows shortcut (LNK) format malware as part of their attack campaign. Ultimately, they infiltrated the target systems and installed Cobalt Strike, a penetration testing tool, to carry out information exfiltration activities.
SectorB04 group was found to be active in Japan. The group conducted their attack activities targeting hotels and hospitality businesses in Japan. They distributed MS Word documents disguised as content related to the impact of the Russia-Ukraine war on Japan. These documents contained a downloader function that installed malicious code, laying the groundwork for future attacks.
SectorB22 group was found to be active in the United Kingdom, Vietnam, Ukraine, Australia, Myanmar, Thailand, Slovakia, Hungary, and Israel. The group conducted their attack activities by distributing HTML files containing malicious ZIP archives. Ultimately, they installed a remote access Trojan (RAT) known as PlugX on the targeted systems, enabling them to carry out information theft.
SectorB42 group was found to be active in Hong Kong, South Korea, and Lithuania. The group targeted on government and financial institutions and conducted their attack activities by distributing various backdoors, ultimately engaging in information theft.
SectorB53 group was found to be active in Taiwan. The group targeted government agencies, education, logistics, and telecommunications sectors by distributing malware with reverse shell configuration capabilities, engaging in their attack activities.
Hacking activities of SectorB hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, and is targeted at the whole world.
3. Characteristics of SectorC Group Activities
In May 2023, activities by a total of 4 hacking groups were identified, and the groups were SectorC01, SectorC04, SectorC08 and SectorC13 groups.
SectorC01 group was found to be active in Ukraine, Israel, Canada, and Austria. The group utilized phishing sites disguised as portal sites providing news, media, and search engine services with the objective of stealing account information.
SectorC04 group was found to be active in the Dominican Republic. The group utilized compressed files containing DLL-format malicious code and Windows shortcut (LNK) files. They disguised the files as documentation to trick the victims into executing the Windows shortcut (LNK) files, which, upon execution, would run the malicious code in the form of DLL files located in the same path.
SectorC08 group was found to be active in Australia, Ukraine, the United States, Slovenian and Romania. The group utilized compressed files disguised as criminal lawsuit legal documents and attempted to download additional malicious files through Microsoft HTML Application (MSHTA), which allows the execution of HTA (HTML Application) files.
SectorC13 group was found to be active in Russia. The group employed MS Word (Word) malicious code disguised as instructions for evacuation in the event of an attack. If the target executes the MS Word (Word) malicious code, it downloads and executes an MS Word (Word) template containing malicious code through the technique of template injection.
Hacking activities of SectorC hacking groups that continue to date are seen to be aiming to collect advanced information on governmental activities such as political, diplomatic activities, targeted at the whole world, including countries near the supporting government’s borders.
4. Characteristics of SectorD Group Activities
In May 2023, activities by a total of 2 hacking groups were identified, and the groups were SectorD05 and SectorD36 groups.
SectorD05 group was found to be active in Austria, Spain, and Israel. The group utilized ASPX (Active Server Pages Extended) web shells, which are files in the form of web shells with upload, download, and command execution capabilities, to target vulnerable servers.
SectorD36 group was found to be active in Israel. The group distributed compressed files disguised as Iraq-related topics to their targets. They employed malicious code that disguised itself as a folder by changing its icon to match the folder icon, enticing the victim to open it. Ultimately, they utilized PowerShell scripts in the form of malicious code, which possessed various functionalities such as system information gathering and command control.
SectorD hacking groups mostly served hacking activities targeted on countries in political conflicts with supported government, and the group is recently seen to be collecting advanced information such as political, diplomatic activities of individuals or governments against the supporting government.
5. Characteristics of SectorE Group Activities
In May 2023, activities by a total of 5 hacking groups were identified, and the groups were SectorE01, SectorE02, SectorE04, SectorE05 and SectorE06 groups.
SectorE01 group was found to be active in Singapore, Romanian, Canada, and Japan.
The group deployed malicious code disguised as overseas vessel deployment plans to carry out their attack. Ultimately, they installed a botnet malware known as Amadey, which was used to exfiltrate information.
SectorE02 group was found to be active in Nepal, Israel, Australia, the United States, the United Kingdom, Pakistan, Austria, Turkey, and Sri Lanka. The group distributed malicious code disguised as a cybersecurity advisory document in Adobe PDF format to carry out their attack. Ultimately, they installed malware to exfiltrate information.
SectorE04 group was found to be active in Sri Lanka, Pakistan, and Turkey. The group targeted government institutions in South Asia by distributing MS Word documents as part of their attack campaign. Ultimately, they installed malware to establish a foothold for future attacks.
SectorE06 group was found to be active in the United Kingdom, India, Pakistan, and Netherlands. The group distributed malicious Android code disguised as a secure chat application to carry out their attack activities. They engaged in activities to steal sensitive information such as call logs, contacts, SMS messages, and location data.
Hacking activities of SectorE hacking groups that continue to date are seen to be aiming to collect advanced information regarding such as political, diplomatic, military activities. However, considering that they have expanded their targets to East Asian countries including China and other areas recently, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries have increased.
6. Characteristics of SectorH Group Activities
In May 2023, activities by a total of 1 hacking groups were identified, and the groups were SectorH03 groups.
SectorH03 group was found to be active in India, the United States and Japan. The group distributed a ZIP compressed file disguised as “Saudi Delegation” and conducted attack activities to steal information.
Hacking activities of SectorH hacking group consists of cybercrime hacking activities and government supported hacking activities. Diplomatic clashes has been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information regarding Indian government agencies’ military and politics to their need.
7. Characteristics of SectorS Group Activities
In May 2023, activities by a total of 1 hacking groups were identified, and the groups were SectorS01 groups.
SectorS01 group was found to be active in Germany, Ukraine, the United States, Czech Republic, Chile, the United Kingdom, Netherlands, Romanian, Columbia, and Mexico. The group conducted attack activities by distributing spear phishing emails to manufacturing and IT companies, aiming to steal information.
Hacking activities of SectorS group activities to date is to collect advanced information on governmental activities of South American countries such as political, diplomatic, and military activities.
8. Characteristics of Cyber Crime Group Activities
In May 2023, activities by a total of 11 hacking groups were identified, and the groups were SectorJ04, SectorJ05, SectorJ06, SectorJ09, SectorJ64, SectorJ72, SectorJ74, SectorJ110, SectorJ111, SectorJ112 and SectorJ113.
Unlike other government-supported hacking groups, they steal online information that have monetary value in real life, hack specific companies and organizations to disseminate ransomwares in the intranet, or steal important industrial confidential information and demand for ransom in return.
SectorJ04 group was found to be active in the United States, India, Spain, Romanian and Taiwan. The group targeted systems exposed to the PaPerCut vulnerabilities (CVE-2023-27350, CVE-2023-27351) to steal data or distribute ransomware.
SectorJ05 group was found to be active in Malaysia, Sweden. Turkey and the United States. The malicious code used by the group has the capability to download and execute additional
malware, indicating the potential for stealing sensitive information or attempting ransomware attacks in the future.
SectorJ06 group was found to be active in Russia. The group utilized the Gazprom Ransomware to secure financial gains and employed a ransom note containing a text graphic reminiscent of Russian President Vladimir Putin.
SectorJ09 group maintains the traditional hacking method by inserting obfuscated skimming scripts into websites. These scripts collect user information such as usernames, addresses, email addresses, phone numbers, and credit card payment details on payment pages.
SectorJ64 group was found to be active in the United States and India. The SectorJ09 group attempted cryptocurrency mining on servers exposed to the Oracle WebLogic Server vulnerability (CVE-2017-3506).
SectorJ72 group was found to be active in Netherlands, Hong Kong. Indonesia, Canada, Mexico, Armenia, Servia, Hungary, Bolivia, Spain, Tunisia, Ecuador, Malaysia, Italy, Poland, Croatia, Bulgaria, Lithuania, Argentina, and the United States. The group is propagating malware through removable media, and if the target executes the malicious Windows shortcut (LNK) files present on the infected removable media, additional malware is downloaded and executed.
SectorJ74 group was found to be active in Italy, Ireland, Germany, the United States and Finland. The SectorJ09 group used spear phishing emails disguised as reservation details, attaching MS Word (Word) malicious code using the template injection technique to lure the target into executing it. Ultimately, they attempted to collect system information and gain control by using malware with remote control capabilities.
SectorJ110 group was found to be active in Russia, the United States, Spain, and Ukraine. The SectorJ09 group distributed phishing emails by attaching compressed files containing malicious JavaScript files disguised as invoices. Ultimately, they used malware with the ability to download and execute additional malicious code.
SectorJ111 group was found to be active in Saudi Arabia, the United States, Iran, Mexico, Czech Republic, Serbia, Hungary, Bangladesh, Sweden, South Korea, Finland, Vietnam, Canada, India, Chile, Romanian, Algeria, the United Kingdom, Venezuela, Italy, Kenya, Germany, Brazil, Austria, Philippines, Singapore, Qatar, France, Spain, Thailand, Japan, Palestine, Hong Kong, and China. The group distributed malware with the ability to download and execute additional malicious code through a phishing site disguised as a free software provider. If the target executes the malware, they are redirected to a phishing site impersonating Microsoft, where they are prompted to enter their credit card information.
SectorJ112 group was found to be active in the United States, Mexico, Indonesia, Thailand, Russia, North Africa, India, Angola, Philippines, Argentina, and Taiwan. The group utilized Android malware to acquire data for big data utilization and generate revenue through ad execution. They also compromised sensitive information with the intention of selling it to other hacking groups.
SectorJ113 group was found to be active in Dominican Republic, the United Kingdom, Saint Lucia, Israel, Canada, Bosnia Herzegovina, Barbados, Italy, Peru, Netherlands, Belarus, Singapore, Turkey, Costa Rica, Uzbekistan, Venezuela, Taiwan, India, Hong Kong, Egypt, Latvia, France, South Korea, Germany, China, Bahrain, Russia, and the United States. The group employed the use of Babuk Ransomware to secure financial gain. They utilized a double-extortion attack by threatening to disclose the stolen data to increase the likelihood of the victims paying the ransom.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.