Monthly Threat Actor Group Intelligence Report, June 2019
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.
SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
/in Threat Analysis/by ThreatRecon TeamFrom March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence. Spear phishing emails are sent to their victims via Excel XLS files, which asks their victims to enable macros which will end up executing the downloader.
The Growth of SectorF01 Group’s Cyber Espionage Activities
/in Threat Analysis/by ThreatRecon TeamSince 2013, there has been a hacking group receiving support from the national level which conducts cyber espionage campaigns against countries in the South China Sea. We refer to this group as SectorF01. From 2017, their activities have increased significantly. They mainly carry out these campaigns against government agencies and diplomatic, military, and research institutions in neighboring countries, and surveillance activities against opposing forces in their own countries.
Monthly Threat Actor Group Intelligence Report, May 2019
/in Monthly Report/by ThreatRecon TeamThis is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from April 21 to May 20, 2019.
SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine
/in Threat Analysis/by ThreatRecon TeamUnlike other state sponsored threat actors, SectorC08 appears to be only concerned with a single target: Ukraine. Artifacts of their likely activity have been found as far back as 2013 and up till today their modus operandi in their initial stages of operation has not changed much.
Monthly Threat Actor Group Intelligence Report, April 2019
/in Monthly Report/by ThreatRecon TeamThis is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from March 21, 2019 to April 20, 2019.
SectorB06 using Mongolian language in lure document
/in Threat Analysis/by ThreatRecon TeamSectorB06 is a state sponsored threat actor group active especially within Asia. They have been exploiting vulnerabilities in Microsoft Office’s Equation Editor which Microsoft removed in January 2018, which in this case seems to be a highly obfuscated version of CVE-2017-11882. The malware we analyzed in this case are sent seemingly only after they already have a basic foothold in their target organizations.
Threat Actor Group using UAC Bypass Module to run BAT File
/in Threat Analysis/by ThreatRecon TeamOur Threat Recon team continues to collect and analyze activity-related data from multiple APT groups. We analyzed malware used in hacking activities targeting organizations located in South Korea, the US, and East Asia earlier this year.
SectorM04 Targeting Singapore – An Analysis
/in Threat Analysis/by ThreatRecon TeamOn or around June 27, 2018, personal particulars of almost 1.5 million people was exfiltrated from a SingHealth database in Singapore where information on patients was stored. Multiple pieces and types of malware was used in this attack which took place over almost a year. This is our analysis into one of the RATs that was used.
SectorD02 PowerShell Backdoor Analysis
/in Threat Analysis/by ThreatRecon TeamSectorD02 is a state sponsored threat actor group which mainly targets governments and organizations around the Middle East. In this case, the target of this malware was Turkey, although it has been reported that they also sometimes target countries outside of the Middle East. One characteristic of SectorD02 is their incrementally changing PowerShell backdoor.
We came across two of SectorD02’s such backdoors at the end of 2018, and we analyzed these variants then identified them as the group’s PowerShell malware.