This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from March 21, 2019 to April 20, 2019.
SectorB06 is a state sponsored threat actor group active especially within Asia. They have been exploiting vulnerabilities in Microsoft Office’s Equation Editor which Microsoft removed in January 2018, which in this case seems to be a highly obfuscated version of CVE-2017-11882. The malware we analyzed in this case are sent seemingly only after they already have a basic foothold in their target organizations.
Our Threat Recon team continues to collect and analyze activity-related data from multiple APT groups. We analyzed malware used in hacking activities targeting organizations located in South Korea, the US, and East Asia earlier this year.
On or around June 27, 2018, personal particulars of almost 1.5 million people was exfiltrated from a SingHealth database in Singapore where information on patients was stored. Multiple pieces and types of malware was used in this attack which took place over almost a year. This is our analysis into one of the RATs that was used.
SectorD02 is a state sponsored threat actor group which mainly targets governments and organizations around the Middle East. In this case, the target of this malware was Turkey, although it has been reported that they also sometimes target countries outside of the Middle East. One characteristic of SectorD02 is their incrementally changing PowerShell backdoor.
We came across two of SectorD02’s such backdoors at the end of 2018, and we analyzed these variants then identified them as the group’s PowerShell malware.
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from December 21, 2018 to January 20, 2019.
In early January 2019, an email containing malware was distributed to 77 reporters from the Unification Ministry of South Korea. We analysed these malware and identified them as malware used by SectorA05, and we confirm that they have been using a specific C2 server located in Korea for at least 26 months continuously. We decided to group these wave of attacks under what we call “Operation Kitty Phishing”.
This is an analysis of a custom proxy utility tool used by SectorA01 in attacks on financial organizations globally over the years.
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the Threat Recon Team, based on data and information collected from November 21 to December 20, 2018.
This post introduces the blog of the NSHC Threat Recon Team.