This is a summarized report on the activities of hacker groups, also known as Threat Actor Groups, for the period from September 21, 2023, to October 20, 2023. The report, entitled “Monthly Threat Actor Group Intelligence Report, October 2023 (JPN)”, is based on data and information gathered by NSHC’s ThreatRecon.
In October this year, activities of a total of 31 hacking groups were identified. The group SectorJ was the most active, accounting for 33% of the activities, followed by the activities of groups SectorA and SectorB.
The hacking activities of a hacking group confirmed in October this year targeted systems of individuals working in government agencies and the financial sector the most. It was identified that the majority of their hacking efforts were directed towards countries located in Europe and East Asia.
1. Distinctive Traits of SectorA Group Operations
By October 2023, the activities of a total of four hacking groups were verified. These groups are known as SectorA01, SectorA02, SectorA05, and SectorA07.
The activities of the group, SectorA01, have been identified in Singapore, India, Poland, and the United Kingdom. This collective operates by masquerading as human resources staff and using social platforms to distribute malware disguised as job-related PDF files. Once the target is enticed to execute these files, the malware collects information and performs various functions, as commanded by the attacker’s server.
The activities of the SectorA02 Group involved using malware in the form of Windows Virtual Links (LNK), masked as reports from the North Korean Supreme People’s Assembly. Ultimately, additional malware was downloaded via PowerShell commands and executed in the memory area.
The activities of the SectorA05 Group have been confirmed in South Korea, Israel, and Ireland. This group attempted to gather account information by using phishing web pages disguised as login pages of South Korean portal sites.
The activities of the group SectorA07 have been verified from South Korea and the United States. This group uses malware in the form of Windows Help files (CHM, Compiled HTML Help) that are disguised as payroll statements. Eventually, they download and execute additional malware through PowerShell commands.
The ongoing operations of the hacking group SectorA appear to be geared towards gathering confidential information related to the government activities, political and diplomatic endeavors involving South Korea. In addition, they are concurrently conducting hacking activities aimed at acquiring financial gain worldwide. The objectives of this group’s hacking pursuits have been consistent over a long period, and it is believed that their strategic hacking goals will continue unaltered for some time.
2. Characteristics of SectorB Group Operations
As of October 2023, a total of seven hacking groups were identified. These groups are known as SectorB01, SectorB08, SectorB21, SectorB22, SectorB80, SectorB82, and SectorB83.
The activities of the SectorB01 group have been confirmed in regions like Hong Kong, Taiwan, Singapore, and the United States. This group is notorious for targeting individuals working in the semiconductor industry in East Asia. They distribute malware with a loader function that executes Cobalt Strike. Their cyber-attacks involve sending commands from a C2 server to the targeted system. These commands can execute various actions like keylogging, screen capture, and extraction of system information.
The activities of the SectorB08 group involve distributing malware that has been equipped with a loader function to execute additional malware through spear-phishing emails. This approach is used to carry out attacks, where the targeted systems execute various commands as per the instructions sent from the C2 server. These commands include keylogging, screen capture, and system information theft.
The operations of the SectorB21 group have been confirmed in countries like India, Thailand, Hong Kong, Taiwan, Kazakhstan, UK, and China. This group has been engaging in offensive activities, distributing various malware apps targeting Android and Apple iOS devices. By executing commands from the C2 server on the target devices, they’ve been extracting confidential information such as device data, SMS messages, call history, and contact details.
The actions of the SectorB22 group have been verified from the United States, Thailand, and Japan. This group targets governments in Southeast Asian countries, employing various open-source tools to conduct offensive operations. They steal confidential documents and information, which are then uploaded to the file hosting service, Dropbox.
The activities of the SectorB80 group have been verified from the United States, Netherlands, and Mongolia. This group targets the foreign affairs departments of the member countries of the Association of Southeast Asian Nations (ASEAN), launching attacks by distributing various backdoor malware. They gather diverse system information from the target systems via commands from their C2 server, and remotely download malware to load additional features.
The actions of the SectorB82 group have been tracked from several countries, including Cyprus, Czech Republic, Taiwan, Hong Kong, United States, Poland, and China. This group has targeted many organizations in Taiwan’s manufacturing, IT, and biomedical sectors, carrying out offensive operations with the goal of gathering information.
The group known as SectorB83 has engaged in malicious activities by exploiting a non-public vulnerability (CVE-2023-22515) in the Atlassian Confluence’s Data Center and Server instance.
The ongoing activities of the SectorB hacking group are believed to be focused on gathering classified information related to government operations such as politics and diplomatic activities, targeting entities worldwide.
3. Unique Aspects of SectorC Group Activities
In October 2023, the activities of a total of three hacking groups were observed. These groups were identified as SectorC01, SectorC04, and SectorC08.
The activities of the group known as SectorC01 have been confirmed in countries such as Portugal, Romania, Israel, and the Czech Republic. This group employs malware disguised as published bibliographic files, exploiting a vulnerability (CVE-2023-38831) in the compression software WinRAR. Ultimately, it has been found that they use a PowerShell script with browser data hijacking and remote control capabilities.
The activity of the group known as SectorC04 has been confirmed in various countries such as the United States, Slovakia, Poland, India, Peru, Switzerland, and the Czech Republic. This group utilized malware disguised as a PDF file notifying about vehicle sales for diplomats. Additionally, they exploited a vulnerability (CVE-2023-38831) in the WinRAR compression software, eventually downloading and executing malware in the PowerShell file format.
The activities of the SectorC08 group have been verified from Ukraine and China. This group tried to steal information using UltraVNC, a remote control tool, by deploying malware disguised as military-related documents.
The ongoing operations of the hacking group SectorC are believed to be aimed at gathering confidential information related to political, diplomatic, and governmental activities from governments worldwide, including those neighboring the government supporting this group.
4. The Unique Operations of the SectorD Group
In October 2023, the activities of two hacking groups were identified. These groups are known as SectorD01 and SectorD02.
The activities of the SectorD01 group have been verified from Russia, the Netherlands, the USA, and Israel. This group uses MS Word malware disguised as vehicle license applications. The malware, once executed, collects user names, computer names, and local domain names and performs various functions dictated by the attacker’s server command.
The actions of the SectorD02 group have been verified from sources in Israel and Australia. This group uses malware disguised as Windows help files (CHM, or Compiled HTML Help) that appear to be HR-related documents. Through PowerShell commands, they download and execute malware in the form of VBS (Visual Basic Script) files.
The hacking collective known as SectorD primarily targets nations embroiled in political disputes. Recently, it’s been speculated that SectorD’s main objective is to gather sensitive information related to the political and diplomatic activities of various countries. They are also known to target individuals who oppose the government backing this group.
5. Identifying the Characteristics of SectorE Group Activities
By October 2023, the activities of three distinct hacking groups were identified. These groups are known as SectorE02, SectorE04, and SectorE05.
The activities of the SectorE02 group have been confirmed from Pakistan. This group has been conducting their attacks by distributing MS Word files disguised as protected documents. They make the target system download additional malware from an external server and execute it, thereby establishing a foothold for future attacks.
The activities of the SectorE04 group were confirmed from Hong Kong. This group carried out its attacks by distributing a disguised version of MS Word, masquerading as a resume update. They then executed various commands on the target system, guided by the commands from their C2 server.
The activities of the group SectorE05 have been confirmed originating from Singapore and Mongolia. This group targets government agencies, conducting offensive operations by sending Spear-Phishing Emails. They download and execute additional malware from external servers onto the target’s systems, thus securing a foothold for future attacks.
The ongoing activities of the hacking group, SectorE, have been analyzed and found to primarily focus on gathering confidential information related to politics, diplomacy, and military activities, which support the governments associated with this group. However, recently, it’s been observed that their operations are expanding into East Asia, including China, and other regions. This expansion seems to be gradually increasing their efforts towards obtaining confidential information related to politics, diplomacy, and technology.
6. Distinctive Features of SectorH Group Activities
In October 2023, it was confirmed that a total of one hacking group was active, known as the SectorH03 group.
The activities of the SectorH03 group have been confirmed in both Pakistan and the United States. This group conducts its offensive operations by distributing MS PowerPoint and MS Word files disguised as protected documents. The group executes various commands such as system information theft, keylogging, and screen capture, which are transmitted from the C2 server to the target system.
The SectorH hacking group is engaged in a dual-purpose operation, focusing both on cybercrimes and hacking efforts supported by a government. What’s particularly intriguing is that this group is believed to maintain its activities aimed at stealing military and political confidential information from neighboring government agencies, primarily due to ongoing diplomatic conflicts with the government supporting this group.
7. Characteristics of Cybercrime Group Activities
In October 2023, the activities of a total of 15 hacking groups were confirmed. These groups were identified as SectorJ03, SectorJ06, SectorJ09, SectorJ12, SectorJ39, SectorJ55, SectorJ64, SectorJ68, SectorJ90, SectorJ94, SectorJ110, SectorJ125, SectorJ127, SectorJ128, and SectorJ130.
Unlike hacking groups that operate under government support, this group carries out its activities differently. They seek to secure financial gains in the real world by stealing valuable information online. After hacking into specific companies or organizations, they distribute ransomware within the internal network. They also engage in blackmail activities, demanding money under the pretext of having stolen critical industrial secrets.
This group stands apart from other hacking groups that operate with the support of other governments. Instead of that, they engage in activities such as stealing online information that could yield financial gains in the real world, hacking into specific companies or organizations to distribute ransomware in their internal networks, or seizing vital industrial secrets to demand money under that pretext.
The activities of the SectorJ03 group have been confirmed from both Palestine and the United States. This group employs malware disguised as the Windows Media Provisioning Plugin. The ultimate malware executed can download and run additional malware, performing various functions by the commands of the attacker’s server. These functions could include keylogging and screen capture, among others.
Activities of the group SectorJ06 have been confirmed from Russia, the United States, and Hong Kong. This group targeted individuals working in the medical field, attempting cyber attacks using RaaS (Ransomware-as-a-Service).
The group known as SectorJ09 targeted a wide array of websites, including those in the food and retail sectors. They tried to insert obfuscated skimming scripts to extract various information from payment pages. This information included usernames, addresses, emails, and credit card payment details.
The Group SectorJ12, based on the domains and IP addresses they’ve previously utilized, has managed to secure additional domains through supplementary analysis. These new domains include ones that start with ‘avast’ and contain ‘debian’ string.
The activities of the group known as SectorJ39 have been confirmed to originate from Azerbaijan. This group utilizes malware disguised as a PDF file related to the conflict between Azerbaijan and Armenia, which is actually an HTML file format. The end game of this malware is to collect system information and transmit it, demonstrating its sophisticated design.
The activities of the Group SectorJ55 have been affirmed from the United States, South Korea, China, Canada, and Iran. This group targets Docker and Redis servers that are accessible from the external internet, utilizing crypto miner malware for the purpose of virtual asset mining.
The activities of the SectorJ64 group have been confirmed from China, Mexico, South Korea, and Peru. Due to security configuration flaws, this group targeted Radis servers that could be accessed from the external internet without authentication. Unauthorized access was attempted using WebShell.
The activities of the group known as SectorJ68 have been confirmed to be originating from France. This group utilizes malware that uses a Cloud-based internet messenger, Telegram’s Bot, as a C2 server. It has capabilities to gather and steal system information.
The activities of the SectorJ90 group have been confirmed in countries such as the United States, Germany, Luxembourg, India, and Ukraine. This group uses malware in the form of Portable Executable (PE) files, disguised as image files related to the day of the Republic of Tatarstan. They collect system information and, if it’s determined that additional attacks are necessary, they distribute more malware with remote control capabilities.
The activities of the SectorJ94 group were confirmed from Australia. This group utilized malware in the form of Windows shortcuts (LNK), disguised as PDF files related to manufacturing technology.
The activities of the group SectorJ110 have been verified from Ukraine, Hong Kong, Germany, and the United Kingdom. This group uses malware disguised as JavaScript files, which are attached to phishing emails as invoices. Ultimately, this malware is designed to download and execute additional malware.
The activities of the group SectorJ125 have been confirmed from the United States. This group sent phishing messages containing WSF (Windows Script File) malware via Microsoft Teams. Eventually, they used malware with a command control feature to seize control of the target system’s permissions.
Activities of the SectorJ127 group have been confirmed to originate from China. This group uses malware disguised as a Red Cross blood donation promotion in an MS Word document. When the target opens the MS Word malware, an encrypted macro is activated internally. The end-result malware, once executed, collects diverse system information and performs various functions as commanded by the attacker’s server.
The activities of the SectorJ128 group have been confirmed in both China and France. This group operates by using PDF files disguised as resumes, which contain download links for compressed files. These compressed files, in turn, contain malware in the form of Windows shortcuts (LNK). The malware then executes more malware in the DLL file format.
Activities of the group SectorJ130 have been identified in the United States, UK, Turkey, Ukraine, Israel, Malaysia, Russia, Poland, Cyprus, Philippines, and Italy. This group has been known for distributing malware through instant messaging platforms like Skype and Microsoft Teams. They’ve been spreading malware in the form of VBS (Visual Basic Script) files and Windows shortcuts (LNK).
The comprehensive analysis, encompassing each occurrence along with IoCs (Indicators of Compromise) and suggestions, can be accessed by current NSHC ThreatRecon clients. For further details, feel free to reach out to [email protected].