In the first quarter of 2024, Advanced Persistent Threat (APT) groups from diverse global regions, including China, North Korea, Iran, and Russia, demonstrated a surge in dynamic and innovative cyber activities, posing significant challenges to the global cybersecurity landscape.
Starting with Iran, groups like ‘Homeland Justice’ and ‘Mint Sandstorm’ escalated their espionage efforts by targeting governmental and academic institutions across the West and Middle East, with sophisticated phishing and novel malware, including MediaPI and MischiefTut. Additionally, ‘Charming Kitten’ advanced its social engineering tactics through a counterfeit webinar platform, and the Tortoiseshell group intensified its focus on the aerospace and defense sectors in the Middle East, illustrating a broad and strategic enhancement of Iran’s cyber capabilities.
Moving to Russia, state-sponsored actors such as APT29 accessed high-value targets, including Microsoft, compromising corporate emails and source code repositories. This group also shifted focus towards European political arenas amidst regional tensions, targeting German political parties with the newly developed WINELOADER backdoor. Meanwhile, the Gamaredon Group maintained its sophisticated attacks against the Ukrainian military, and APT28 leveraged vulnerabilities in Ubiquiti EdgeRouters to create extensive botnets, demonstrating Russia’s adaptability and strategic depth in cyber operations.
Chinese groups like Earth Lusca, Evasive Panda, and Earth Krahang highlighted a sophisticated approach to cyber espionage. Earth Lusca leveraged geopolitical tensions with Taiwan through targeted spear-phishing campaigns; Evasive Panda exploited the Tibetan diaspora during the Monlam Festival with trojanized software, and Earth Krahang conducted comprehensive attacks on global government entities. These operations exploited vulnerabilities and leveraged compromised systems for extensive intelligence gathering, underscoring the strategic and aggressive pursuit of intelligence by Chinese state-sponsored actors.
Lastly, North Korean groups – notably Kimsuky and Lazarus Group – significantly advanced their espionage tactics. Kimsuky expanded its reach across the APAC region using sophisticated malware deployment techniques to maintain covert access along with creating supply chain attack opportunities using PyPI software repositories. Simultaneously, Lazarus Group exploited a new Windows kernel vulnerability to enhance their FudModule rootkit, facilitating deep system manipulation and evading advanced security measures.
This report provides a comprehensive analysis of the dynamic APT activities observed in Q1 2024, highlighting the imperative for ongoing vigilance, user education, and prompt software updates in the ever-evolving cybersecurity landscape.
Targeted Country
Targeted Technology
Targeted Industries
In the first quarter of 2024, the Iranian-associated hacking collective, Homeland Justice, acknowledged conducting a cyber assault on Albania’s Institute of Statistics (INSTAT). This offensive led to significant disruptions of INSTAT’s website and email functionalities, compelling a delay in the publication of crucial official statistics. Homeland Justice claimed it had infiltrated the institute’s digital repositories, purportedly exfiltrating more than 100TB of sensitive data, encompassing geographical and demographic details. However, the authenticity of this assertion has not been confirmed. Despite these alarming developments, INSTAT confirmed that the recent census data remained secure. This attack on Albania may have been in retaliation for the nation providing refuge to members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, within its borders.
T1190: Exploit Public-Facing App, T1505.003: Server Software Component: Web Shell, T1021.001: Remote Services: Remote Desktop Protocol, T1078.001: Valid Accounts: Default Accounts, T1210: Exploitation of Remote Services, T1021: Remote Services, T1071.004: Application Layer Protocol: DNS, T1021.006: Remote Services: Windows Remote Management, T1003.001: OS Credential Dumping: LSASS Memory, T1486: Data Encrypted for Impact, T1564.001: Hide Artifacts: Hidden Files and Directories
In early 2024, an Iranian-associated threat group, known for executing sophisticated espionage campaigns targeting a diverse array of organizations, shifted its focus towards research entities and academic institutions specializing in Middle Eastern affairs. This group, identified as Mint Sandstorm and linked to Iran’s Islamic Revolutionary Guard Corps, launched attacks across several countries including the United States, the UK, Gaza, and Israel, among others, introducing a novel custom backdoor dubbed MediaPI. This campaign employed phishing tactics alongside their proprietary backdoor to infiltrate systems. In some instances, victims were baited with a VBS file used by Mint Sandstorm to maintain access to the infiltrated systems. The attackers utilized two distinct backdoors: MediaPI, ingeniously masqueraded as Windows Media Player, and MischiefTut, a PowerShell backdoor capable of data exfiltration and downloading additional malicious tools. Mint Sandstorm’s operational prowess is evident in its continuous evolution, adapting both tools and tactics to breach high-profile targets effectively. The latest series of attacks were notably marked by the exploitation of the Israel-Hamas conflict, wherein attackers masqueraded as journalists and other notable figures, using seemingly benign emails to establish trust. This preliminary rapport-building phase was critical before deploying malware to their intended targets.
T1566.003: Phishing: Spear phishing via Service, T1078.004: Valid Accounts – Cloud Accounts, T1204.002: User Execution – Malicious File, T1059.001: Command and Scripting Interpreter – PowerShell, T1053.005: Scheduled Task/Job: Scheduled Task, T1112: Modify Registry, T1564.001: Hide Artifacts – Hidden Files and Directories, T1559.001: Inter-Process Communication – Component Object Model, T1547.001: Boot or Logon Auto start Execution – Registry Run Keys / Startup Folder
In another campaign, Charming Kitten has initiated a series of cyberattacks targeting experts on Middle Eastern policy, employing a novel backdoor named BASICSTAR under the guise of a counterfeit webinar platform. This group is notorious for its unconventional social engineering strategies, which often involve initiating extended email conversations with targets to build rapport before disseminating malicious links. In their latest campaign, Charming Kitten impersonated the Rasanah International Institute for Iranian Studies (IIIS), leveraging this identity to establish credibility and trust with their targets. The phishing efforts are further sophisticated by hijacking legitimate email accounts and employing a technique known as Multi-Persona Impersonation, utilizing multiple email accounts controlled by the attackers. These phishing attacks commonly utilize RAR archives containing LNK files to begin the malware distribution process, enticing targets with invitations to fictitious webinars tailored to their interests. Notably, a complex infection chain involving BASICSTAR alongside KORKULOADER, a PowerShell script designed to download further malicious payloads, exemplifies the group’s intricate methods of compromising systems.
T1566.002: Spear phishing Link, T1204: User Execution, T1574: Hijack Execution Flow, T1027: Obfuscated Files or Information, T1087: Account Discovery, T1213: Data from Information Repositories, T1105: Ingress Tool Transfer, T1041: Exfiltration Over C2 Channel
In Q1 2024, the Tortoiseshell group, affiliated with the Iranian Revolutionary Guard Corps (IRGC), has been engaging in sophisticated cyber operations targeting the aerospace, aviation, and defense sectors within the Middle East, specifically in Israel, the United Arab Emirates (UAE), and possibly extending to Turkey, India, and Albania. Employing deceptive tactics, such as spreading political messages and advertising fake technical job opportunities, Tortoiseshell aims to infiltrate and compromise the systems of its targets. This strategy includes prior attempts to disrupt the supply chains of defense contractors and IT service providers. The connection to the IRGC underscores the strategic importance of these cyberattacks, especially against the backdrop of heightened tensions following the Israel-Hamas conflict. Researchers tracking Tortoiseshell’s activities have noted the group’s sophisticated use of evasion techniques, including leveraging Microsoft Azure cloud services and social engineering to distribute two distinctive backdoors, named MINIBIKE and MINIBUS, further highlighting the group’s adaptability and focus on high-value defense-related targets.
T1566.002: Spearphishing Link, T1589.001: Gather Victim Identity Information-Credentials, T1547.001: Boot or Logon Autostart Execution-Registry Run Keys / Startup Folder, T1059: Command and Scripting Interpreter, T1105: Ingress Tool Transfer, T1071.004: Application Layer Protocol: DNS, T1027: Obfuscated Files or Information, T1550.002: Use Alternate Authentication Material: Pass the Hash, T1583.002: Acquire Infrastructure: DNS Server
Additional observations indicate that Iran is intensifying its cyber warfare capabilities, particularly targeting its adversaries in the Middle East while enhancing its cyberattack tactics. Notably, Iran-linked cyber-operations groups are increasingly targeting IT services firms, viewing them as gateways to infiltrate the networks of government clients. The intelligence gathered from these incursions holds strategic importance for Iran, serving as potential leverage for espionage activities and potentially even kinetic operations. This escalation underscores Iran’s growing prowess and determination in the realm of cyber warfare, posing significant challenges to regional stability and security.
Targeted Country
Targeted Technology
Targeted Industries
Researchers have detected the Russian state-sponsored actor Nobelium engaging in a sophisticated cyberattack targeting Microsoft, employing a password spray technique to breach a non-production test tenant account. Subsequently, they leveraged this foothold to access a limited number of Microsoft corporate email accounts, including those of senior leadership and personnel in cybersecurity, legal, and other departments, pilfering emails and attached documents. Initially focused on extracting information related to Midnight Blizzard, their activities expanded to unauthorized access attempts on the company’s source code repositories and internal systems. The sustained and well-coordinated nature of Midnight Blizzard’s attack underscores a significant commitment of resources and strategic focus, potentially aimed at reconnaissance to bolster future attacks.
T1588.002: Obtain Capabilities – Tool, T1548.002: Abuse Elevation Control Mechanism – Bypass User Account Control, T1552.004: Unsecured Credentials – Private Keys, T1078.002: Valid Accounts – Domain Accounts, T1110.003: Brute Force – Password Spraying, T1203: Exploitation for Client Execution, T1595: Active Scanning
Researchers recently uncovered another campaign led by APT29 targeting political parties in Germany, a notable departure from their typical focus on governmental and diplomatic entities. APT29, employed a phishing campaign in late February 2024, introducing a new backdoor variant called WINELOADER, signaling an expanded operational scope. Phishing emails posing as invitations to a Christian Democratic Union (CDU) dinner reception were distributed, containing links to malicious ZIP files hosted on compromised websites. These ZIP files delivered the ROOTSAW dropper, which deployed the WINELOADER payload. This marks the first instance of APT29 targeting political parties, highlighting a shift in their interests. The WINELOADER backdoor, previously observed in January 2024, shares traits with other APT29 malware, suggesting a common origin. Targeting political parties poses a potential threat to European and Western political organizations, particularly amid the ongoing conflict between Russia and Ukraine. Germany’s consistent condemnation of Russian aggression and its support for Ukraine make it a conceivable target for state-sponsored Russian threat actors seeking to infiltrate political systems to gather intelligence, complementing data obtained from government departments. Understanding these actors’ objectives and strategic considerations is paramount in anticipating their potential actions.
T1543.003: Windows Service, T1012: Query Registry, T1082: System Information Discovery, T1134: Access Token Manipulation, T1057: Process Discovery, T1007: System Service Discovery, T1027: Obfuscated Files or Information, T1070.004: File Deletion, T1055.003: Thread Execution Hijacking, T1083: File and Directory Discovery
A highly sophisticated Russian advanced persistent threat (APT) group has initiated a meticulously planned PowerShell attack campaign directed at the Ukrainian military, demonstrating a history of persistent targeting driven by geopolitical, espionage, and disruptive motives. Employing the SUBTLE-PAWS PowerShell-based backdoor, the threat actors infiltrate and compromise targeted systems, enabling unauthorized access, command execution, and persistent presence within compromised networks. The attack strategy involves disseminating malicious payloads through compressed files distributed via phishing emails, with malware propagation and lateral movement facilitated through USB drives, circumventing the need for direct network access. What sets SUBTLE-PAWS apart is its reliance on off-disk/PowerShell stagers for execution, eschewing traditional binary payloads, and employing advanced obfuscation and evasion techniques, such as encoding, command splitting, and registry-based persistence to evade detection. Establishing command and control (C2) via Telegram communication with a remote server, the group adapts its methods using DNS queries and HTTP requests with dynamically stored IP addresses. The attack is initiated by the execution of a malicious shortcut (.lnk) file, triggering the loading and execution of a new PowerShell backdoor payload code embedded within another file within the same compressed archive.
T1027.010: Obfuscated Files or Information: Command Obfuscation, T1070.004: Indicator Removal – File Deletion, T1140: Deobfuscate/Decode Files or Information, T1059.001: Command and Scripting Interpreter – PowerShell, T1204.001: User Execution – Malicious Link, T1547.001: Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder, T1132.001: Data Encoding – Standard Encoding, T1573: Encrypted
APT28 has been observed utilizing compromised Ubiquiti EdgeRouters to bypass detection, prompting a joint advisory from the FBI, NSA, U.S. Cyber Command, and international partners. Exploiting these widely used routers enables APT28 to construct extensive botnets, facilitating the theft of credentials, NTLMv2 digests, and the proxying of malicious traffic. Moreover, these hijacked routers serve as hosts for custom tools and phishing landing pages within covert cyber operations targeting various entities globally, including militaries and governments. Given that EdgeRouters often come with default credentials and minimal firewall protections, coupled with the absence of automatic firmware updates, they present vulnerabilities exploited by APT28. With root access to compromised routers, APT28 gains unrestricted access to Linux-based operating systems, enabling them to install tools and obfuscate their identities during malicious campaigns. The FBI’s investigation of compromised routers uncovered APT28 tools and artifacts, including Python scripts for webmail credential theft, programs for harvesting NTLMv2 digests, and custom routing rules diverting phishing traffic to dedicated attack infrastructure. Russian hackers have a track record of focusing on Internet routing equipment as a means to execute man-in-the-middle attacks, supporting espionage campaigns, establishing persistent access within victims’ networks, and laying the groundwork for further offensive operations.
T1587: Develop Capabilities, T1588: Obtain Capabilities, T1584: Compromise Infrastructure, T1566: Phishing, T1203: Exploitation for Client Execution, T1546: Event Triggered Execution, T1557: Adversary-in-the-Middle, T1556: Modify Authentication Process, T1119: Automated Collection, T1020: Automated Exfiltration
Additionally, as organizations undergo modernization efforts, transitioning towards a cloud-based infrastructure, the SVR has adeptly adapted to this evolving operational landscape. Departing from traditional methods of initial access, such as exploiting software vulnerabilities within on-premises networks, they have shifted their focus towards targeting cloud services directly.
Targeted Country
Targeted Technology
Targeted Industries
In late February 2024, researchers uncovered a new campaign organized by the China-linked threat actor Earth Lusca, known for its evolving tactics since at least 2020. This recent operation exploited tensions between China and Taiwan, leveraging a lure document discussing geopolitical issues to infect targeted entities. The campaign, believed to be active from December 2023 to January 2024, is suspected to be initiated with spear phishing emails containing a malicious archive file named “China_s gray zone warfare against Taiwan.7z.” The archive comprises two Windows shortcut files (.LNK) and a “__MACOS” subfolder, reminiscent of a legitimate macOS directory “__MACOSX”. However, this subfolder conceals a malicious payload, featuring JavaScript files “_params.cat.js” and “_params2.cat.js”. In the first stage, LNK files execute JavaScript code from “__MACOS”, concealing the script path with 255 space characters. Subsequently, the second stage employs Dean Edward’s JavaScript Packer for obfuscation. The third stage involves dropping a text file with a Microsoft Cabinet File signature, and decoding a hexadecimal string to unpack the cabinet archive. This archive contains decoy files, a signed legitimate executable (pfexec.exe), and a malicious DLL library. Finally, the DLL library functions as a stageless Cobalt Strike payload, featuring notable parameters from the embedded configuration. Additionally, a leaked dataset linked to the Chinese company I-Soon revealed overlaps in victim targeting, malware usage, and geographic location with Earth Lusca, implying potential collaboration or shared resources between the two entities. This underscores the sophistication and interconnected nature of threat actors operating in the cyber landscape.
T1566.002: Spear-phishing Link T1059.003: Windows Command Shell T1059.007: JavaScript T1204.001: Malicious Link T1204.002: Malicious File T1140: Deobfuscate/Decode Files or Information T1564.001: Hidden Files and Directories T1574.001: DLL Search Order Hijacking T1202: Indirect Command Execution T1036.007: Double File Extension T1027.002: Software Packing T1027.009: Embedded Payloads T1027.012: LNK Icon Smuggling T1083: File and Directory Discovery T1132: Data Encoding T1001: Data Obfuscation T1573: Encrypted Channel T1041: Exfiltration Over C2 Channel
In early March 2024, researchers uncovered a cyberespionage campaign conducted by the Chinese APT group Evasive Panda, also known as BRONZE HIGHLAND, which has been active since 2012, targeting individuals and government entities in China, Hong Kong, and Southeast Asia. This recent campaign specifically targeted Tibetans across various countries and territories, exploiting the Monlam Festival, a religious gathering, as a focal point. Evasive Panda compromised the website of the festival organizer, Kagyu International Monlam Trust, to conduct watering-hole attacks, enticing users to download malicious files disguised as fixes. Additionally, they compromised the supply chain of a Tibetan software company, distributing trojanized installers of Tibetan language translation software. The attackers are seen targeting users in India, Taiwan, Hong Kong, Australia, and the United States. They deployed various malicious tools, including MgBot, a modular backdoor enabling spying and enhanced access, as well as a newly discovered backdoor named Nightdoor, first observed in 2020. Nightdoor communicates with its command and control (C&C) server via the Google Drive API, encrypting communication using an OAuth 2.0 token.
T1583.004: Acquire Infrastructure: Server T1583.006: Acquire Infrastructure: Web Services T1584.004: Compromise Infrastructure: Server T1585.003: Establish Accounts: Cloud Accounts T1587.001: Develop Capabilities: Malware T1588.003: Obtain Capabilities: Code Signing Certificates T1608.004: Stage Capabilities: Drive-by Target T1189: Drive-by Compromise T1195.002:Supply Chain Compromise: Compromise Software Supply Chain T1106: Native API T1053.005: Scheduled Task/Job: Scheduled Task T1543.003: Create or Modify System Process: Windows Service T1574.002: Hijack Execution Flow: DLL Side-Loading T1140: Deobfuscate/Decode Files or Information T1562.004: Impair Defenses: Disable or Modify System Firewall T1070.004: Indicator Removal: File Deletion T1070.009: Indicator Removal: Clear Persistence T1036.004: Masquerading: Masquerade Task or Service T1036.005: Masquerading: Match Legitimate Name or Location T1027.009: Obfuscated Files or Information: Embedded Payloads T1055.001: Process Injection: Dynamic-link Library Injection T1620: Reflective Code Loading T1083: File and Directory Discovery T1057: Process Discovery T1012: Query Registry T1518: Software Discovery T1033: System Owner/User Discovery T1082: System Information Discovery T1560: Archive Collected Data T1119: Automated Collection T1005: Data from Local System T1074.001: Data Staged: Local Data Staging and Control T1071.001: Application Layer Protocol: Web Protocols T1095: Non-Application Layer Protocol T1102: Web Service T1020: Automated Exfiltration
In the first quarter of 2024, researchers uncovered an ongoing APT campaign attributed to Earth Krahang, a sophisticated threat actor associated with China, operational since early 2022. Earth Krahang meticulously targets government entities worldwide, especially in Southeast Asia but extends its operations globally, including Europe, America, and Africa. Although independent from Earth Lusca, another China-linked threat actor, they share certain infrastructure and methodologies. Employing sophisticated techniques, Earth Krahang exploits vulnerabilities in public-facing servers using open-source scanning tools like sqlmap, nuclei, xray, and wordpressscan, conducting recursive searches and brute-forcing directories for sensitive information. They exploit vulnerabilities such as CVE-2023-32315 and CVE-2022-21587, and spear phishing emails with geopolitical topics’ attachments or links for initial access. Trust exploitation between governments sees Earth Krahang utilizing compromised government servers and email accounts, often employing legitimate government domains to host backdoors and send spear-phishing emails to evade detection. Post-exploitation activities include installing SoftEther VPN, enabling Remote Desktop connections, and accessing credentials via Mimikatz or ProcDump, with lateral movement via WMIC and privilege escalation using vulnerabilities on Windows and Linux systems. Brute force attacks on Exchange servers and tools like ruler facilitate compromising email accounts for exfiltration. Their targeting strategy encompasses government organizations as primary targets, with a particular focus on Foreign Affairs ministries, alongside sectors like education, telecommunications, post offices, logistics platforms, and job services.
T1595.001: Active Scanning: Scanning IP Blocks T1595.002: Active Scanning: Vulnerability Scanning T1595.003: Active Scanning: Wordlist Scanning T1592: Gather Victim Host Information T1590: Gather Victim Network Information T1583.001: Acquire Infrastructure: Domains T1583.003: Acquire Infrastructure: Virtual Private Server T1586.002: Compromise Accounts: Email Account T1584.004: Compromise Infrastructure: Server T1588.001: Obtain Capabilities: Malware T1588.003: Obtain Capabilities: Code Signing Certificates T1608.001: Stage Capabilities: Upload Malware T1608.002: Stage Capabilities: Upload Tool T1608.005: Stage Capabilities: Link Target T1190: Exploit Public-Facing Application T1566.001: Phishing: Spear phishing Attachment T1566.002: Phishing: Spear phishing Link T1199: Trusted Relationship T1078: Valid Accounts T1059.001: Command and Scripting Interpreter: PowerShell T1059.003: Command and Scripting Interpreter: Windows Command Shell T1203: Exploitation for Client Execution T1569.002: System Services: Service Execution, T1204.002: User Execution: Malicious File T1047: Windows Management Instrumentation T1543.003: Create or Modify System Process: Windows Service T1133: External Remote Services T1053.005: Scheduled Task/Job: Scheduled Task T1505.003: Server Software Component: Web Shell T1068: Exploitation for Privilege Escalation T1078.003: Valid Accounts: Local Accounts T1140: Deobfuscate/Decode Files or Information T1574.002: Hijack Execution Flow: DLL Side-Loading T1036.005: Masquerading: Match Legitimate Name or Location T1112: Modify Registry T1539: Steal Web Session Cookie T1087.001: Account Discovery: Local Account T1087.002: Account Discovery: Domain Account T1069.002: Permission Groups Discovery: Domain Groups T1057: Process Discovery T1033: System Owner/User Discovery T1007: System Service Discovery T1210: Exploitation of Remote Services T1534: Internal Spear phishing T1021.006: Remote Services: Windows Remote Management T1119: Automated Collection T1071.001: Application Layer Protocol: Web Protocols T1573.001: Encrypted Channel: Symmetric Cryptography T1020: Automated Exfiltration
Targeted Country
Targeted Technology
Targeted Industries
At the beginning of Q1 2024, researchers noted a significant evolution in the tactics employed by the Kimsuky threat actor group, also recognised as Black Banshee or Thallium, originating from North Korea and active since at least 2012. The researchers have observed a noticeable shift in Kimsuky’s approach, incorporating advanced techniques to circumvent modern security measures. Initially focused on targeting South Korean government entities and individuals linked to the Korean peninsula’s unification process, Kimsuky has expanded its operations across the APAC region, including countries like Japan, Vietnam, and Thailand. Their latest campaign demonstrates the utilization of CHM files distributed within various containers such as ISO, VHD, ZIP, or RAR files, enabling them to evade initial security barriers. Upon execution, these CHM files initiate VBScript execution through ActiveX, facilitating persistence through registry modifications. Additionally, they employ living-off-the-land techniques, utilizing WMI to gather system details and exfiltrating data to remote servers encoded in Base64 format.
T1059.003: Command and Scripting Interpreter: Windows Command Shell T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1041: Exfiltration Over C2 Channel T1036: Masquerading T1082: System Information Discovery T1566.001: Phishing: Spear phishing Attachment
Also, at the end of February 2024, researchers discovered TODDLERSHARK, a malware resembling BABYSHARK associated with Kimsuky. Exploiting ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709, attackers gained access and downloaded heavily obfuscated VB script payloads. These payloads, with constantly changing code and URLs, evade detection. The malware modifies registry keys to enable untrusted macros, aiding in potential future attacks. Its primary function is information theft, utilizing multiple cmd.exe instances to capture system details, including network, security software, and running processes. Captured data is encoded in PEM format and exfiltrated via C2 servers, a technique previously used by Kimsuky. The malware also sets up scheduled tasks for further payload delivery. Similarities in code and functionality suggest TODDLERSHARK is a variant of BABYSHARK.
T1132.001: Data Encoding: Standard Encoding T1053.005: Scheduled Task/Job: Scheduled Task T1218.005: System Binary Proxy Execution: Mshta T1027.010: Obfuscated Files or Information: Command Obfuscation T1059.003: Command and Scripting Interpreter: Windows Command Shell
At the same time, researchers discovered a new malware named “Troll Stealer,” believed to be from the Kimsuky group, distributed via a security program download page in South Korea. The malware, written in Go language, operates as an info-stealer, disguised within a Dropper named TrustPKI installer from SGA Solutions. The Dropper and malware are both signed with a legitimate certificate from “D2innovation Co.,LTD,” indicating a potential certificate theft. Troll Stealer targets South Korean administrative and public organizations, evidenced by its ability to steal GPKI folders. Its functionalities include stealing SSH, FileZilla, browser, system information, and screen captures, sent to a C&C server after encryption, using RC4 and RSA algorithms. Additionally, another Go-based backdoor, “GoBear,” signed with the same certificate, was identified, adding SOCKS5 proxy functionality, possibly indicating expanded capabilities by the Kimsuky group or collaboration with other threat actors. The reuse of mutexes and code similarities further support the attribution to the Kimsuky group.
T1588.004: Obtain Capabilities: Digital Certificates T1204.002: User Execution: Malicious File T1059.001: Command and Scripting Interpreter: PowerShell T1059.003: Command and Scripting Interpreter: Windows Command Shell T1027.002: Obfuscated Files or Information: Software Packing T1555.003: Credentials from Password Stores: Credentials from Web Browsers T1539: Steal Web Session Cookie T1057: Process Discovery T1087.001: Account Discovery: Local Account T1083: File and Directory Discovery T1518.001: Software Discovery: Security Software Discovery T1082: System Information Discovery T1016: System Network Configuration Discovery T1005: Data from Local System T1113: Screen Capture T1560: Archive Collected Data T1071.001: Application Layer Protocol: Web Protocols
At the end of Q1 2024, the research team uncovered a sophisticated, multi-stage attack campaign named DEEP#GOSU, attributed to the Kimsuky group. This campaign employs advanced techniques, including PowerShell and VBScript stagers, to infiltrate systems silently and maintain persistence. Utilizing legitimate services like Dropbox for command and control communication enables the attackers to blend into regular network traffic and evade detection. The initial stage involves shortcut files (.lnk) containing embedded PowerShell scripts, which execute an embedded PDF lure document while downloading further malicious code from Dropbox.
Subsequent stages entail the execution of downloaded payloads, including the TruRat remote access Trojan (RAT), alongside additional PowerShell and VBScript scripts for system enumeration, keylogging, clipboard monitoring, and data exfiltration. Employing encryption techniques and dynamic payload loading enhances evasion of detection and analysis, showcasing a high level of sophistication and difficulty in mitigation. The malware’s capabilities encompass keylogging, remote desktop access, microphone and camera spying, and password management, indicating its potential for extensive surveillance and control over infected systems. This campaign demonstrates persistence and sophistication through a combination of PowerShell, VBScript, and RAT software, aiming to evade traditional security measures while maintaining covert access to compromised systems.
T1027.010: Obfuscated Files or Information: Command Obfuscation T1070.004: Indicator Removal: File Deletion T1140: Deobfuscate/Decode Files or Information T1057: Process Discovery T1082: System Information Discovery T1083: File and Directory Discovery T1059.001: Command and Scripting Interpreter: PowerShell T1059.005: Command and Scripting Interpreter: Visual Basic T1204.001: User Execution: Malicious Link T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage T1053 – Scheduled Task/Job T1102: Web Service T1132.001: Data Encoding: Standard Encoding T1219 – Remote Access Software T1573: Encrypted Channel T1115 – Clipboard Data T1056.001 – Input Capture: Keylogging
In March 2024, researchers observed significant advancements in the tactics and techniques of the Lazarus group aka Hidden Cobra, a North Korean threat actor. They exploited a Windows kernel privilege escalation vulnerability, CVE-2024-21338, during a zero-day attack, enhancing their FudModule rootkit with new functionality. This updated rootkit directly manipulates kernel objects, employing a handle table entry manipulation technique to suspend Protected Process Light (PPL) protected processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro. Lazarus also disabled crucial security features like register callbacks and object callbacks to evade detection by security products. Additionally, the rootkit targets specific antivirus programs and disables image verification callbacks to deploy malicious drivers effectively. These advancements underscore Lazarus’ technical sophistication and highlight the ongoing challenge posed by this advanced persistent threat group.
T1068: Exploitation for Privilege Escalation T1190: Exploit Public-Facing Application T1112: Modify Registry T1574.013: Hijack Execution Flow: KernelCallbackTable T1014: Rootkit T1562.001: Impair Defenses: Disable or Modify Tools
Additionally, researchers also observed that the Lazarus hacking group targeted the official Python package repository, PyPI, releasing four malicious packages: pycryptoenv, pycryptoconf, quasarlib, and swapmempool. These packages, similar in name to the legitimate encryption package pycrypto, were designed to exploit potential typos during installation. They contain encoded DLL files disguised as a test script. Once decoded, the encoded DLL file executes malware named Comebacker, which establishes connections with a command-and-control server. This technique mirrors previous Lazarus attacks, including one in January 2021 targeting security researchers. The malware is activated on the target machine through a Python script, ultimately executing the malicious payload. Comebacker sends HTTP POST requests to its command-and-control servers and receives Windows executable files in response. This attack aligns with Lazarus’ broader strategy of spreading malware across multiple package repositories.
In Q1 2024, the APT landscape showcased intensified efforts by Iranian, Russian, Chinese, and North Korean cyber actors. Iranian groups like Homeland Justice and Mint Sandstorm escalated their operations with sophisticated attacks on national and academic targets, while Russian entities such as Nobelium and Gamaredon honed their tactics against high-value corporate and military targets. Chinese threat actors, including Earth Lusca and Evasive Panda, leveraged geopolitical events to deploy advanced multi-stage malware, expanding their espionage footprint globally. Meanwhile, North Korean groups like Kimsuky and Lazarus demonstrated enhanced capabilities in multi-stage attacks, focussing on supply chain attacks and exploitation of zero-day vulnerabilities. This quarter’s activities emphasize the need for continuous enhancement of cybersecurity defenses and international collaboration to address the evolving threats posed by these adept state-sponsored actors.
