ESET's APT Activity Report Q4 2023-Q1 2024 summarizes what ESET researchers observed of various advanced persistent threat (APT) groups between October 2023 and March 2024. It characterizes the broader threat landscape investigated during this period and details the trends, developments, and tooling of these threat actors. ESET states that the public report contains only a fraction of what its private threat-intelligence customers receive.
China
China-aligned cyber espionage groups have traditionally targeted public-facing applications to obtain initial access to a target network. In many campaigns investigated by ESET and others, these groups leveraged one-day vulnerabilities (flaws already patched by the vendor but not yet by the victim) in a range of appliances and software, including VPNs, firewalls, Confluence, and Exchange. See ESET's report, linked below, for its detailed analysis of Chinese threat activity.
Middle East
According to ESET's research, BladedFeline, a threat group ESET assesses as potentially Iran-aligned, continued to target a government entity in the Kurdistan region of Iraq. ESET states that the group's observed coding capabilities led it to consider a possible alignment with Iran, a "longtime rival" of Iraq. The group appears competent: the tools it has deployed on victim networks use well-written VBScript and PowerShell.
The group also breached a telecommunications provider in Uzbekistan; ESET describes the timing as "interesting" given Iran's recent push for rapprochement with Central Asian countries.
During the reporting period, ESET also saw POLONIUM, a group whose targeting appears aligned with Hezbollah's interests, continue to deploy its Python-based backdoors and exfiltration tools on the networks of Israeli organizations in the technology and social services sectors. In January, the group targeted several entities in the construction, manufacturing, and healthcare industries with an updated version of its Python backdoor. The updated tool encrypts its payloads, and part of the content is victim-dependent, most likely to hinder analysis of the tool chain outside the intended victim's environment.
Iran
Unsurprisingly, researchers at ESET noticed an uptick in suspected Iranian activity following the terrorist attack on Israel on October 7, 2023. This uptick falls under two primary goals: access brokering and destructive operations. ESET notes that while the frequency of operations rose, their quality and impact slumped; this drop in quality and the focus on destruction and access brokering likely came at the expense of cyber espionage. OilRig, in particular, has been described as "unusually quiet".
Ballistic Bobcat (also tracked as PHOSPHORUS, Charming Kitten, and APT35/42), an Iran-aligned threat group that has historically been a steady producer of custom malware, also saw a downtick in operational frequency in late 2023. During the reporting period, ESET researchers saw Ballistic Bobcat employing TTPs usually associated with MuddyWater: RATs, PowerShell scripts, and commands run manually from a terminal. ESET assesses that many of the Iran-aligned groups have shifted their focus to supporting destructive attacks on Israel.
See ESET's report for more Iranian activity including observations around wiper and ransomware operations.
North Korea
Groups aligned with the DPRK continued to improve their tradecraft, both by developing new malware families and by refining techniques that have previously succeeded for North Korean APTs.
Lazarus Group persisted in targeting aerospace and defense companies and appeared to step up its efforts against the cryptocurrency industry, both by organizing heists and by compromising developers working on cryptocurrency projects. Microsoft has estimated the cryptocurrency stolen by North Korea-aligned groups in 2023 at between $600 million and $1 billion.
ESET reports that ScarCruft and Konni conducted spearphishing campaigns against citizens and organizations in South Korea; in December 2023, Konni also targeted Russian government employees.
The report highlights a sharp increase in supply-chain compromises and trojanized software. In November 2023, Microsoft uncovered a Lazarus campaign against the Taiwanese multimedia software company CyberLink: the threat actors breached the company and inserted malicious code into its software build process, trojanizing the resulting installer.
ESET also noted a shift in TTPs toward malicious LNK (Windows shortcut) files: Kimsuky, ScarCruft, and Konni all began using similar LNK files with inflated sizes. PowerShell has emerged as the favored scripting language for North Korean actors; a PowerShell command launched by the shortcut extracts and decrypts a payload embedded in the LNK file itself (which is why the files are unusually large), where these groups previously used CHM files to the same end.
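The "oversized shortcut that launches PowerShell and carves a payload out of itself" pattern is easy to triage mechanically. Below is an added example written for this post, not ESET's tooling or any of the groups' actual samples: it parses the Shell Link binary format (MS-SHLLINK) far enough to find where the defined structures end, treats anything after the ExtraData terminal block as an overlay, and flags shortcuts whose strings reference PowerShell and whose overlay is large. The sample .lnk is constructed in the block itself (header, RelativePath, Arguments, a zeroed remainder and an XOR-scrambled filler overlay); the argument string, the 1 KiB overlay threshold and the indicator regexes are assumptions of the example.

```python
"""Added example: triage .lnk files for an embedded-payload overlay plus a PowerShell launcher."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_RELATIVE_PATH, HAS_ARGUMENTS, IS_UNICODE = 0x08, 0x20, 0x80
STRING_DATA_FLAGS = (  # StringData entries appear in this fixed order when their flag bit is set
    ("name", 0x04), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", 0x10),
    ("arguments", HAS_ARGUMENTS), ("icon_location", 0x40),
)
ENCODED_CMD = re.compile(r"(?<!\w)-e(?:nc|ncodedcommand)?(?=\s)|frombase64string", re.I)
SELF_DECODE = re.compile(r"readallbytes|get-content|-bxor|frombase64string", re.I)


def parse_lnk(data: bytes) -> dict:
    """Walk header, LinkTargetIDList, LinkInfo, StringData and ExtraData; return strings and overlay."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for name, bit in STRING_DATA_FLAGS:      # CountCharacters (u16) + characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += 2 + count * width
    while pos + 4 <= len(data):              # ExtraData: BlockSize-prefixed blocks; size < 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    return {"flags": flags, "strings": strings, "structured_end": pos, "overlay": data[pos:]}


def triage_lnk(data: bytes, overlay_threshold: int = 1024) -> dict:
    """Flag shortcuts that launch PowerShell and carry a sizeable overlay after the defined structures."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    all_text = " ".join(info["strings"].values())
    overlay = info["overlay"]
    indicators = []
    if re.search(r"powershell|pwsh", all_text, re.I):
        indicators.append("powershell_launch")
    if ENCODED_CMD.search(args):
        indicators.append("encoded_command")
    if SELF_DECODE.search(args):
        indicators.append("self_decoding_arguments")
    if len(overlay) >= overlay_threshold:
        indicators.append("overlay_%d_bytes" % len(overlay))
    return {"arguments": args, "structured_end": info["structured_end"], "overlay_size": len(overlay),
            "indicators": indicators,
            "suspicious": "powershell_launch" in indicators and len(overlay) >= overlay_threshold}


def build_sample_lnk(relative_path: str, arguments: str, overlay: bytes) -> bytes:
    """Constructed minimal shortcut for the demo (not a real-world sample)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    body = b""
    for s in (relative_path,) + ((arguments,) if arguments else ()):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + struct.pack("<I", 0) + overlay  # u32 0 = ExtraData terminal block


# Constructed sample: the shortcut reads itself, takes the last 4096 bytes and XOR-decodes them.
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = ("-WindowStyle Hidden -Command \"$b=[IO.File]::ReadAllBytes('Resume.pdf.lnk');"
               "$p=$b[($b.Length-4096)..($b.Length-1)]|%{$_ -bxor 0x5A};"
               "[IO.File]::WriteAllBytes((Join-Path $env:TEMP s.ps1),[byte[]]$p)\"")
SAMPLE_OVERLAY = bytes(b ^ 0x5A for b in b"constructed placeholder payload " * 128)  # 4096 bytes
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS, SAMPLE_OVERLAY)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

The structured end offset is the useful number for an analyst: dump the bytes from there and you have the embedded payload exactly as the PowerShell stub sees it. LinkTargetIDList and LinkInfo are skipped by size rather than parsed, which is all that is needed to reach the overlay.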
Russia
ESET researchers continued to monitor Russia-aligned APT operations targeting Ukraine and the European Union countries supporting it. These actors relied heavily on spearphishing across a wide array of industries to gain initial access; once in, they used that access to exfiltrate credentials and deploy a variety of malicious payloads.
Since the end of February 2024, Russia-aligned APT groups have been observed sending spearphishing emails to numerous European government entities that attempt to exploit an Outlook vulnerability (CVE-2024-21413).
ESET attributes this activity to the Callisto group based on the victimology. In December 2023, the UK publicly attributed Callisto to Russia's FSB, specifically its Centre 18 (the 18th Center for Information Security).
In 2023, ESET researchers identified two previously unknown backdoors, dubbed LunarWeb and LunarMail, used in the compromise of a European ministry of foreign affairs and its diplomatic missions abroad. The two share a loader that derives the payload decryption key from the machine's DNS domain name (tying the payload to the intended victim's network), overlap in code, and support a similar command set. They differ in their C2 channel: LunarWeb communicates over HTTP(S) and mimics legitimate service traffic, while LunarMail piggybacks on Outlook and communicates through email messages. Both hide data in images and documents and can execute Lua scripts. ESET assesses that the backdoors have been in use since at least 2020, possibly earlier, and attributes them to Turla with medium confidence based on related past activity.
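The domain-keyed loader ESET describes for the Lunar toolset, and the victim-dependent payload content noted above for POLONIUM, are both instances of environmental keying: the next stage is encrypted under a key derived from something only the intended victim's environment provides, so the same sample is inert in a sandbox or on an analyst's machine. The block below is an added illustration written for this post; it is not ESET's code and not the actual Lunar or POLONIUM scheme. The key derivation (PBKDF2 over the lowercased DNS domain), the HMAC-SHA256 keystream with an HMAC tag (standard library only, so no AES-GCM), the blob layout and the use of the USERDNSDOMAIN variable are all assumptions of the example.

```python
"""Added example: environmental keying of a second-stage payload on the victim's DNS domain."""
import hashlib
import hmac
import os
import struct

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
KDF_ITERATIONS = 100_000


def derive_key(dns_domain: str, salt: bytes) -> bytes:
    """The key depends only on the DNS domain; a different domain yields an unrelated key."""
    canonical = dns_domain.strip().rstrip(".").lower().encode()  # USERDNSDOMAIN is upper case on Windows
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, KDF_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in for a real stream cipher."""
    blocks = [hmac.new(key, nonce + struct.pack("<Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_payload(payload: bytes, target_dns_domain: str) -> bytes:
    """Operator side: encrypt the stage for one target. Blob layout: salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(target_dns_domain, salt)
    ciphertext = _xor(payload, _keystream(key, nonce, len(payload)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_payload(blob: bytes, dns_domain: str):
    """Loader side: return the plaintext, or None when the domain (and hence the key) is wrong."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    key = derive_key(dns_domain, salt)
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # verify before decrypt: garbage is never executed and the loader can exit quietly
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def run_loader(blob: bytes, environ: dict):
    """What the loader does on a host: read the domain from the environment and try to open the stage.
    `environ` is passed in instead of os.environ so the victim and sandbox cases can be compared."""
    domain = environ.get("USERDNSDOMAIN")
    if not domain:
        return None  # workgroup machine or sandbox with no domain: nothing to key on
    return open_payload(blob, domain)


# Constructed demo: the stage is plain text here; in the real case it would be a DLL or a script.
TARGET_DOMAIN = "corp.example-ministry.invalid"   # hypothetical victim domain, not a real one
STAGE = b"constructed second-stage payload for the demo"
SEALED = seal_payload(STAGE, TARGET_DOMAIN)

if __name__ == "__main__":
    print("victim :", run_loader(SEALED, {"USERDNSDOMAIN": TARGET_DOMAIN.upper()}))
    print("sandbox:", run_loader(SEALED, {"USERDNSDOMAIN": "SANDBOX.LOCAL"}))
    print("no dom :", run_loader(SEALED, {}))
```

The practical consequence for responders is that the sealed blob carved from a victim's disk cannot be decrypted in the lab without supplying the victim's actual domain; the salt and slow KDF also make guessing the domain from a wordlist expensive, which is the attacker's intent.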
Gamaredon was the most active Russia-aligned APT group operating in Ukraine. It used spearphishing as its initial access vector: emails carried an XHTML attachment that used HTML smuggling to drop a ZIP archive containing an HTA file; that HTA downloaded a second HTA containing a VBScript downloader, which then deployed the malicious payloads.
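HTML smuggling works because the attachment carries the archive as an encoded string and uses browser APIs to assemble and "download" it client-side, so no ZIP ever crosses the mail gateway as an attachment. The following added example (written for this post, not ESET's tooling) recovers the smuggled archive from such an attachment and looks inside it. The XHTML sample is constructed in the block with a ZIP holding a placeholder .hta, using the common Blob + createObjectURL + anchor.download pattern; that JavaScript, the API string list and the 100-character base64 threshold are assumptions of the example, not Gamaredon's actual code.

```python
"""Added example: pull the archive out of an HTML-smuggling attachment and inspect it."""
import base64
import io
import re
import zipfile

SMUGGLING_APIS = ("new Blob", "createObjectURL", "msSaveOrOpenBlob", ".download", "atob(")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}
SCRIPT_EXTENSIONS = (".hta", ".lnk", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr", ".cmd", ".bat")
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{100,}={0,2})['"]""")


def decode_literal(literal: str):
    """Strict base64 decode; returns None for strings that merely look like base64."""
    try:
        return base64.b64decode(literal, validate=True)
    except ValueError:
        return None


def describe_payload(blob: bytes) -> dict:
    """Identify the decoded blob by magic bytes and, for ZIPs, list and flag the entries."""
    kind = next((name for magic, name in MAGIC.items() if blob.startswith(magic)), "unknown")
    entries, flagged = [], []
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                entries = zf.namelist()
        except zipfile.BadZipFile:
            kind = "zip-corrupt"
        flagged = [n for n in entries if n.lower().endswith(SCRIPT_EXTENSIONS)]
    return {"size": len(blob), "type": kind, "entries": entries, "flagged_entries": flagged}


def analyze_html(html: str) -> dict:
    """Combine two signals: smuggling-style JavaScript APIs and a decodable embedded archive."""
    text = re.sub(r"\s+", " ", html)                 # normalise whitespace so 'new  Blob' still matches
    apis = [api for api in SMUGGLING_APIS if api in text]
    payloads = [describe_payload(blob) for blob in map(decode_literal, B64_LITERAL.findall(text))
                if blob is not None]
    dangerous = any(p["type"] in ("zip", "pe") for p in payloads)
    if apis and dangerous:
        verdict = "html_smuggling"
    elif apis or payloads:
        verdict = "review"
    else:
        verdict = "clean"
    return {"apis": apis, "payloads": payloads, "verdict": verdict}


def build_sample_xhtml() -> str:
    """Constructed attachment: a ZIP holding an .hta, carried as base64 and saved via a Blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scan_2024-03-11.hta",
                    "<html><head><script language='VBScript'>\n"
                    "' constructed placeholder; a real sample would fetch the second-stage HTA here\n"
                    "MsgBox \"placeholder\"\n</script></head></html>\n")
    encoded = base64.b64encode(buf.getvalue()).decode()
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<p>Document is loading...</p>
<script type="text/javascript">
var data = "{encoded}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Scan_2024-03-11.zip";
a.click();
</script></body></html>
"""


SAMPLE_XHTML = build_sample_xhtml()

if __name__ == "__main__":
    print(analyze_html(SAMPLE_XHTML))
```

Real samples often split or reverse the string, or XOR it before base64, so the literal scan is the fragile half; the API list is the durable half, because the page has no other way to hand a file to the user. Treat an attachment that hits the APIs but yields no decodable blob as "review", not "clean".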
Several versions of a PowerShell downloader that ESET calls PteroPSLoad were observed during the reporting period. PteroPSLoad used the Cloudflare Tunnel client (cloudflared) and the ngrok utility for C2, so that its traffic goes to a legitimate tunnelling service's domain rather than directly to attacker infrastructure.
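Tunnelling utilities leave two distinct traces that can be correlated: the process that starts the tunnel and the DNS lookup for the service's hostname. The hunt below is an added example for this post, not ESET's detection logic. The telemetry is constructed in a simple key=value format (map the field names onto your own EDR or Sysmon schema); the tunnel domains listed are the public ones used by Cloudflare quick tunnels and ngrok and are an assumption of the example rather than ESET indicators, as are the argument-shape regexes used to catch a renamed binary.

```python
"""Added example: hunt process-creation and DNS telemetry for tunnelling clients used as C2 transport."""
import re

TUNNEL_BINARIES = {"cloudflared", "cloudflared.exe", "ngrok", "ngrok.exe"}
NGROK_ARGS = re.compile(r"\b(?:http|tcp|tls)\s+\d{2,5}\b|--authtoken\b", re.I)
CLOUDFLARED_ARGS = re.compile(r"\btunnel\b.*--url\b|--url\s+https?://", re.I)
TUNNEL_DOMAINS = re.compile(r"\.(?:trycloudflare\.com|ngrok\.io|ngrok-free\.app|ngrok\.app)\b", re.I)
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
WRITABLE_DIRS = ("/appdata/", "/temp/", "/programdata/", "/public/", "/downloads/")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """'<timestamp> key=value key="quoted value" ...' -> dict (constructed log format)."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def process_reasons(event: dict) -> list:
    """Why a process_create event looks like a tunnel client: by binary name and by argument shape."""
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    reasons = []
    if image in TUNNEL_BINARIES:
        reasons.append(f"tunnel_binary:{image}")
    if NGROK_ARGS.search(cmdline):
        reasons.append("ngrok_style_arguments")          # also catches a renamed ngrok
    if CLOUDFLARED_ARGS.search(cmdline):
        reasons.append("cloudflared_style_arguments")    # also catches a renamed cloudflared
    if TUNNEL_DOMAINS.search(cmdline):
        reasons.append("tunnel_domain_in_cmdline")
    return reasons


def hunt(log_text: str) -> list:
    """Alert on tunnel-client launches; raise severity when the context looks like malware, not a dev."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    dns_hosts = {e.get("host") for e in events
                 if e.get("event") == "dns_query" and TUNNEL_DOMAINS.search(e.get("query", ""))}
    alerts = []
    for e in events:
        if e.get("event") != "process_create":
            continue
        reasons = process_reasons(e)
        if not reasons:
            continue
        parent = e.get("parent", "").lower()
        path = e.get("image", "").replace("\\", "/").lower()
        context = []
        if parent in SCRIPT_PARENTS:
            context.append(f"spawned_by:{parent}")
        if any(d in path for d in WRITABLE_DIRS):
            context.append("user_writable_path")
        if e.get("host") in dns_hosts:
            context.append("tunnel_domain_resolved")
        alerts.append({"ts": e["ts"], "host": e.get("host", "?"), "image": e.get("image"),
                       "reasons": reasons, "context": context,
                       "severity": "high" if context else "medium"})
    return alerts


# Constructed telemetry: one workstation showing the PteroPSLoad-style pattern, one developer using ngrok.
SAMPLE_LOG = r"""
2024-02-05T09:14:02Z host=WS-0417 event=process_create parent=powershell.exe image=C:\Users\olena\AppData\Local\Temp\cloudflared.exe cmdline="cloudflared.exe tunnel --no-autoupdate --url http://127.0.0.1:5985"
2024-02-05T09:14:05Z host=WS-0417 event=dns_query query=reason-keeps-arrow-pipe.trycloudflare.com
2024-02-05T09:20:11Z host=WS-0417 event=process_create parent=powershell.exe image=C:\ProgramData\svchost.exe cmdline="svchost.exe tcp 3389 --authtoken 2abc"
2024-02-05T10:02:44Z host=WS-0333 event=process_create parent=explorer.exe image="C:\Program Files\Git\git-bash.exe" cmdline="git-bash.exe"
2024-02-05T10:05:10Z host=DEV-0102 event=process_create parent=cmd.exe image=C:\tools\ngrok.exe cmdline="ngrok.exe http 3000"
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The third constructed line is the case worth tuning for: the binary is renamed to svchost.exe and dropped in ProgramData, so the name match fails, but the ngrok-shaped arguments and the earlier trycloudflare.com lookup on the same host still carry it to high severity. The developer on DEV-0102 gets a medium alert, which is where an allow-list for sanctioned tunnel use belongs.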
In December 2023, Kyivstar, a major telecom operator in Ukraine, fell victim to a cyberattack by Solntsepek, a hacktivist persona suspected of being affiliated with or controlled by Sandworm. Solntsepek has amplified Sandworm's attacks, and some open-source reporting claims the two are one and the same. The following January, Sandworm was detected attempting to access a regional power supply company in Ukraine.
In March 2024, Solntsepek claimed operations against four internet providers in Ukraine, possibly using the AcidPour Linux wiper, with destruction and distraction as the likely goals.
---
ESET's report is a broad, well-sourced analysis of several state-sponsored APT groups' operations over the past few months. This blog post is only a summary of it; the additional open-source intelligence (OSINT) sources referenced here are linked below. Plenty of other state-sponsored TTPs fall outside this report, and security practitioners should stay current on such trends by seeking out relevant, high-quality cyber threat intelligence.