Threat Trend Report on APT Groups – April 2024
Major Issues on APT Groups
The major APT group activities of April 2024, compiled from material published by security companies and institutions, are as follows.
1) APT28 (Forest Blizzard)
Microsoft Threat Intelligence released the results of the investigation on the activities of APT28, a Russia-based threat actor.[1]
According to Microsoft, the group has used GooseEgg, a custom post-compromise tool, to exploit a Windows Print Spooler elevation-of-privilege vulnerability (CVE-2022-38028) since at least June 2020, and possibly as early as April 2019; the same group has also exploited the Microsoft Outlook vulnerability CVE-2023-23397.
GooseEgg itself is a launcher: once the Print Spooler exploit gives it SYSTEM privileges, it runs further payloads with those privileges, which the threat actor used to steal credentials and other information from the compromised system. Microsoft fixed CVE-2022-38028 in the October 2022 security updates, so the exploit only works against hosts that have not applied that update.
2) BlackTech (Earth Hundun)
Trend Micro shared information on the activities of the BlackTech group, which is active in the Asia-Pacific region.[2] The group has used malware such as Waterbear and Deuterbear against government organizations and technology companies.
Since 2009, more than 10 versions of Waterbear have appeared, each using various evasion and anti-analysis techniques. The recent versions rely on obfuscation and loading techniques that include DLL side-loading and a custom decryption routine, and the downloader uses anti-memory-scanning and encryption to bypass security products.
Deuterbear, first found in 2022, is derived from Waterbear, but it differs enough (including anti-memory-scanning and a changed decryption routine) that Trend Micro tracks it as separate malware rather than as another Waterbear version.
3) Earth Freybug
Trend Micro discovered the Earth Freybug group using the Unapimon malware.[3] Earth Freybug is believed to be a subgroup of APT41.
In its recent activity the group injected code into vmtoolsd.exe, the VMware Tools process, and used it to create a scheduled task that runs a file named cc.bat. The first cc.bat collects system information and saves the results to a text file. A second cc.bat copies a previously dropped file to %System%\TSMSISrv.DLL and manipulates the SessionEnv service so that the service loads this DLL.
Unapimon evades detection and monitoring by unhooking APIs: it loads a clean copy of the target DLL from disk, compares the exported functions with the copy already loaded in the process, and restores the original bytes wherever a security product has placed an inline hook, so that the monitoring code is no longer called.
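The comparison that API unhooking of this kind relies on, shown as an added example written for this report (it is not Unapimon's code and not from Trend Micro). The "module images" below are constructed byte arrays with a made-up export table rather than real DLLs; a real implementation maps the DLL from disk, walks its export directory, accounts for relocations and changes page protection before writing. The prologue length and the JMP-based hook are assumptions about how a typical inline hook looks.

```python
"""Find and remove inline hooks by comparing a loaded module's exports with a
clean copy of the same module (added example; not from the report or Trend Micro)."""

PROLOGUE_LEN = 16  # assumption: inline hooks patch the first 5 to 16 bytes of a function


def jmp_rel32_target(rva, code):
    """If code starts with a JMP rel32 (E9 + 4-byte signed displacement), return the
    RVA it jumps to. Inline hooks placed by monitoring products usually look like this."""
    if len(code) >= 5 and code[0] == 0xE9:
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return rva + 5 + disp
    return None


def find_hooks(loaded, clean, exports):
    """loaded/clean: bytearrays with the same layout; exports: name -> RVA.
    Returns, for every export whose prologue differs from the clean copy, the
    original bytes, the patched bytes and the hook's jump target (if it is a JMP)."""
    hooks = {}
    for name, rva in exports.items():
        live = bytes(loaded[rva:rva + PROLOGUE_LEN])
        pristine = bytes(clean[rva:rva + PROLOGUE_LEN])
        if live != pristine:
            hooks[name] = {"rva": rva, "original": pristine, "patched": live,
                           "jmp_target": jmp_rel32_target(rva, live)}
    return hooks


def unhook(loaded, clean, exports):
    """Write the clean prologue back over every hooked export; returns the names restored."""
    hooks = find_hooks(loaded, clean, exports)
    for h in hooks.values():
        loaded[h["rva"]:h["rva"] + PROLOGUE_LEN] = h["original"]
    return sorted(hooks)


def build_sample():
    """Constructed 4 KiB image with two exports. CreateProcessW has been inline-hooked
    with a 5-byte JMP to a trampoline at RVA 0x800, the way a monitoring product might."""
    clean = bytearray(b"\xCC" * 0x1000)
    exports = {"CreateProcessW": 0x100, "WriteFile": 0x200}
    # Illustrative stub bytes for the two functions (not the real Windows code).
    clean[0x100:0x110] = bytes.fromhex("4c8bd1b8b50000000f05c3cccccccccc")
    clean[0x200:0x210] = bytes.fromhex("4883ec28488bc1e8000000004883c428")
    loaded = bytearray(clean)
    trampoline = 0x800
    disp = trampoline - (0x100 + 5)
    loaded[0x100:0x105] = b"\xE9" + disp.to_bytes(4, "little", signed=True)
    return loaded, clean, exports


if __name__ == "__main__":
    loaded, clean, exports = build_sample()
    for name, h in find_hooks(loaded, clean, exports).items():
        print(f"{name}: hooked, jumps to RVA {h['jmp_target']:#x}")
    print("restored:", unhook(loaded, clean, exports))
    print("hooks left:", find_hooks(loaded, clean, exports))
```

The same comparison works in the other direction for defenders: if the hook bytes a security product placed in a process disappear, or a user-mode process maps a fresh copy of a system DLL from disk, that is the moment to alert.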
4) Kimsuky
Proofpoint reported that since December 2023 the Kimsuky group has been abusing weak Domain-based Message Authentication, Reporting and Conformance (DMARC) policies of the organizations it imitates in order to impersonate various figures.[4][5] When the imitated domain publishes no DMARC policy, or one set to p=none, receiving mail servers deliver messages that fail authentication, so the group can send mail that appears to come from that domain.
The phishing campaign centers on requests for opinions on topics such as nuclear disarmament, US-ROK policy, and sanctions. The group tailors the bait to each victim and often asks for the opinion in the form of an email reply or a formal research paper.
It usually impersonated individuals from well-known think tanks such as the Stimson Center and the Atlantic Council, as well as NGOs. The group included a web beacon in the mail for initial reconnaissance; the beacon confirmed that the recipient's email account was active and collected basic information about the recipient's environment.
Genians Security Center (GSC) found that the Kimsuky group has been using a multi-stage attack chain to evade security products.[6] The group hosts stages of the chain on Dropbox, a legitimate cloud service, so that its download and command-and-control traffic blends in with ordinary use.
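How an organization can tell whether its own domain is exposed to the direct spoofing described above, as an added example written for this report (not code from the report or from Proofpoint). The records and domains below are constructed samples, not real DNS data; a live check would fetch the TXT record at `_dmarc.<domain>` and pass it to `assess()`.

```python
"""Classify a DMARC record by how much it stops a third party from sending mail
with the domain in the From: header (added example; not from the report)."""

# Constructed sample records on placeholder domains (not real DNS data).
SAMPLE_RECORDS = {
    "lax-thinktank.example":     "v=DMARC1; p=none; rua=mailto:dmarc@lax-thinktank.example",
    "partial-thinktank.example": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@partial-thinktank.example",
    "quarantine-ngo.example":    "v=DMARC1; p=quarantine; sp=none; adkim=r; aspf=r",
    "strict-thinktank.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict-thinktank.example",
    "no-policy.example":         None,           # no _dmarc TXT record published at all
    "malformed.example":         "v=spf1 -all",  # an SPF record published in the DMARC location
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lowercase tags. Returns None
    unless the record is usable: it must carry v=DMARC1 and a p tag."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(record, subdomain=False):
    """Return (verdict, reason). For a subdomain the sp tag overrides p when present;
    pct below 100 means receivers enforce the policy on only that share of failing mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return "spoofable", "no usable DMARC record: receivers apply no policy"
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "spoofable", "p=none only requests reports; mail that fails alignment is still delivered"
    if policy not in ("quarantine", "reject"):
        return "spoofable", f"unknown policy '{policy}' is treated as none"
    if pct < 100:
        return "partially protected", f"p={policy} is enforced on only {pct}% of failing mail"
    if policy == "quarantine":
        return "protected", "p=quarantine: failing mail is sent to spam instead of the inbox"
    return "protected", "p=reject: failing mail is refused"


def hardened_record(domain):
    """The record to publish once every legitimate sender for the domain passes SPF or
    DKIM with alignment (assumption: that groundwork is done, otherwise start at p=none
    with reports and tighten from there)."""
    return f"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@{domain}"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, reason = assess(record)
        print(f"{domain:28} {verdict:21} {reason}")
    print("subdomain of quarantine-ngo.example:",
          assess(SAMPLE_RECORDS["quarantine-ngo.example"], subdomain=True))
```

A strong policy closes only direct spoofing of the organization's own domain. Impersonation through a lookalike domain registered by the attacker, or through a free webmail account whose display name matches a real researcher, passes DMARC for the sending domain and must be caught by other means.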
5) Lazarus
Avast discovered a cyberattack by the Lazarus group carried out in the summer of 2023.[7] The attack targeted individuals in certain Asian regions using fake job offers, and the threat actors put considerable effort into evading existing security measures.
The attack began with the Lazarus group contacting the target through social engineering. A fake job offer, presented as a legitimate opportunity, served as the pretext for starting a conversation, and the group then used LinkedIn, WhatsApp, and email to deliver malicious ISO files.
Because Windows mounts an ISO image as a virtual drive as soon as the user opens it, the malicious contents were ready to run without any extraction step. When the victim runs AmazonVNC.exe from the mounted image, it loads the accompanying malicious DLL, and the RollFling loader contained in the ISO starts a chain that decrypts and executes the KaolinRAT malware.
KaolinRAT establishes an encrypted communication channel with the C&C server and executes a range of commands, giving the threat actors remote control and the ability to exfiltrate data. Across the attack chain the Lazarus group used evasion techniques such as encryption, compression, and steganography to conceal its activity and bypass security measures.
6) MuddyWater
HarfangLab reported that the MuddyWater group, believed to be supported by Iran, is using legitimate remote monitoring and management (RMM) tools in attacks on airlines, IT, telecommunications, pharmaceutical, automotive, logistics, travel and tourism, and recruitment companies, immigration agencies, and small businesses in Israel, India, Algeria, Türkiye, Italy, and Egypt.[8]
The RMM tools MuddyWater has used in its attacks include ScreenConnect, Syncro, SimpleHelp, Remote Utilities, and Atera Agent.
In this campaign MuddyWater delivered a link to an Atera Agent installer through spear-phishing emails. The group registered free trial Atera accounts using compromised email accounts. Because the Atera platform itself provides remote control of the enrolled host, the threat actor needs no separate C2 infrastructure, and the agent's traffic to a legitimate vendor is unlikely to be blocked on its own.
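Because the traffic looks legitimate, the practical detection point is the endpoint: an RMM agent appearing on a host where no RMM product is sanctioned, or an installer launched from a mail client or browser. The following is an added example written for this report (not from HarfangLab or the report) that runs such a check over process-creation events. The events are constructed samples; the binary names and the `IntegratorLogin=` installer parameter are taken from public product documentation and should be treated as assumptions to verify against your own telemetry, and the approved-product list is a placeholder for your organization's own.

```python
"""Flag RMM agent installs and launches that do not match the organization's sanctioned
tool or that were started from a user-facing application (added example, not from the report)."""
import re

# Process names and command-line markers of the RMM products named above.
# Assumption: these names match current builds; verify against your own environment.
RMM_INDICATORS = {
    "Atera":            [r"ateraagent\.exe", r"integratorlogin="],
    "ScreenConnect":    [r"screenconnect\.clientservice\.exe", r"screenconnect\.windowsclient\.exe"],
    "Syncro":           [r"syncro\.service\.exe", r"syncro\.overmind\.service\.exe"],
    "SimpleHelp":       [r"remote access\.exe", r"jwrapper-remote access"],
    "Remote Utilities": [r"rutserv\.exe", r"rfusclient\.exe"],
}
APPROVED_RMM = {"ScreenConnect"}  # placeholder: the organization's sanctioned product
USER_LAUNCHERS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\", re.I)

# Constructed process-creation events (fields modelled on Sysmon event 1 / Windows 4688).
SAMPLE_EVENTS = [
    {"ts": "2024-04-03T09:14:02Z", "host": "WS-117", "user": "acme\\j.doe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\j.doe\\Downloads\\setup.msi /qn "
                "IntegratorLogin=trial-user@example.net CompanyId=1"},
    {"ts": "2024-04-03T09:14:40Z", "host": "WS-117", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
     "cmdline": "\"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe\""},
    {"ts": "2024-04-03T09:20:11Z", "host": "SRV-02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe",
     "cmdline": "\"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe\""},
    {"ts": "2024-04-03T09:21:00Z", "host": "WS-042", "user": "acme\\m.lee",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def classify(event):
    """Return the RMM product an event belongs to, or None."""
    haystack = (event["image"] + " " + event["cmdline"]).lower()
    for product, patterns in RMM_INDICATORS.items():
        if any(re.search(p, haystack) for p in patterns):
            return product
    return None


def triage(events):
    """Return one alert per RMM-related event that is unapproved, user-launched,
    or installed from a user-writable path; sanctioned agents started by the
    service control manager produce nothing."""
    alerts = []
    for ev in events:
        product = classify(ev)
        if product is None:
            continue
        reasons = []
        if product not in APPROVED_RMM:
            reasons.append(f"{product} is not an approved RMM product")
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        if parent in USER_LAUNCHERS:
            reasons.append(f"started from {parent}: user-initiated install, typical of phishing delivery")
        if USER_WRITABLE.search(ev["cmdline"]):
            reasons.append("installer staged in a user-writable directory")
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "product": product, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} {alert['product']}: " + "; ".join(alert["reasons"]))
```

The first sample event is the MuddyWater pattern in miniature: an Atera installer run from the mail client out of the Downloads folder with an unfamiliar account in the install parameters. Pair the endpoint check with an allow-list of the RMM vendor domains your own product uses, so that agent traffic to any other vendor stands out at the proxy.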
[1] https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
[2] https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html
[3] https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
[4] https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
[5] https://www.ic3.gov/Media/News/2024/240502.pdf
[6] https://www.genians.co.kr/blog/threat_intelligence/dropbox
[7] https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/
[8] https://harfanglab.io/en/insidethelab/muddywater-rmm-campaign/