Threat Trend Report on APT Groups – May 2024 Major Issues on APT Groups

The major APT group cases for May 2024, gathered from materials published by security companies and institutions, are as follows.

1.    Andariel

AhnLab SEcurity intelligence Center (ASEC) has been sharing various attack cases by the Andariel group against Korean targets.[1]

The Nestdoor backdoor that the Andariel group had used in past attacks was detected again. Nestdoor is malware developed in C++ that provides features such as file uploading/downloading, a reverse shell, and command execution. The recently detected Nestdoor used different C&C command numbers and had some features removed.

The newly discovered Dora RAT was developed in Golang and supports a reverse shell as well as file downloading and uploading. Dora RAT comes in two forms: a standalone executable and a variant that is injected into the Windows Explorer process. The threat actor even signed the malware with a valid certificate.

A keylogger and malware that steals clipboard contents were additionally installed, and a stealer that collects files from the system was also used. The proxy tools used in the attacks were similar to an open-source Socks5 proxy tool.

There were also attack cases using the SmallTiger malware against Korean defense, automobile parts, and semiconductor manufacturing companies.[2] While the initial compromise vector was not identified, the threat actor distributed SmallTiger within the company during lateral movement.

This attack was first detected in November 2023, and an examination of the malware discovered on the targeted systems revealed that it resembled a typical attack by the Kimsuky group. The difference from the Kimsuky group’s usual methods, however, is that the company’s software update program was abused for internal propagation. It is also notable that the backdoor ultimately installed was DurianBeacon, which had been identified in a past attack case by the Andariel group. The same threat actor resumed attacks in February 2024, and the final malware was changed to a downloader that the threat actor named SmallTiger.

In May 2024, evidence of an attack abusing K-System, an ERP solution from YoungLimOne Softlab, was found.[3] The infection appears to have occurred through the K-System update server, and the affected systems were infected with the Xctdoor backdoor developed in Golang.

Cisco Talos released information on the LilacSquid group, which has been attacking various industries since 2021, including IT companies in the US, the energy sector in Europe, and the pharmaceutical field in Asia.[4] The group exploited a known vulnerability in an application server and exfiltrated RDP account credentials. The threat actor usually controls the infected system using MeshAgent and PurpleInk, a customized version of QuasarRAT. Many of the tactics, techniques, and procedures (TTPs) of this attack are similar to those of the Andariel group.

2.    APT28

CERT Polska (CSIRT NASK) and the CSIRT MON team announced that the APT28 group, believed to have ties with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), attacked a Polish government organization.[5]

The attack began with a phishing email whose content lured the recipient into clicking the provided link. The link in the email redirects to run.mocky.io, a free service used by developers to create and test APIs, from which a ZIP file that appears to contain image files is downloaded.

The ZIP file contains a legitimate Windows Calculator executable used for DLL side-loading, a malicious DLL, and a BAT file. When the user runs the EXE file, mistaking it for an image file, the malicious DLL, WindowsCodecs.dll, is loaded and the BAT file is executed. The BAT file launches the Microsoft Edge browser and loads a Base64-encoded page from webhook.site. The final script that is executed collects information from the infected computer and sends it to the command and control (C&C) server.
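The archive layout described above (a legitimate EXE, a DLL carrying the name of a Windows system DLL, and a batch script in one folder) is something a mail gateway or analyst can check for before the user ever opens the file. The following is an added example written for this report, not code from ASEC or CERT Polska, that inspects a ZIP archive for that combination. It assumes the loader's application-directory-first search order (which is why a `WindowsCodecs.dll` beside an application outside the Windows directory is a side-loading indicator), and it assumes, as an illustration only, that the "image file" disguise was done with a double extension such as `.jpg.exe`; the page does not say how the disguise was done. The sample archives are constructed in memory with placeholder bytes.

```python
"""Hunting check for the DLL side-loading archive layout described above.

Added example (not ASEC's or CERT Polska's code). Flags ZIP archives that
bundle an executable with a DLL named like a Windows system DLL in the same
directory, optionally with a batch script, plus executables whose names
imitate an image file.
"""
import io
import zipfile
from pathlib import PureWindowsPath

# Windows system DLL names commonly abused for side-loading. Only
# WindowsCodecs.dll is named on the page; the others are an assumption
# (hypothetical starter list, extend from your own environment).
SYSTEM_DLL_NAMES = {
    "windowscodecs.dll",
    "version.dll",
    "dbghelp.dll",
    "wtsapi32.dll",
}

# Image extensions used to spot "photo.jpg.exe"-style lures (assumption:
# the page only says the EXE was mistaken for an image).
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def classify_members(names):
    """Group archive member names by role: exe, system-named dll, script, image lure."""
    groups = {"exe": [], "sysdll": [], "script": [], "image_lure": []}
    for name in names:
        lower = PureWindowsPath(name).name.lower()
        if lower.endswith(".exe"):
            groups["exe"].append(name)
            if lower[:-4].endswith(IMAGE_EXTS):
                groups["image_lure"].append(name)
        elif lower.endswith(".dll") and lower in SYSTEM_DLL_NAMES:
            groups["sysdll"].append(name)
        elif lower.endswith((".bat", ".cmd")):
            groups["script"].append(name)
    return groups


def sideload_indicators(zip_bytes):
    """Return a list of human-readable indicators found in a ZIP given as bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    groups = classify_members(names)
    findings = []

    # A system-named DLL only matters when it sits in the same directory
    # as an EXE: that is where the loader looks before System32.
    exe_dirs = {str(PureWindowsPath(n).parent) for n in groups["exe"]}
    for dll in groups["sysdll"]:
        if str(PureWindowsPath(dll).parent) in exe_dirs:
            findings.append(f"system-named DLL beside an EXE: {dll}")

    # A batch script next to a side-loading pair is the launcher stage seen above.
    if findings and groups["script"]:
        findings.append("batch script bundled with side-loading pair: "
                        + ", ".join(groups["script"]))

    for exe in groups["image_lure"]:
        findings.append(f"executable named like an image: {exe}")
    return findings


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: placeholder bytes, not real binaries.
SUSPICIOUS_ZIP = build_sample_zip({
    "photos/IMG_0427.jpg.exe": b"MZ placeholder (constructed, not a real binary)",
    "photos/WindowsCodecs.dll": b"MZ placeholder (constructed)",
    "photos/show.bat": b"@echo off\r\nrem constructed placeholder\r\n",
})
BENIGN_ZIP = build_sample_zip({
    "photos/IMG_0427.jpg": b"\xff\xd8\xff placeholder (constructed)",
})

if __name__ == "__main__":
    for label, archive in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, sideload_indicators(archive))
```

Run as a script it prints three indicators for the constructed suspicious archive and none for the benign one. In practice the same check fits into a mail gateway's attachment pipeline or a triage script over quarantined downloads; the system-DLL list is the part to tune, since any DLL that a signed application loads by name from its own directory is a candidate.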

Recorded Future’s Insikt Group recently identified APT28 conducting a multi-stage espionage campaign against major European networks.[6] The group targeted Yahoo and UKR.net users as well as users of exclusive email servers, with its main targets being the Ukrainian Ministry of Defense, a European railway infrastructure company, and an Azerbaijani think tank. It abused services such as GitHub, Mocky, and InfinityFree to distribute the Headlace malware, and bypassed 2FA using a credential theft page along with legitimate services and routers. It also hosted a redirection script on GitHub and InfinityFree.

3.    APT31

The Inter-Parliamentary Alliance on China (IPAC) announced that six Australian senators and six members of the House of Representatives were targeted by the APT31 group, which is believed to be sponsored by the Chinese government.[7]

Starting in 2021, APT31 sent attack emails to the parliamentary email addresses of Australian members of parliament and senators from a domain disguised as a news outlet. Although the Australian intelligence agency and the FBI alerted the Australian government to this, the Australian government decided not to alert the targeted legislators.

The 20 Australian parliamentarians who are members of IPAC only learned of the attack attempt when the US Department of Justice announced the prosecution of seven Chinese hackers in April 2024. Following this, they requested an explanation from the Australian government as to why they had not been alerted.

4.    APT42

Google Mandiant announced that the APT42 group, which is believed to have ties with Iran, has been expanding a campaign that combines complex social engineering techniques and malware against various organizations and individuals in Western countries and the Middle East.[8]

The group gained the trust of reporters, researchers, NGO leaders, human rights activists, and individuals deemed threats to the Iranian government by sending phishing emails posing as reporters, event hosts, and legitimate services, and then collected account credentials for Microsoft, Yahoo, and Google. The collected credentials were used to access the victims’ networks, particularly cloud environments, and to exfiltrate strategically important data.

The group distributed customized backdoors such as NICECURL and TAMECAT to gain initial access and exfiltrate sensitive data. APT42 also employed defense evasion techniques such as using built-in features of cloud environments, deleting browser history, and using anonymized infrastructure to interact with the victim’s network.

[1] https://asec.ahnlab.com/en/66088/

[2] https://asec.ahnlab.com/en/66546/

[3] https://atip.ahnlab.com/intelligence/view?id=97d2a40c-7600-4c58-9d5a-e84da811cb39

[4] https://blog.talosintelligence.com/lilacsquid/

[5] https://cert.pl/en/posts/2024/05/apt28-campaign

[6] https://www.recordedfuture.com/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp

[7] https://twitter.com/ipacglobal/status/1787252282716770360

[8] https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations?hl=en