Threat Trend Report on APT Groups – January 2024
Major Issues on APT Groups
1) APT28
Trend Micro revealed that the APT28 (Forest Blizzard, Pawn Storm) group executed NetNTLMv2 hash relay attacks exploiting the Outlook vulnerability (CVE-2023-23397) from April 2022 to November 2023 across various regions worldwide.[1]
The group targeted diplomatic, energy, national defense, transportation, labor, social welfare, financial, local council, central bank, court, national military, and fire department entities using compromised email accounts in the Middle East and Asia.
In November and December 2023, credential phishing attacks targeting European governments started. These attacks are believed to be associated with the previous NetNTLMv2 hash relay attacks.
2) Blackwood
ESET discovered a new APT group called Blackwood engaging in cyber espionage activities targeting individuals and businesses in China, Japan, and the UK.[2]
This group has been identified as active since at least 2018, and their attacks involve intercepting update requests from legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin.
NSPX30, the implant utilized in the attacks, performed adversary-in-the-middle (AitM) interception of these update requests. The threat group intercepted unencrypted HTTP traffic during software updates to deploy the NSPX30 network implant, their aims being to hide their infrastructure and to have their tools allowlisted by Chinese anti-malware solutions through packet interference.
The NSPX30 implant consists of multiple components, including a dropper, installer, loader, orchestrator, and backdoor. The NSPX30 implant is speculated to have originated from the backdoor of the 2005 “Project Wood”.
Blackwood is able to hide the location of its C&C infrastructure, and researchers suspect that network implants on routers or gateways are used to facilitate the AitM.
AhnLab confirmed that a variation of the malware used by the Blackwood group was active in the Korean region in 2021.
This information was presented at JSAC 2024.[3]
3) Callisto (ColdRiver, Star Blizzard)
Google Threat Analysis Group (TAG) disclosed the activities of the Callisto (ColdRiver, UNC4057, Star Blizzard) group targeting NGOs, former intelligence and military administrators, and NATO officials.[4]
The threat group often used accounts impersonating experts or targets in specific fields. The group would initially send a password-protected PDF file, and if the recipient responded that they could not read the document, the threat actors would send the SPICA backdoor disguised as a password decryption utility.
The SPICA backdoor is written in Rust and utilizes JSON via WebSockets for command and control (C2).
It includes features such as executing shell commands, stealing web browser information, uploading and downloading files, searching file system contents, and extracting documents.
4) Charming Kitten (Mint Sandstorm)
Microsoft announced that the Charming Kitten (APT35, Mint Sandstorm, PHOSPHORUS) group, associated with the Islamic Revolutionary Guard Corps (IRGC) of Iran, is conducting attacks targeting high-ranking officials in Belgium, France, the Gaza Strip, Israel, the United Kingdom, and the United States.[5]
The group impersonated notable figures, including journalists from news outlets, to solicit the targets' opinions on an article related to the Israel-Hamas conflict. Once trust was established, they sent a malicious email if the target agreed to review the article or document.
The RAR file sent under the guise of a document for review contains a malicious LNK file, which leads to the download of further files.
The information collected from the infected system was recorded in the documentLoger.txt file.
The MischiefTut and MediaPI malware were utilized in the attacks.
5) Kimsuky
Sangfor Qianlimu Security Technology Center disclosed an attack case involving the Kimsuky group utilizing LNK files.[6]
The names of the LNK files are related to the digital currency/financial sector, indicating a possibility that personnel in the related fields were targeted. The LNK files download and execute a second-stage payload named “ps.bin” via PowerShell commands, and the subsequent payload “r_enc.bin” is the Tutclient remote control component.
QiAnXin Threat Intelligence Center discovered a sample of an information theft attack disguised as a product installation program of the South Korean software company SGA.[7] The setup program secretly executes a malicious DLL file. The malicious DLL is written in Go. It collects various information from infected devices, sends it back to the threat actors, and erases traces of the attack.
[1] https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html
[2] https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/
[3] https://jsac.jpcert.or.jp/en/timetable.html
[4] https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
[5] https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
[6] https://mp.weixin.qq.com/s?__biz=Mzg2NjgzNjA5NQ==&mid=2247522061&idx=1&sn=22e56ee213d9e5229371ad3e082ebfab
[7] https://zhuanlan.zhihu.com/p/680534132