Threat Trend Report on APT Groups – February 2024
Major Issues on APT Groups
The major APT group cases for February 2024, gathered from materials made public by security companies and institutions, are as follows.
1) APT28
In January 2024, the United States government said it had shut down a botnet from the APT28 group suspected to be operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) in a court-authorized operation called Operation Dying Ember.[1]
The APT28 group used the Moobot malware to construct the botnet. The botnet was capable of displaying the physical location of information collection targets, collecting credentials and NT LAN Manager (NTLM) v2 hashes through customized scripts, and hosting spear phishing landing pages and other customized tools for brute force password cracking.
The spear phishing campaigns waged by the hacking group also used a zero-day vulnerability in Outlook (CVE-2023-23397) to steal login credentials and send them to the router.
2) Earth Lusca
Trend Micro revealed in its publication that the Earth Lusca group used the issue of China-Taiwan relations to attack.[2]
The attacker sent a phishing email that used a social-engineering lure about China-Taiwan relations, with an attached archive named China_s gray zone warfare against Taiwan.7z. Inside the 7z file was a folder containing Windows shortcut files and a __MACOS subfolder in which the malware was hidden.
Noteworthy is the connection to the Chinese company i-Soon. In mid-February 2024, internal information from i-Soon, which worked with Chinese law enforcement and government agencies to produce hacking-related programs, was leaked and published on GitHub.[3] The victims, malware, and tools in the leaked data, as well as the company's location in Chengdu City, Sichuan Province, China, match what is known about the Earth Lusca group.
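The archive layout described above (shortcut files at the top level, payloads tucked into a hidden __MACOS-style folder) is something an analyst can screen for before anything is opened. The following is an added triage helper written for this report, not code from Trend Micro or AhnLab: it walks an archive's member listing (the paths `7z l` would print) and flags shortcut files, shortcuts disguised as documents, and executable content inside hidden directories. The listing is constructed; apart from the archive name quoted in the report, every path is hypothetical.

```python
"""Added example (not from the Trend Micro report or AhnLab): heuristic triage
of a lure archive's member listing for the traits described above, namely
Windows shortcut (.lnk) files at the top level and payloads hidden in a
__MACOS-style subfolder. The listing below is constructed; apart from the
archive name quoted in the report, every path is hypothetical."""
import os
from dataclasses import dataclass

HIDDEN_DIR_NAMES = {"__macos", "__macosx"}   # Mac resource folders abused as hiding places
PAYLOAD_EXTS = {".exe", ".dll", ".bin", ".dat", ".ps1", ".vbs", ".js", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str


def _is_hidden_dir(name):
    return name.lower() in HIDDEN_DIR_NAMES or name.startswith(".")


def analyze_listing(members):
    """Return findings for a list of archive member paths (as `7z l` would list them)."""
    findings = []
    for member in members:
        parts = member.replace("\\", "/").split("/")
        filename = parts[-1]
        if not filename:                      # bare directory entry, nothing to inspect
            continue
        stem, ext = os.path.splitext(filename)
        ext = ext.lower()
        in_hidden_dir = any(_is_hidden_dir(d) for d in parts[:-1])
        if ext == ".lnk":
            # "report.pdf.lnk" is a shortcut dressed up as a document
            inner_ext = os.path.splitext(stem)[1].lower()
            rule = "shortcut_disguised_as_document" if inner_ext in DOC_EXTS else "shortcut_in_archive"
            findings.append(Finding(rule, member))
        elif in_hidden_dir and ext in PAYLOAD_EXTS:
            findings.append(Finding("payload_in_hidden_dir", member))
    return findings


def is_lure_archive(members):
    """Triage verdict: at least one shortcut plus a payload in a hidden directory."""
    rules = {f.rule for f in analyze_listing(members)}
    has_shortcut = bool(rules & {"shortcut_in_archive", "shortcut_disguised_as_document"})
    return has_shortcut and "payload_in_hidden_dir" in rules


# Constructed listing modelled on the description above (hypothetical file names).
SAMPLE_LISTING = [
    "China_s gray zone warfare against Taiwan/",
    "China_s gray zone warfare against Taiwan/China_s gray zone warfare against Taiwan.pdf.lnk",
    "China_s gray zone warfare against Taiwan/__MACOS/",
    "China_s gray zone warfare against Taiwan/__MACOS/._index.dat",
    "China_s gray zone warfare against Taiwan/__MACOS/loader.dll",
]

if __name__ == "__main__":
    for f in analyze_listing(SAMPLE_LISTING):
        print(f"{f.rule:32s} {f.path}")
    print("lure archive:", is_lure_archive(SAMPLE_LISTING))
```

The rules are deliberately coarse: a single `.lnk` in a document archive is unusual enough to warrant a look, and the combination of a shortcut with executable content in a hidden folder is what turns a "look" into a block.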
3) FlameSnake (APT-C-52)
360 revealed in a publication that the FlameSnake (APT-C-52) group has been carrying out attacks against Pakistan since 2021.[4]
The primary target of the FlameSnake group is Pakistan. The stolen data consist mostly of notification messages but also include photos, documents, contact lists, messages, and call logs.
The group used Facebook to obtain the contacts of its targets and distributed the download address of the malicious application through channels such as WhatsApp and SMS. In this way it induced the targets to install and use the malicious application, infecting them with malware and stealing sensitive information, including personal data.
The group attempted to obtain military intelligence from the victims' information and analyzed it by translating key documents with Google Lens.
The malicious application imitated the Yoohoo chat app developed by Opus Labs Works. It used Firebase Authentication for SMS-based authentication and stored user data in Firebase Storage.
The L3MON open source remote control tool was used to steal contact lists, call logs, messages, notification messages, installed application lists, and more, as well as files with specific file extensions and chat history from WhatsApp, WhatsAppBusiness, and Signal.
The attack code is managed in a remote repository named ChatApp on GitHub.
4) Gamaredon (Shuckworm)
Securonix confirmed a cyberattack against Ukrainian soldiers that appears to be the handiwork of the Gamaredon (Shuckworm) group.[5]
It uses a new PowerShell-based backdoor called “SUBTLE-PAWS” that propagates via USB drives. The attack was carried out through phishing emails that referenced Ukrainian cities and military terminology. In the initial stage, victims click on a shortcut file with a name like “ODESSA.lnk” or “LUGANSK.lnk” to start executing the PowerShell backdoor. This backdoor, called “SUBTLE-PAWS,” is delivered through a file with a name like “finance.bin.”
The SUBTLE-PAWS PowerShell script performs a number of tasks, including generating a unique machine identifier, establishing persistence through registry values, and communicating with the Command and Control (C2) server.
The backdoor can execute code dynamically, create shortcuts, run commands on the host, and spread laterally via USB drives.
The C2 server address is discovered dynamically through a Telegraph URL, which lets the attackers change the active connection address in real time. If the script fails to reach the C2 server over HTTPS, it deletes itself.
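The behaviours listed for SUBTLE-PAWS (PowerShell launched from a shortcut on a removable drive, persistence through registry values, and C2 discovery through a Telegraph URL) each leave a distinct host-side trace. The scanner below is an added example written for this report, not code from Securonix or AhnLab: it runs three defender-side rules over Sysmon-style process-creation, registry-set and network-connection events. The log lines are constructed and simplified to key=value form (the field names are Sysmon's, the format is not); host names, SIDs and file names other than "finance.bin" are hypothetical, and telegra.ph is used as the Telegraph domain.

```python
"""Added example (not from the Securonix advisory or AhnLab): three detection
rules over constructed Sysmon-style events, matching the SUBTLE-PAWS traits
described above. Field names are Sysmon's; the key=value line format is a
simplification for this example, and all sample values are constructed."""
import re
from dataclasses import dataclass

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
POWERSHELL_RE = re.compile(r'(?:^|\\)(?:powershell|pwsh)\.exe$', re.IGNORECASE)
NONSYSTEM_DRIVE_RE = re.compile(r'\b[D-Zd-z]:\\')   # heuristic: any volume other than C:
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\', re.IGNORECASE)
TELEGRAPH_HOSTS = {"telegra.ph"}                    # Telegraph publishing site used for C2 lookup


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_event(line):
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: (q if q else v) for k, q, v in KV_RE.findall(line)}


def is_powershell(image):
    return bool(POWERSHELL_RE.search(image))


def scan(log_text):
    """Apply the three rules and return one Finding per matching event."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_event(line)
        event_id, image = ev.get("EventID"), ev.get("Image", "")
        if not is_powershell(image):
            continue
        if event_id == "1":     # process creation
            parent = ev.get("ParentImage", "").lower()
            launched_from = ev.get("CommandLine", "") + " " + ev.get("CurrentDirectory", "")
            # explorer.exe as parent means a user double-clicked something (e.g. a .lnk);
            # a non-system drive in the path is the removable-media hint
            if parent.endswith("\\explorer.exe") and NONSYSTEM_DRIVE_RE.search(launched_from):
                findings.append(Finding("powershell_from_shortcut_on_removable_drive", n, ev.get("CommandLine", "")))
        elif event_id == "13":  # registry value set
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                findings.append(Finding("run_key_persistence_by_powershell", n, target))
        elif event_id == "3":   # network connection
            host = ev.get("DestinationHostname", "").lower()
            if host in TELEGRAPH_HOSTS:
                findings.append(Finding("powershell_c2_lookup_via_telegraph", n, host))
    return findings


# Constructed sample events: line 2 is a benign vendor updater and line 5 is a
# browser visiting the same site, included so the rules are seen not to fire on them.
SAMPLE_LOG = "\n".join([
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CurrentDirectory=E:\ CommandLine="powershell.exe -w hidden -ep bypass -f E:\finance.bin"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage="C:\Program Files\Vendor\updater.exe" CurrentDirectory=C:\ProgramData\Vendor CommandLine="powershell.exe -File C:\ProgramData\Vendor\update.ps1"',
    r'EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details="powershell.exe -w hidden -f C:\Users\Public\finance.bin"',
    r'EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=telegra.ph DestinationPort=443',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationHostname=telegra.ph DestinationPort=443',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Each rule on its own produces noise (administrators do launch PowerShell from shortcuts, and Run keys are written by legitimate installers); the value is in correlating the three on one host within a short window, which is what the self-deleting, HTTPS-only behaviour described above is designed to leave little time for.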
[1] https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
[2] https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html
[3] https://atip.ahnlab.com/intelligence/view?id=f98c0c29-f72a-4960-9733-852d9eca114e
[4] https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247493844&idx=1&sn=c0f7fb39db6a01860503675e42c89c06
[5] https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/