2023 Dec. – Threat Trend Report on APT Groups
The notable cases of major APT groups for December 2023, gathered from materials published by security companies and institutions, are as follows.
1) Andariel
The Seoul Metropolitan Police Agency announced that the Andariel group attacked 14 targets in Korea, including defense industry companies, IT security companies, research centers, and educational institutes, earning 470 million won (about $352,390) in the process.[1]
Cisco Talos shared details of the Andariel group’s Operation Blacksmith campaign.[2] The group targeted manufacturing, agricultural, and physical security companies in South America and Europe by exploiting the Log4j vulnerability (Log4Shell, CVE-2021-44228). The HazyLoad proxy tool and the DLang-based NineRAT, BottomLoader, and DLRAT malware were used in this campaign; NineRAT uses a Telegram channel for its command and control (C2) communications.
2) APT28
Proofpoint has been tracking phishing campaigns by APT28 (TA422) since March 2023.[3] The group exploited a privilege escalation vulnerability in Microsoft Outlook (CVE-2023-23397) and a remote code execution vulnerability in WinRAR (CVE-2023-38831) against the education, government, manufacturing, and aerospace sectors in Europe and North America. In late summer 2023, APT28 emails carried appointment attachments in Transport Neutral Encapsulation Format (TNEF). The TNEF files used fake extensions to pose as CSV, Excel, or Word files and contained a UNC path pointing at an SMB listener hosted on a likely compromised Ubiquiti router; when Outlook followed the path it authenticated with NTLM, leaking the target’s password hash to the listener.
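The two observable artifacts in that chain, a TNEF attachment wearing a foreign extension and a UNC path buried in its attributes, can be triaged without Outlook. The following scanner is an added example, not code from the report or from Proofpoint: it walks the MS-OXTNEF container layout (signature, 2-byte key, then a sequence of [level:1][attribute id:4][length:4][data][checksum:2], all little-endian), verifies each attribute checksum, and flags any payload containing a UNC path in ASCII or UTF-16LE. It does not decode the nested MAPI property stream, so it is a triage check rather than a full parser. The sample TNEF at the bottom is constructed here, and 192.0.2.10 is a documentation address standing in for a listener.

```python
"""Heuristic scanner for TNEF appointment attachments carrying UNC paths.

Added example; not code from the report or from Proofpoint. The constants
follow MS-OXTNEF; the sample stream is constructed for this example.
"""
import re
import struct

TNEF_SIGNATURE = 0x223E9F78
ATT_TNEF_VERSION = 0x00089006   # atpDword | attTnefVersion
ATT_MAPI_PROPS = 0x00069003     # atpByte  | attMAPIProps (carries the reminder properties)
LVL_MESSAGE = 0x01

# \\host\share... as 8-bit text, and the same shape as UTF-16LE code units.
UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00\r\n<>|]{1,200}")
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[A-Za-z0-9._-]\x00)+\\\x00(?:[^\x00]\x00){1,200}")


def tnef_checksum(data: bytes) -> int:
    """TNEF attribute checksum: 16-bit sum of the data bytes."""
    return sum(data) & 0xFFFF


def build_attribute(level: int, attr_id: int, data: bytes) -> bytes:
    return (struct.pack("<BII", level, attr_id, len(data))
            + data + struct.pack("<H", tnef_checksum(data)))


def build_tnef(attributes) -> bytes:
    """Assemble a minimal TNEF stream (used here only to construct the sample)."""
    out = struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
    out += build_attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    for level, attr_id, data in attributes:
        out += build_attribute(level, attr_id, data)
    return out


def is_tnef(blob: bytes) -> bool:
    return len(blob) >= 6 and struct.unpack_from("<I", blob, 0)[0] == TNEF_SIGNATURE


def mislabeled_tnef(filename: str, blob: bytes) -> bool:
    """True when the bytes are TNEF but the file name claims a different type."""
    return is_tnef(blob) and not filename.lower().endswith((".dat", ".tnef"))


def iter_attributes(blob: bytes):
    """Yield (level, attr_id, data, checksum_ok) for each attribute in stream order."""
    if not is_tnef(blob):
        raise ValueError("not a TNEF stream")
    pos = 6                                  # skip signature and legacy key
    while pos + 9 <= len(blob):
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("truncated attribute at offset %d" % pos)
        data = blob[pos:pos + length]
        (stored,) = struct.unpack_from("<H", blob, pos + length)
        pos += length + 2
        yield level, attr_id, data, stored == tnef_checksum(data)


def find_unc_paths(blob: bytes):
    """Return [(level, attr_id, path, checksum_ok)] for every UNC path found."""
    hits = []
    for level, attr_id, data, ok in iter_attributes(blob):
        for m in UNC_ASCII.finditer(data):
            hits.append((level, attr_id, m.group(0).decode("latin-1"), ok))
        for m in UNC_UTF16.finditer(data):
            hits.append((level, attr_id, m.group(0).decode("utf-16-le"), ok))
    return hits


# Constructed sample: a message-level attMAPIProps payload that simply embeds a
# UTF-16LE UNC path (a real one would be a full MAPI property stream).
SAMPLE_TNEF = build_tnef([
    (LVL_MESSAGE, ATT_MAPI_PROPS,
     b"\x00" * 8 + "\\\\192.0.2.10\\cal\\reminder.wav".encode("utf-16-le") + b"\x00\x00"),
])

if __name__ == "__main__":
    print("mislabeled:", mislabeled_tnef("schedule.csv", SAMPLE_TNEF))
    for level, attr_id, path, ok in find_unc_paths(SAMPLE_TNEF):
        print("level=%d attr=0x%08x checksum_ok=%s path=%s" % (level, attr_id, ok, path))
```

Run it over every attachment regardless of its extension: the signature check, not the file name, decides whether the scan applies, which is exactly the gap the fake CSV/Excel/Word extensions exploit. A UNC hit in a calendar item's properties is worth an alert on its own; the host part tells you where the NTLM authentication would have gone.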
IBM X-Force reported that APT28 has been running a cyber espionage campaign that uses lures themed on the Israel-Hamas conflict to deliver the Headlace backdoor.[4] Targets included entities in at least 13 countries: Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania.
In December 2023, CERT-UA identified email attacks against Ukrainian government organizations.[5] The MASEPIE malware, written in Python, downloaded additional malware and tools such as OpenSSH, STEELHOOK, and OCEANMAP, while IMPACKET and SMBEXEC were installed in the initial stage to scan the network and attempt further intrusion. The WinRAR remote code execution vulnerability (CVE-2023-38831) was also used, with Headlace backdoor infections occurring in some of the attacks.
3) APT29
Fortinet’s incident response team[6] and CERT Polska[7] reported that a group believed to be APT29 exploited a TeamCity vulnerability (CVE-2023-42793) to attack targets in the medical manufacturing industry. The intrusion used a custom-built Python exploit script for CVE-2023-42793, and the behavior of the post-exploitation malware matches the GraphicalProton malware previously attributed to APT29.
4) Calisto (Star Blizzard)
Microsoft and government agencies of the UK, US, Canada, Australia, and New Zealand reported that the Calisto (Star Blizzard) group continues to focus on stealing email credentials from targets involved in defense and diplomatic policy toward Russia, international relations research, support for Ukraine, and similar areas.[8]
Calisto’s tactics for improving detection evasion include server-side scripts, email marketing platform services, a DNS provider used to obscure the IP addresses of its infrastructure, password-protected PDF lures, links to PDF files hosted on cloud-based file sharing platforms, and a more randomized domain generation algorithm (DGA).
The US and UK governments sanctioned two Russian nationals, Ruslan Peretyatko and Andrey Korinets, for their involvement in Calisto’s operations, and the US Department of Justice indicted them.[9] Sekoia published findings that corroborate the Reuters investigation identifying Korinets as a Calisto associate.[10]
5) Kasablanka
360 identified activity attributed to Kasablanka.[11] The group attacked targets in the Nagorno-Karabakh region, which is disputed between Azerbaijan and Armenia.
The group distributed VenomRAT using a multi-stage delivery mechanism, obfuscation, and targeted social engineering. The threat actor patched AmsiScanBuffer() in amsi.dll to bypass the Antimalware Scan Interface (AMSI) and patched EtwEventWrite() in ntdll.dll to disable Event Tracing for Windows (ETW).
[1] https://www.smpa.go.kr/user/nd42986.do?View&uQ=&pageST=SUBJECT&pageSV=&imsi=imsi&page=1&pageSC=SORT_ORDER&pageSO=DESC&dmlType=&boardNo=00300907&returnUrl=https://www.smpa.go.kr:443/user/nd4
[2] https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
[3] https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
[4] https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
[5] https://cert.gov.ua/article/6276894
[6] https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793
[7] https://cert.pl/en/posts/2023/12/apt29-teamcity
[8] https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/
[9] https://home.treasury.gov/news/press-releases/jy1962
[10] https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/
[11] https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247494512&idx=1&sn=151caeb7b46c3a6a58af714a576a8442