Monthly Threat Actor Group Intelligence Report, November 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from October 21 to November 20, 2019.

1. SectorA Activity Features

A total of five hacking groups, SectorA01, SectorA02, SectorA03, SectorA04 and SectorA05 groups were discovered among SectorA groups this November. SectorA01 group’s hacking activity was found in areas including the United Kingdom, South Korea, India, Ukraine, Singapore, Italy and Netherlands. SectorA02 group’s hacking activity was found in areas including the United States, South Korea, India and Japan. SectorA03 group’s hacking activity was found in areas including the United Kingdom, Hong Kong, United States, China and Singapore. SectorA04 group’s hacking activity was found in areas including Finland, Israel, India, South Korea, Thailand, United States, Russia, Japan and Philippines. Hacking activity of the SectorA05 group was found in Ukraine and South Korea.

The SectorA01 group used a spear phishing email with a malicious Microsoft Word document attached. The malicious document contains a macro script that generates a DLL using Base64 encoded data at the end of the document.

The SectorA02 group used malware in the Hangul (HWP) file format written with various themes such as presidential election announcements, resumes, and cryptocurrency in spear phishing emails. Hangul malware used for hacking is the same as those found previously, and the embedded EPS (Encapsulated Postscript) object performs malicious functions when executed.

The SectorA03 group created decoy files with the theme of New Year’s greetings, holidays related to South Korea, news articles or images related to South Korea and North Korea. They used spear phishing emails with malware disguised as images, documents, and screensaver files. When the malware is executed, the normal images or documents are displayed, and the payload stored in the resource section of the file gets executed.

The SectorA04 group targeting the Kudankulam Nuclear Power Plant (KKNPP) located in India used the DTrack malware for the purpose of collecting information. The plant-related IP and account information was hard coded in the malware.

The SectorA05 group consistently used spear phishing emails with malware in the form of Korean files for attacks. The malware found in this activity was disguised as discussion document.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about political and diplomatic activities of South Korea and to steal money from financial organization all around the world. This purpose has remained the same for a long time and is expected to continue without change for the time being.

2. SectorB Activity Features

A total of two hacking groups SectorB08 and SectorB22 were discovered among SectorB groups this November. SectorB08 group’s hacking activity was found in areas including the United Kingdom and Vietnam. Hacking activity of the SectorB22 group was found in Cambodia, Ukraine, Vietnam, Tibet, Germany, Peru, Philippines, Turkey, South Korea, United States and Japan.

The SectorB08 group targeted technology companies using an open source backdoor called “PcShare”.

The SectorB22 group used spear phishing attacks using malicious documents and macro scripts.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups SectorC01, SectorC06 and SectorC08 were discovered among SectorC groups this November. SectorC01 group’s hacking activity was found in areas including Kazakhstan. SectorC06 group’s hacking activity was found in areas including China, Kazakhstan and Netherlands. SectorC08 group’s hacking activity was found in areas including Italy, Bulgaria, United States and Ukraine.

The SectorC01 group used a spear phishing email with a Microsoft Word file attached. The malicious document was distributed to target large mining companies in Kazakhstan.

The SectorC06 group used past news article that Telegram could be banned in Kazakhstan as bait. This malware used is similar to the malware discovered in the past, which allowed remote access to infected computers. In this hacking activity, malware in the form of compressed files, and executables disguised with document file icons was found.

The SectorC08 group used spear phishing emails with malware in the form of Microsoft Word files. These files used Remote Template Injection.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located near to the government agencies supporting SectorC.

4. SectorD Activity Features

A total of one hacking group, SectorD02, was discovered among SectorD groups this November. SectorD02 group’s hacking activity was found in areas including the United States, Iraq, China, South Korea, Canada, Iran and Kenya.

The Sector D02 group used Microsoft Excel file format malware with a password attached to a spear phishing email. This malware download the encoded JavaScript code that was being hosted on the hacked website. The JavaScript code would get downloaded, run as a subprocess through the “Wscript.exe” with modified file names. This hacking activity is similar as the one found last October.

SectorD groups conducted hacking activities targeting countries that are related to political rivals of SectorD. Their purpose is to collect high-level information such as political and diplomatic activities of people or nations opposed to the SectorD government.

5. SectorE Activity Features

A total of four hacking groups SectorE01, SectorE02, SectorE04 and SectorE05 were discovered among SectorE groups this November. SectorE01 group’s hacking activity was found in areas including China, Pakistan and Czechia. SectorE02 group’s hacking activity was found in areas including the Turkey, Turkmenistan, United Kingdom, France, and United States. SectorE04 group’s hacking activity was found in areas including Germany, Pakistan, China and Russia. SectorE05 group’s hacking activity was found in areas including the Pakistan, Iceland, Japan, Netherlands, India, Moldova, Germany, Luxembourg, United States, United Kingdom and China.

The SectorE01 group used spear phishing emails with malware in the form of Microsoft Word files. The malware contained a file in the Flash element of the document file, exploiting the CVE-2017-0261 vulnerability.

The SectorE02 group used a spear phishing email with an RTF file written in Greek attached, which was created with the CVE-2017-11882 vulnerability.

The SectorE04 group used a malware in the form of a Microsoft Word files containing a list of terrorist organizations. As before, the CVE-2017-11882 vulnerability was used in the malware.

The SectorE05 group used Remote Template Injection to download and execute malware from a specific server.

Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. However, recently they expanded their activity to East Asia and other regions, including China, as their activities to obtain high-level information on politics, diplomacy and technology of other countries increased.

6. SectorF Activity Features

The SectorF01 group was discovered among SectorF groups this November. SectorF01 group’s hacking activity was found in areas including Vietnam.

Similar to past activities, the SectorF01 group used RAR archives, and the archives included two files: a DLL file and an EXE file that had icons disguised as icons from Microsoft Word.

The executable file automatically loads the DLL file included in the RAR archive because of DLL Side Loading.

The SectorF01 group aims to gather high-level information including political, diplomatic and military activities in countries nearby. They also aim to steal advanced technical information to advance their country’s economic development.

7. SectorH Activity Features

The SectorH03 group was discovered among SectorH groups this November. SectorH03 group’s hacking activity was found in areas including India.

The SectorH03 group used malware in the form of Microsoft Excel file named “Social_Calendar.xls”. Malicious Excel files use macro scripts to generate compressed files using data located at the end of the file. The file is decompressed to generate and execute other malware on the infected computer.

The hacking activities of the SectorH group include hacking activity for both cybercrime and government support purposes. As diplomatic friction with neighboring continues increase, activities to gather high-level military and political information from them will also continue.

8. SectorL Activity Features

A total of one hacking group, SectorL01 was discovered among the SectorL groups this November. SectorL01 group’s hacking activity was found in areas including the United Kingdom.

The SectorL01 group used malware that creates a file which decodes its dynamically called API function names via a simple 1 byte XOR decoding function.

The SectorL group aims to gather high-level information including political, diplomatic and military activities in countries nearby. However, recently there has been an increasing share of activities to obtain high-level information on politics, diplomacy and technology of countries nearby.

9. SectorP Activity Features

A total of one hacking group, SectorP03 were discovered among the SectorP groups this November. The SectorP03 group’s hacking activity was found in areas including Russia, Germany, United Kingdom and United Arab Emirates.

The SectorP03 group used malware in the form of a document file. The malware contained content related to the Palestine elections.

The hacking activity of the SectorP group were directed against dissidents who oppose political activity by certain governments. The SectorP group aims to gather high-level information including political, diplomatic and military activities of persons or country against their government.

10. Cyber Crime Activity Features

A total of four cybercrime groups, SectorJ01, SectorJ03, SectorJ04 and SectorJ09 were discovered this November. The SectorJ01 group’s activity was found in areas including Portugal, Austria, Germany, Italy and South Korea. The SectorJ03 group’s activity was found in areas including the United States and China. The SectorJ04 group’s activity was found in areas including the United Arab Emirates, South Korea, Canada, Malaysia and China. The SectorJ09 group’s activity was found in areas including France, Czechia, Israel and United States.

The SectorJ01 group used spam emails with malware in the form of document file.

The SectorJ03 group used RARSFX files for infection. When opening the RARSFX file, both the malicious executable and document files compressed in RARSFX are run. The document file was disguised as news from a Pakistani news and entertainment TV network.

The SectorJ04 group used spam emails with malware targeting South Korea. The malware in the form of document files were disguised as contents of pay stubs and quotations, commonly including malicious macro scripts.

The SectorJ09 group inserted skimming codes on several online store sites, which are designed to steal user’s payment and personally identifiable information (PII).

The hacking activities of these groups, unlike other government-sponsored hacking groups, target valuable online information. They hacked specific companies and organizations then deploy Ransomware on their internal networks or threaten them to demand monetary payments after stealing important industry secrets.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.