Monthly Threat Actor Group Intelligence Report, November 2024

This article summarizes the activities of 11 cybercrime groups observed operating online in November 2024. These groups engage in a range of malicious activities, including stealing financial information, distributing ransomware, and conducting phishing attacks.

Affected Platform: Online environments

Key points:

  • 11 cybercrime groups identified: SectorJ09, SectorJ25, SectorJ39, SectorJ72, SectorJ85, SectorJ90, SectorJ109, SectorJ149, SectorJ165, SectorJ175, SectorJ191.
  • The groups target online information with monetary value and engage in ransomware distribution and extortion.
  • SectorJ09 executed a FormJacking attack to steal credit card information.
  • SectorJ25 utilized Docker containers to spread malware, including CryptoMiner.
  • SectorJ39 installed a malicious driver to control security processes on target systems.
  • SectorJ72 used DLL malware for remote control via a C2 server hosted on an Onion domain.
  • SectorJ82 conducted Typosquatting attacks to collect user credentials.
  • SectorJ90 sent phishing emails with malicious document attachments to execute JavaScript malware.
  • SectorJ109 created a phishing site masquerading as a legitimate software download site.
  • SectorJ149 sent phishing emails with CAB files containing VBS malware to download additional malicious code.
  • SectorJ165 downloaded bot malware and ransomware via downloader JavaScript.
  • SectorJ175 employed Dragonforce Ransomware for financial gain.
  • SectorJ191 spread CoinMiner and Proxyware malware targeting Microsoft SQL Server.

MITRE Techniques:

  • FormJacking (T1203): SectorJ09 inserted obfuscated JavaScript to steal financial information.
  • Command and Control (T1071): SectorJ72 used an Onion domain for remote control of infected systems.
  • Credential Dumping (T1003): SectorJ82 collected user credentials through Typosquatting.
  • Malware Distribution (T1203): SectorJ90 executed JavaScript malware via phishing emails.
  • Phishing (T1566): SectorJ149 sent phishing emails with malicious attachments.
  • Remote Access Tools (T1219): SectorJ191 used Proxyware for remote control of systems.
  • Ransomware (T1486): SectorJ175 utilized Dragonforce Ransomware for extortion.

Indicators of Compromise:

  • [domain] onion[.]domain
  • [file name] malicious_document.doc
  • [file hash] VBS_file_hash
  • [ip address] 192.0.2.1
  • The entries above are generic placeholders illustrating the indicator types (192.0.2.1 falls in the RFC 5737 documentation range); see the full article for the actual IoCs.


Full Research: https://redalert.nshc.net/2025/01/08/monthly-threat-actor-group-intelligence-report-november-2024-kor/