Monthly Threat Actor Group Intelligence Report, December 2024 (kor) – Red Alert
This article discusses the activities of ten hacking groups observed in December, focusing on their financially motivated methods: ransomware, data theft, and phishing attacks. Affected: SectorJ09, SectorJ14, SectorJ25, SectorJ39, SectorJ47, SectorJ93, SectorJ115, SectorJ135, SectorJ149, SectorJ194

Keypoints:

  • Ten hacking groups identified in December include SectorJ09, SectorJ14, SectorJ25, SectorJ39, SectorJ47, SectorJ93, SectorJ115, SectorJ135, SectorJ149, and SectorJ194.
  • These groups focus on profit-making through theft of valuable online information and deploying ransomware on targeted organizations.
  • SectorJ09 executed formjacking attacks using skimming scripts on e-commerce payment pages.
  • SectorJ14 conducted phishing via SMS redirecting victims to fake Apple login pages.
  • SectorJ25 distributed obfuscated shell scripts for downloading additional malware on target systems.
  • SectorJ39 set up phishing websites and utilized exploits to deploy RomCom backdoor malware.
  • SectorJ47 used Windows shortcut files to download malicious files from external servers.
  • SectorJ93 sent phishing emails with compressed files containing HTA scripts to control victim systems remotely.
  • SectorJ115 targeted Linux servers and spread malware utilizing OpenSSL vulnerabilities.
  • SectorJ135 lured victims with resumes leading to downloads of malicious files that set up backdoors.
  • SectorJ149 deployed Windows shortcuts executing PowerShell commands to download remote access malware.
  • SectorJ194 used phishing emails to trick victims into executing harmful commands leading to backdoor installations.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Used to communicate with command and control (C2) servers via web sockets.
  • T1070.001 – Indicator Removal on Host: Obfuscation techniques were employed to evade detection through shell scripts.
  • T1499 – Endpoint Denial of Service: Indirectly performed through widespread system infections draining system resources.
  • T1046 – Network Service Discovery: Analyzed network access through external malicious commands.
  • T1105 – Remote File Copy: Downloaded additional malicious files from external servers.
  • T1059.001 – PowerShell: Utilized PowerShell commands embedded in Windows shortcuts for executing remote installations.
  • T1203 – Exploitation for Client Execution: Leveraged software vulnerabilities in OpenSSL and browsers to deliver malware.
  • T1071 – Application Layer Protocol: Also used for communication between compromised systems and C2 servers.

Full Story: https://redalert.nshc.net/2025/02/06/monthly-threat-actor-group-intelligence-report-december-2024-kor/