APT Quarterly Highlights: Third Quarter 2024

Q3 2024 saw intensified cyber operations by APT groups from China, North Korea, Iran, and Russia, targeting critical infrastructure, government, and diplomatic networks with increasingly sophisticated tools and methods. The report calls for ongoing vigilance, user education, and timely software updates to counter evolving threats. #VelvetAnt #EarthBaku #MuddyWater #Kimsuky #Lazarus #PioneerKitten #ShadowPad

Key Points

  • Velvet Ant exploited a Cisco Nexus zero-day (CVE-2024-20399) to deploy VELVETSHELL and load backdoors, indicating advanced network-device compromise.
  • MuddyWater (Iran) expanded phishing and custom malware campaigns (BugSleep) across the Middle East, blending espionage with social engineering.
  • APT34 and other Iranian actors used DNS tunneling and sophisticated C2 channels (e.g., Spearal) to evade detection and exfiltrate data.
  • APT29/APT28 (Russia) conducted zero-day-driven operations against iOS and Chrome via watering holes and modular malware to compromise diplomatic/government networks.
  • North Korean groups (Kimsuky, Lazarus, and UNC2970) intensified espionage against Korean, Russian, and academic sectors, deploying a mix of spear-phishing, backdoors, and cloud/HTTP C2.
  • Rising activity includes cross-actor use of DLL side-loading, DLL hijacking, and other defense-evasion techniques to maintain persistence and evade detection.

MITRE Techniques

  • [T1071] Application Layer Protocol – SneakCross uses Google services for C&C communication. Quote: “…uses Google services for command-and-control (C&C) communication…”
  • [T1095] Non-Application Layer Protocol – Spearal communicates via DNS tunneling with Base32 encoding. Quote: “…DNS tunneling using Base32 encoding…”
  • [T1573] Encrypted Channel – C2 communications progressively use encrypted channels. Quote: “…Encrypted Channel…”
  • [T1630.002] Indicator Removal on Host: File Deletion – Defense evasion through removing traces on the host. Quote: “…Indicator Removal on Host: File Deletion…”
  • [T1421] System Network Connections Discovery – Campaigns included discovery of network connections. Quote: “…System Network Connections Discovery…”
  • [T1430] Location Tracking – Location data gathering during campaigns. Quote: “…Location Tracking…”
  • [T1053] Scheduled Task/Job – Persistence via scheduled tasks. Quote: “…Scheduled Task/Job…”
  • [T1027] Obfuscated Files or Information – Obfuscation to hide payloads. Quote: “…Obfuscated Files or Information…”
  • [T1129] Shared Modules – Execution through modular components. Quote: “…Shared Modules…”
  • [T1218] System Binary Proxy Execution – Use of signed system binaries as proxies to run payloads. Quote: “…System Binary Proxy Execution…”
  • [T1082] System Information Discovery – Collecting system data during intrusions. Quote: “…System Information Discovery…”
  • [T1518] Software Discovery – Discovery of security software and other software on hosts. Quote: “…Security Software Discovery…”
  • [T1010] Application Window Discovery – Identifying application windows during lateral movement. Quote: “…Application Window Discovery…”
  • [T1056] Input Capture – Credential and data capture from user input. Quote: “…Input Capture…”
  • [T1056.001] Input Capture: Keylogging – Cited simply as “Input Capture” in several contexts; capture of keystrokes and other input during campaigns. Quote: “…Input Capture…”
  • [T1112] Modify Registry – Registry changes to maintain persistence. Quote: “…Modify Registry…”
  • [T1497] Virtualization/Sandbox Evasion – Avoiding sandbox detection. Quote: “…Virtualization/Sandbox Evasion…”
  • [T1562] Impair Defenses – Actions to disable or modify security tools. Quote: “…Impair Defenses…”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling of specific tools. Quote: “…Disable or Modify Tools…”
  • [T1564] Hide Artifacts – Concealing artifacts and traces. Quote: “…Hide Artifacts…”
  • [T1574] Hijack Execution Flow – DLL side-loading and other execution-flow manipulation to persist. Quote: “…Hijack Execution Flow…”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – DLL side-loading techniques for persistence. Quote: “…DLL Side-Loading…”
  • [T1083] File and Directory Discovery – Locating files prior to exfiltration. Quote: “…File and Directory Discovery…”
  • [T1068] Exploitation for Privilege Escalation – Elevating privileges through exploitation. Quote: “…Exploitation for Privilege Escalation…”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell-based execution used by some campaigns. Quote: “…Command and Scripting Interpreter: PowerShell…”
  • [T1106] Native API – Low-level API usage for execution. Quote: “…Native API…”
  • [T1049] System Network Connections Discovery – Mapping network connections ahead of data exfiltration. Quote: “…System Network Connections Discovery…”
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of common web protocols for C2. Quote: “…Application Layer Protocol…”
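Spearal's DNS tunneling with Base32 encoding (T1095 above) is one of the few techniques on this page with a concrete network signature, and the same heuristic covers any encoder that hides data in long, high-entropy leftmost DNS labels. The Python below is an added example, not code from the report or from CYFIRMA: it constructs a small DNS query log (the client IPs, timestamps, the "exfiltrated" fields and the c2-placeholder.example parent domain are all invented) by Base32-encoding a message into DNS labels the way a tunneling client would, then flags clients that send several charset-conforming, high-entropy labels to the same parent domain.

```python
import base64
import math
import re
from collections import Counter

# Placeholder parent domain for the constructed example; not an indicator from the report.
C2_PARENT = "c2-placeholder.example"

# Base32 alphabet (RFC 4648): A-Z and 2-7, optional '=' padding. Matched after upper-casing
# because DNS names are case-insensitive and a tunneling client may emit lowercase.
BASE32_LABEL = re.compile(r"^[A-Z2-7]+=*$")


def base32_labels(payload, chunk=20):
    """Split a payload into chunks and Base32-encode each one as a DNS label (padding stripped)."""
    return [base64.b32encode(payload[i:i + chunk]).decode().rstrip("=")
            for i in range(0, len(payload), chunk)]


def build_sample_log():
    """Constructed DNS query log: '<timestamp> <client-ip> <query-name>' per line (not from the report)."""
    exfil = b"hostname=WS-0142 user=jdoe domain=corp.example os=win10-22h2 ip=10.0.0.9"
    lines = [
        "2024-09-12T10:01:03Z 10.0.0.5 www.example.com",
        "2024-09-12T10:01:07Z 10.0.0.5 very-long-cdn-edge-node-name-01.example.com",
    ]
    # The tunneling client sends each encoded chunk as the leftmost label of a query.
    for i, label in enumerate(base32_labels(exfil)):
        lines.append(f"2024-09-12T10:01:{10 + i:02d}Z 10.0.0.9 {label}.t.{C2_PARENT}")
    lines.append("2024-09-12T10:01:20Z 10.0.0.5 mail.example.com")
    return "\n".join(lines)


SAMPLE_DNS_LOG = build_sample_log()


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_base32_tunnel_label(label, min_len=20, min_entropy=3.0):
    """Heuristic: a long label drawn only from the Base32 alphabet with high entropy.

    Ordinary hostnames are short, contain '-' or digits outside 2-7, or repeat characters,
    so all three conditions together are rarely met by legitimate traffic.
    """
    upper = label.upper()
    return (len(upper) >= min_len
            and bool(BASE32_LABEL.match(upper))
            and shannon_entropy(upper) >= min_entropy)


def analyze_dns_log(log_text, per_client_threshold=3):
    """Return {(client_ip, parent_domain): count} for pairs with >= threshold suspicious queries.

    Counting per (client, parent domain) rather than per query suppresses one-off false
    positives: a tunnel produces a sustained stream of such labels to one parent.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        _, client, qname = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # need at least <data>.<parent>.<tld>
        if is_base32_tunnel_label(labels[0]):
            parent = ".".join(labels[-2:])
            hits[(client, parent)] += 1
    return {pair: n for pair, n in hits.items() if n >= per_client_threshold}


if __name__ == "__main__":
    for (client, parent), n in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel: {client} -> {parent} ({n} Base32-like queries)")
```

The entropy and length thresholds are starting points, not tuned values: raise `per_client_threshold` on busy resolvers, and allow-list CDN or anti-spam providers that legitimately encode data in labels before alerting on the result.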

Indicators of Compromise

  • [Domain] webhook.site – Used to host malicious content during campaigns.
  • [Domain] voyagorclub.space – Exploit domain used in Operation Dream Job related activity.
  • [Domain] gov-iq.net – Compromised gov-iq.net email accounts used to issue commands and transfer files.
  • [Domain] graph.microsoft.com – Microsoft Graph URLs used for C2 communications.
  • [Domain] dropbox.com – Exfiltration to legitimate cloud storage (Dropbox).
  • [IP] 450 IP addresses – Linked to GuardZoo victims.
  • [File] Avamer.pdf.exe – Double-extension lure used in APT34 campaigns.
  • [File] Protocol.pdf.exe – Double-extension lure used in APT34 campaigns.
  • [File] startcode.bat – Persistence script cited in Stately Taurus activity.
  • [File] TEARPAGE / MISTPEN – Loader chain used by UNC2970: TEARPAGE loads MISTPEN (described in the report's UNC2970 section).
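Several indicators above are legitimate services (webhook.site, graph.microsoft.com, dropbox.com) or compromised legitimate accounts (gov-iq.net), so matching them as malicious would flood a SOC with false positives; the only purely attacker-controlled domain listed is voyagorclub.space. The Python below is an added example, not code from the report, showing one way to triage the list accordingly: blocklist matches, watchlist hits tagged for review, and a double-extension heuristic that generalises the Avamer.pdf.exe / Protocol.pdf.exe lures to other document-looking executables. The log records and file paths are constructed for the example.

```python
import re

# Indicators from the report's IoC list, split by how a defender should treat them.
BLOCKLIST_DOMAINS = {"voyagorclub.space"}           # attacker-controlled: safe to block outright
WATCHLIST_DOMAINS = {                                # legitimate services/accounts abused for C2 or exfil:
    "webhook.site", "graph.microsoft.com",           # flag for review with behavioural context,
    "dropbox.com", "gov-iq.net",                     # never block on name alone
}
KNOWN_LURE_FILES = {"avamer.pdf.exe", "protocol.pdf.exe", "startcode.bat"}

# Generalisation of the double-extension lure: a document-like extension immediately
# followed by an executable/script extension at the end of the file name.
DOUBLE_EXTENSION = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(?:exe|scr|com|pif|bat|cmd|js|vbs|hta)$",
    re.IGNORECASE,
)


def domain_matches(host, indicator):
    """Exact match or subdomain of the indicator (so 'cdn.voyagorclub.space' matches)."""
    return host == indicator or host.endswith("." + indicator)


def classify_host(host):
    """Return 'block', 'review' or 'none' for a queried/contacted host name."""
    host = host.lower().rstrip(".")
    if any(domain_matches(host, d) for d in BLOCKLIST_DOMAINS):
        return "block"
    if any(domain_matches(host, d) for d in WATCHLIST_DOMAINS):
        return "review"
    return "none"


def classify_file(path):
    """Return the list of reasons a file path is suspicious (empty list if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if name in KNOWN_LURE_FILES:
        reasons.append("known-lure-name")
    if DOUBLE_EXTENSION.search(name):
        reasons.append("double-extension")
    return reasons


# Constructed telemetry records (not from the report): DNS lookups and process creations.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "login.microsoftonline.com"},
    {"type": "dns", "host": "graph.microsoft.com"},
    {"type": "dns", "host": "cdn.voyagorclub.space"},
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\Avamer.pdf.exe"},
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\Invoice_Q3.docx.scr"},
    {"type": "process", "image": r"C:\Program Files\Reader\AcroRd32.exe"},
]


def scan(events):
    """Return (indicator, verdict) pairs for every event that matched a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "dns":
            verdict = classify_host(ev["host"])
            if verdict != "none":
                findings.append((ev["host"], verdict))
        elif ev["type"] == "process":
            reasons = classify_file(ev["image"])
            if reasons:
                findings.append((ev["image"], ",".join(reasons)))
    return findings


if __name__ == "__main__":
    for indicator, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:>30}  {indicator}")
```

A "review" hit on graph.microsoft.com or dropbox.com only becomes actionable when paired with context the name alone cannot give, such as an unusual process making the connection, an unfamiliar tenant, or volume that does not fit the host's role; the double-extension rule, by contrast, is precise enough to alert on directly.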

Read more: https://www.cyfirma.com/research/apt-quarterly-highlights-q3-2024/