Full Report
The following are the main APT groups and their cases based on the analysis reports released by security companies and organizations in October 2024. 1. Andariel Symantec’s Threat Hunter Team has found evidence that the Andariel group is launching financially motivated attacks against companies in the United States. The group has […] 게시물 APT Group Trends in October 2024이 ASEC에 처음 등장했습니다.
Analysis Summary
The provided article describes multiple threat actors. I will summarize each one separately, as requested by the context of analyzing specific actors.
---
# Threat Actor: Andariel
## Attribution & Identity
Attributed to North Korea (referenced by connection to North Korean hacker group expansion). Continues activity despite U.S. Department of Justice indictment in July 2024. Associated with the Play ransomware group, possibly acting as an Initial Access Broker (IAB) or partner.
## Activity Summary
Launching financially motivated attacks against companies in the United States. Recent activity in August 2024 involved attacks against three U.S. private companies. They appear to be shifting from custom ransomware to leveraging the infrastructure of the Play ransomware group. Demonstrated collaboration with an underground ransomware network.
## Tactics, Techniques & Procedures
- Used unique credentials, including a fake “Tableau” certificate, for access.
- Deployed custom backdoors: Preft (file download/upload, command execution, plugin support) and Nukebot (command execution, file transfer, screenshot capabilities).
- Utilized open-source/publicly available tools: Sliver, Chisel, PuTTY, Megatools.
- Employed two types of keyloggers: one stealing clipboard data and recording specific program inputs; the second recording clipboard data to a random DAT file.
- Used a malicious batch file to activate plaintext credentials.
- Extracted credentials using Mimikatz.
- Propagated Sliver and DTrack malware via the SMB protocol.
- Used `secretsdump.py` (from Impacket) for credential harvesting.
- Deployed Play ransomware following Sliver beacon activity.
## Targeting
- Sectors: Private companies.
- Geography: United States.
- Victims: Three unnamed U.S. private companies in August 2024.
## Tools & Infrastructure
- Malware families used: Preft (backdoor), Nukebot (backdoor), Sliver (beacon), DTrack, Play ransomware.
- Infrastructure: Sliver C2 server (went offline immediately after ransomware deployment).
## Implications
The shift to leveraging Play ransomware infrastructure confirms a move towards organized ransomware operations, potentially indicating an expanded role as an IAB or ransomware affiliate for North Korean efforts.
## Mitigations
- Monitor for unauthorized use of Tableau certificates for access.
- Implement rigorous monitoring for Preft and Nukebot activity indicators.
- Scrutinize SMB traffic for DTrack and Sliver propagation.
- Enhance detection for credential harvesting tools like Mimikatz and Impacket modules.
- Review processes for validating RDP/broker activity if Play ransomware is a concern.
---
# Threat Actor: APT28
## Attribution & Identity
Referred to as APT28. Based on associated activities, this actor is generally attributed to Russia/GRU, though not explicitly stated in this section.
## Activity Summary
Attacks noted by 360 involving malware like Headlace and Masepie. Also involved in a sophisticated phishing campaign targeting a Ukrainian government agency, utilizing a spoofed Google spreadsheet link to execute PowerShell commands, leading to data exfiltration via an SSH tunnel. Exploited Roundcube vulnerability (CVE-2023-43770) in September 2024 to steal email credentials and implement email forwarding filters.
## Tactics, Techniques & Procedures
- Primary initial access method: LNK files disguised as Windows updates or document icons.
- Execution mechanism: DLL hijacking to prompt BAT file execution.
- Malware deployment: Headlace initiated via a compressed file containing CMD/BAT files.
- Persistence/Command & Control: Masepie uses PowerShell scripts executed via LNK files to gain persistent control, gather system info, and receive remote commands.
- Phishing unique technique: Link displayed as a Google spreadsheet that prompts the user to click an "I'm not a robot" reCAPTCHA checkbox, which copies a malicious PowerShell command to the clipboard for the user to execute.
- Data exfiltration: Establishment of an SSH tunnel (via executed script) to leak browser authentication data.
- Post-compromise actions: Downloaded and executed Metasploit.
- Email compromise: Exploited Roundcube CVE-2023-43770, created a "SystemHealthCheck" filter to automatically forward victim email to the actor's address.
- Geofencing strategy utilized to increase success rates in targeted regions.
## Targeting
- Sectors: Government agencies (specifically Ukrainian government agency mentioned), defense-related organizations (via secondary email distribution).
- Geography: Specific regions targeted via geofencing; Ukraine mentioned specifically.
- Victims: Ukrainian government agency; over 10 compromised government email accounts.
## Tools & Infrastructure
- Malware families used: Headlace, Masepie.
- Post-compromise tools: Metasploit.
- Infrastructure: Used the same server for C&C infrastructure across multiple incidents.
## Implications
APT28 continues to leverage sophisticated social engineering techniques (LNK hijacking, reCAPTCHA mimicry) alongside known application vulnerabilities (Roundcube) to achieve persistent access within sensitive government networks and harvest credentials.
## Mitigations
- Implement strict application control policies to restrict execution via LNK files or DLL hijacking vectors.
- Harden email gateways against spoofed links and credential harvesting techniques disguised as CAPTCHAs.
- Patch vulnerable Roundcube installations immediately (CVE-2023-43770).
- Audit mail server filters for suspicious automated forwarding rules targeting harvested accounts.
---
# Threat Actor: APT29 (Midnight Blizzard)
## Attribution & Identity
Russia-based threat group APT29 (also known as “Midnight Blizzard” according to Microsoft).
## Activity Summary
Conducting a large-scale spear-phishing campaign targeting government organizations, academic institutions, defense contractors, and non-profits across multiple allied nations since October 22, 2024. They are leveraging stolen Microsoft or cloud service provider accounts to send malicious emails.
## Tactics, Techniques & Procedures
- Initial access: Spear-phishing emails sent from compromised cloud service/Microsoft accounts.
- Novel delivery mechanism: Including a signed Remote Desktop Protocol (RDP) configuration file (.rdp) as an attachment.
- Execution: When the recipient opens the RDP file, they are automatically connected to a malicious server, facilitating resource sharing (files, drives, peripheral access) and capturing web authentication credentials.
- Persistence: Ability to install malware during the session for continuous access post-session termination.
## Targeting
- Sectors: Government organizations, defense, academia, and non-profit sectors.
- Geography: UK, Europe, Australia, and Japan.
- Victims: Unspecified organizations within the targeted sectors in the named geographies.
## Tools & Infrastructure
- Compromised Microsoft/cloud service provider accounts for sending emails.
- Malicious servers used for RDP connections.
- **Note:** Specific malware families were not listed in this description, but RDP files were the primary access mechanism.
## Implications
This marks a significant operational shift for APT29, moving from traditional document-based spear-phishing to leveraging legitimate configuration files (RDP) to establish network presence, indicating an advanced effort to bypass modern endpoint detection focused on file execution.
## Mitigations
- Enhance scrutiny of incoming RDP configuration files received via email, even if appearing benign or signed.
- Implement network segmentation to limit the scope of lateral movement supported by established RDP sessions.
- Increase monitoring for unusual RDP connection attempts originating from compromised user accounts.
- Reinforce controls around cloud service provider and Microsoft account access security.