Top 5 Notorious Cyber Threat Groups Making Headlines (July 2023)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five significant cyber threat groups that have recently been making headlines with their targeted attacks worldwide including hacker group Andariel striking with new EarlyRat malware, Charming Kitten APT group targeting macOS systems, Russian group Gamaredon launching phishing campaigns, FIN8 group attacking with BlackCat ransomware, and Lazarus APT group exploiting Windows IIS servers.

Read on to discover more…

1. North Korean hacker group Andariel strikes with new EarlyRat malware

Security analysts have identified a newly uncovered remote access trojan (RAT) named ‘EarlyRAT,’ associated with the Lazarus North Korean state-sponsored hacking group’s sub-group, Andariel. Andariel is known for using the DTrack modular backdoor to gather data from compromised systems. Recently, a North Korean group, potentially Andariel, was found using an updated version of DTrack to extract valuable intellectual property over two months. Security researchers have linked Andariel to the deployment of Maui ransomware, indicating a profit-focused approach.

The group employs EarlyRAT to gather system information from compromised devices and transmit it to their command and control (C2) server. Researchers discovered EarlyRAT during their investigation into an Andariel campaign, where they exploited the Log4j vulnerability to breach corporate networks. EarlyRAT is a straightforward tool that collects system data and executes commands on the compromised system, sharing similarities with MagicRAT, another Lazarus group tool. Notably, the observed activities involving EarlyRAT were associated with an inexperienced human operator, revealing typographical errors and lack of attention to detail, which aligned with previous incidents involving the Lazarus group.

2. Charming Kitten APT group expands tactics with NokNok malware

Security researchers report that the Charming Kitten APT group, also known as TA453, has adopted a new strain of malware called NokNok in a recent campaign targeting macOS systems. Departing from their previous method of using Word documents with macros, the group now uses LNK files to deploy their payloads. The hackers impersonate U.S. nuclear experts, employing social engineering tactics and phishing lures to target individuals with offers to review foreign policy drafts.

Once the targets are engaged, they receive a malicious link that leads to a password protected RAR archive hosting the NokNok malware. This backdoor enables the execution of remote commands and gathers system information. If the target is on macOS, a different approach is employed using a ZIP file disguised as a RUSI VPN app, ultimately delivering the NokNok payload. Charming Kitten’s adaptability and sophisticated tactics underscore the escalating threat of macOS-targeting malware campaigns.

3. Russian hacking crew Gamaredon exfiltrates data via phishing campaigns

Gamaredon, a Russia-linked threat actor with potential connections to the SBU Main Office in Crimea, has been observed conducting data exfiltration activities within an hour of initial compromise. The group employs phishing messages sent through hijacked accounts to gain access and utilizes the information-stealing virus GammaSteel to exfiltrate sensitive documents within 30 to 50 minutes. The targeted documents have extensions such as .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb.

Gamaredon continuously changes its strategies, using USB infection techniques for spreading, and employs various tools like Telegram and Telegraph for command-and-control, AnyDesk for remote access, and PowerShell scripts for session hijacking to bypass two-factor authentication (2FA). Despite lacking sophistication, the group’s persistence and adaptability make it a dangerous threat that has maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconnaissance and execute additional commands. According to researchers, Gamaredon’s relentless nature makes it a significant and ongoing risk.

4. FIN8 group uses modified Sardonic backdoor for ransomware attacks

The financially motivated threat actor FIN8 has recently revamped its malware arsenal, deploying the infamous BlackCat ransomware through an updated version of their Sardonic backdoor. The group has been continuously enhancing their capabilities and refining their malware delivery infrastructure, introducing a new variant of the Sardonic backdoor with significant modifications. Unlike previous versions, this updated variant uses a PowerShell script to infect targeted systems, allowing for more stealthy operations and evasion of detection. The backdoor code has undergone major structural changes, transitioning from C++ standard library support to a plain C implementation, further aiding in evasion.

The backdoor now supports three different formats, including PE DLL plugins and various shellcodes, enabling the attackers to carry out a diverse range of malicious activities. Once successfully executed, the Sardonic backdoor becomes receptive to commands, enabling actions such as dropping arbitrary files, exfiltrating content, and executing additional shellcode. The threat actors’ relentless pursuit of financial gain is evident, as they adapt their tactics and expand into ransomware campaigns in addition to their specialization in POS attacks.

5. Lazarus APT group attacks Windows IIS web servers

The Lazarus APT group, backed by the North Korean state, has been found actively targeting Windows Internet Information Service (IIS) web servers using a sophisticated technique known as the watering hole approach. Security researchers discovered that Lazarus gains initial access by compromising Korean websites and manipulating their content, exploiting a vulnerability in INISAFE CrossWeb EX V6. When vulnerable users visit these sites, the Lazarus malware (SCSKAppLink.dll) is stealthily installed via the INISAFECrossWebEXSvc.exe vulnerability.

To escalate privileges, Lazarus employs JuicyPotato malware cleverly packed with Themida. Once inside the targeted systems, the “SCSKAppLink.dll” malware is installed, serving as a downloader for fetching additional malware from external sources. Lazarus has been linked to significant cyber incidents, including the JumpCloud breach and the theft of over $35 million in cryptocurrency from Atomic Wallet. Their persistent and sophisticated nature warrants increased vigilance from the cybersecurity community to effectively counter their activities.

Key recommendations to combat cyber risks:

• Stay vigilant about software vulnerabilities and promptly apply patches and updates, especially for critical components like Log4j.
• Regularly update operating systems, applications, and security software to patch vulnerabilities and protect against known exploits.
• Deploy robust firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation to minimize the impact of potential breaches.
• Deploy advanced email filtering and anti-phishing solutions to block malicious attachments, URLs, and suspicious email content.
• Conduct regular security awareness training to educate employees about the risks associated with phishing attacks, social engineering techniques, and the importance of exercising caution when interacting with unknown or suspicious emails.
• Strengthen authentication mechanisms by implementing multi-factor authentication (MFA) wherever possible, as an extra layer of security.
• Implement comprehensive network monitoring tools to detect suspicious activities, anomalies, and unauthorized connections.
• Deploy endpoint protection solutions that can detect and block malware, including advanced persistent threats (APTs).
• Restrict access to sensitive data and systems only to authorized personnel and employ the principle of least privilege to minimize potential damage in case of a breach.
• Develop a well-defined incident response plan that outlines the steps to be taken in case of a cybersecurity incident. Regularly test and update the plan to ensure its effectiveness.