
ESET APT Activity Report Q2 2024–Q3 2024
asane


ESET Research, Threat Reports

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024


The ESET APT Activity Report Q2 2024–Q3 2024 summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from April 2024 to the end of September 2024. The highlighted operations are representative of the broader threat landscape that we investigated during this period, illustrating key trends and developments, and contain only a portion of the cybersecurity intelligence data provided to customers in ESET’s private APT reports.

During the monitored period, we observed a notable expansion of targeting by China-aligned MirrorFace. Usually focused on Japanese entities, it expanded its operations to include a European Union (EU) diplomatic organization for the first time, while continuing to prioritize its Japanese targets. Additionally, China-aligned APT groups have increasingly relied on the open-source, cross-platform SoftEther VPN to maintain access to victims’ networks. We detected widespread use of SoftEther VPN by Flax Typhoon, noticed Webworm switching from its full-featured backdoor to SoftEther VPN Bridge on machines of EU government organizations, and noticed GALLIUM deploying SoftEther VPN servers at telecommunications operators in Africa.
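Because SoftEther VPN is a legitimate product, the defensive value of the observation above lies in spotting it where it does not belong. The following added example (not ESET's code and not part of the report) hunts through constructed process-creation events in JSON Lines form and flags SoftEther executables that start on hosts without an approved VPN role or from a non-standard directory. The SoftEther file names (vpnserver.exe, vpnbridge.exe, vpnclient.exe, vpncmd.exe) are real; the event field names, the approved-host list and the expected install directories are assumptions of the example that a practitioner would replace with their own inventory data.

```python
"""Hunt for SoftEther VPN binaries in process-creation telemetry.

Added example, not ESET's code. Field names ("host", "user", "image"),
the approved-host set and the expected install paths are assumptions
chosen for this demonstration.
"""
import json
from pathlib import PureWindowsPath

# Real SoftEther executable names (server, bridge, client, command-line tool).
SOFTETHER_BINARIES = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}

# Assumption: directories a properly installed SoftEther package would use.
EXPECTED_DIRS = {
    r"c:\program files\softether vpn server",
    r"c:\program files\softether vpn bridge",
    r"c:\program files\softether vpn client",
}

# Assumption: hosts with a sanctioned VPN role (would come from an asset inventory).
APPROVED_VPN_HOSTS = {"vpn-gw01"}


def classify_event(event):
    """Return a finding for a SoftEther process start, or None for anything else."""
    image = event.get("image", "")
    path = PureWindowsPath(image)
    binary = path.name.lower()
    if binary not in SOFTETHER_BINARIES:
        return None

    host = event.get("host", "").lower()
    install_dir = str(path.parent).lower()
    reasons = []
    if host not in APPROVED_VPN_HOSTS:
        reasons.append("softether on unapproved host")
    if install_dir not in EXPECTED_DIRS:
        reasons.append("non-standard install path")

    return {
        "host": host,
        "user": event.get("user"),
        "binary": binary,
        "image": image,
        "reasons": reasons,
        # Approved host and expected path: worth an audit trail but not an alert.
        "severity": "high" if reasons else "info",
    }


def hunt(lines):
    """Parse JSON Lines process-creation events and collect SoftEther findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # Malformed telemetry is skipped rather than aborting the hunt.
            continue
        finding = classify_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    '{"host": "VPN-GW01", "user": "SYSTEM", "image": "C:\\\\Program Files\\\\SoftEther VPN Server\\\\vpnserver.exe"}',
    '{"host": "FILESERVER02", "user": "svc_backup", "image": "C:\\\\Users\\\\Public\\\\Music\\\\vpnbridge.exe"}',
    '{"host": "WS-HR-14", "user": "jdoe", "image": "C:\\\\Windows\\\\System32\\\\notepad.exe"}',
    '{not valid json',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["binary"], finding["reasons"])
```

On the constructed sample this yields one informational record for the gateway and one high-severity lead for the file server, where a VPN bridge started from a user-writable directory. Treat the output as hunt leads to be confirmed against change records and the host's expected role, since a legitimately installed SoftEther instance will trip the same logic if the inventory lists are stale.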

We have also seen indications that Iran-aligned groups may be using their cyber capabilities to support diplomatic espionage and possibly kinetic operations. These groups have compromised several financial services firms in Africa – a geopolitically important continent for Iran; carried out cyber espionage against Iraq and Azerbaijan, neighboring countries with which Iran has complex relations; and increased their interest in the transport sector in Israel. Despite this seemingly narrow geographic targeting, Iran-aligned groups have maintained a global focus, also targeting diplomatic envoys in France and educational organizations in the United States.

Threat actors aligned with North Korea have persisted in promoting the goals of their regime, which has been accused by the United Nations and South Korea of stealing funds, both traditional and cryptocurrency, to support its weapons of mass destruction programs. These groups have continued their attacks on defense and aerospace companies in Europe and the US, as well as targeting cryptocurrency developers, think tanks, and NGOs. One such group, Kimsuky, began abusing Microsoft Management Console files, which are typically used by system administrators but can execute any Windows command. Additionally, several North Korea-aligned groups have frequently used popular cloud-based services, including Google Drive, Microsoft OneDrive, Dropbox, Yandex Disk, pCloud, GitHub, and Bitbucket. For the first time, we saw an APT group – specifically ScarCruft – abusing Zoho cloud services.

We have detected Russia-aligned cyberespionage groups frequently targeting webmail servers such as Roundcube and Zimbra, typically with spearphishing emails that trigger known XSS vulnerabilities. In addition to Sednit targeting government, academic, and defense-related entities around the world, we identified another Russia-aligned group, which we named GreenCube, that was stealing email messages via XSS vulnerabilities in Roundcube. Other Russia-aligned groups continued to focus on Ukraine, with Gamaredon running large spearphishing campaigns while retooling its toolset and using and abusing the Telegram and Signal messaging apps. Sandworm used a new Windows backdoor, which we named WrongSens, and its advanced Linux malware, LOADGRIP and BIASBOAT. In addition, we detected Operation Texonto, a disinformation and psychological operation aimed primarily at demoralizing Ukrainians, while also targeting Russian dissidents. We also looked into the hack and public leak of the Polish Anti-Doping Agency, which we believe was compromised by an initial access broker who then shared access with the Belarus-aligned FrostyNeighbor APT group, the entity behind cyber-enabled disinformation campaigns critical of the North Atlantic Alliance. Finally, from analyzing an exploit found in the wild, we discovered a remote code execution vulnerability in WPS Office for Windows. We attribute the exploit to the South Korea-aligned APT-C-60 group.

The malicious activities described in the ESET APT Activity Report Q2 2024–Q3 2024 are detected by ESET products; the shared intelligence is based mainly on ESET proprietary telemetry data and has been verified by ESET researchers.

Figure 1. Countries and sectors covered
Figure 2. Attack sources

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT PREMIUM Reports. For more information, visit the ESET Threat Intelligence website.

Follow ESET Research on Twitter for regular updates on key trends and top threats.