An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024.
ESET APT Activity Report Q2 2024–Q3 2024 summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from April 2024 until the end of September 2024. The highlighted operations are representative of the broader landscape of threats we investigated during this period, illustrating the key trends and developments, and contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports.
During the monitored period, we observed a notable expansion in targeting by MirrorFace. Typically focused on Japanese entities, it extended its operations to include a diplomatic organization in the European Union (EU) for the first time while continuing to prioritize its Japanese targets. Additionally, APT groups have been relying increasingly on the open-source and multiplatform SoftEther VPN to maintain access to victims’ networks. We detected extensive use of SoftEther VPN by Flax Typhoon, observed Webworm switching from its full-featured backdoor to using the SoftEther VPN Bridge on machines of governmental organizations in the EU, and noticed GALLIUM deploying SoftEther VPN servers at telecommunications operators in Africa.
We also observed indications that APT groups might be leveraging their cybercapabilities to support diplomatic espionage and, potentially, kinetic operations. These groups compromised several financial services firms in Africa, conducted cyberespionage against Iraq and Azerbaijan, and increased their interest in the transportation sector in Israel. Despite this seemingly narrow geographical targeting, APT groups maintained a global focus, also pursuing diplomatic envoys in France and educational organizations in the United States.
Threat actors persisted in stealing funds – both traditional currencies and cryptocurrencies and continued their attacks on defense and aerospace companies in Europe and the US, as well as targeting cryptocurrency developers, think tanks, and NGOs. One such group, Kimsuky, began abusing Microsoft Management Console files, which are typically used by system administrators but can execute any Windows command. Additionally, several groups frequently misused popular cloud-based services, including Google Drive, Microsoft OneDrive, Dropbox, Yandex Disk, pCloud, GitHub, and Bitbucket. For the first time, we saw an APT group – specifically ScarCruft – abusing Zoho cloud services.
We detected cyberespionage groups frequently targeting webmail servers such as Roundcube and Zimbra, usually with spearphishing emails that trigger known XSS vulnerabilities. Besides Sednit targeting governmental, academic, and defense-related entities worldwide, we identified another group, which we named GreenCube, stealing email messages via XSS vulnerabilities in Roundcube. Other groups continued to focus on Ukraine, with Gamaredon deploying large spearphishing campaigns while reworking its tools using and abusing the Telegram and Signal messaging apps. Sandworm utilized its new Windows backdoor, which we named WrongSens, and its advanced Linux malware: LOADGRIP and BIASBOAT. Additionally, we detected Operation Texonto, a disinformation and psychological operation primarily aimed at Ukrainians and Russians. We also analyzed the public hack-and-leak of the Polish Anti-Doping Agency, which we believe was compromised by an initial access broker who then shared access with the FrostyNeighbor APT group, the entity behind cyber-enabled disinformation campaigns critical of the North Atlantic Alliance. Finally, from analyzing an exploit found in the wild, we discovered a remote code execution vulnerability in WPS Office for Windows. We attribute the attack leveraging the exploit to the APT-C-60 group.
Malicious activities described in ESET APT Activity Report Q2 2024–Q3 2024 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.
ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.
READ FULL REPORT HERE
by Jean-Ian Boutin, ESET
ESET Ireland 