An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
ESET APT Activity Report Q4 2022–Q1 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. Attentive readers will notice that a small portion of the report also mentions some events previously covered in APT Activity Report T3 2022. This stems from our decision to release this report on a semi-annual basis, with the current issue encompassing Q4 2022 and Q1 2023, while the forthcoming edition will cover Q2 and Q3 2023.
In the monitored timeframe, several China-aligned threat actors focused on European organizations, employing tactics such as the deployment of a new Ketrican variant by Ke3chang, and Mustang Panda's use of two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents.
India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia, with the former also targeting the education sector in China, and the latter continuing to develop its infamous yty framework while also deploying the commercially available Remcos RAT. Also in South Asia, we detected a high number of Zimbra webmail phishing attempts.
In the Middle East, the Iran-aligned group MuddyWater stopped using SimpleHelp to distribute its tools to its victims during this period and shifted to PowerShell scripts. In Israel, OilRig deployed a new custom backdoor we've named Mango and the SC5k downloader, while POLONIUM used a modified CreepySnail.
North Korea-aligned groups such as ScarCruft, Andariel, and Kimsuky continued to focus on South Korean and South Korea-related entities using their usual toolsets. In addition to targeting the employees of a defense contractor in Poland with a fake Boeing-themed job offer, Lazarus also shifted its focus from its usual target verticals to a data management company in India, using an Accenture-themed lure. We also identified Linux malware being used in one of the group's campaigns.
Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one we call SwiftSlicer), and Gamaredon, Sednit, and the Dukes using spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, we detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe, and we noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading us to believe that the group is currently retooling.
Malicious activities described in ESET APT Activity Report Q4 2022–Q1 2023 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry and has been verified by ESET Research. Countries, regions and verticals affected by the APT groups described in this report include:
| Targeted countries and regions |
|---|
| Australia, Bangladesh, Bulgaria, Central Asia, China, Egypt, Europe, Hong Kong, India, Israel, Japan, Namibia, Nepal, Pakistan, The Philippines, Poland, Saudi Arabia, South Korea, Southwest Asia, Sri Lanka, Sudan, Taiwan, Ukraine, The United Kingdom, The United States |

| Targeted business verticals |
|---|
| Data management companies, Defense contractors, Diplomats, Educational institutions, Energy sector, Financial services, Gambling companies, Governmental organizations, Healthcare, Hospitality, Media, Research institutes |
ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.