ESET APT Activity Report Q4 2022–Q1 2023 | WeLiveSecurity

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
ESET APT Activity Report Q4 2022–Q1 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. Attentive readers will notice that a small portion of the report also mentions some events previously covered in ESET APT Activity Report T3 2022. This stems from our decision to release this report on a semi-annual basis, with the current issue encompassing Q4 2022 and Q1 2023, while the forthcoming edition will cover Q2 and Q3 2023.

In the monitored timeframe, several China-aligned threat actors focused on European organizations, employing tactics such as the deployment of a new Ketrican variant by Ke3chang and Mustang Panda's use of two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents. India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia; SideWinder also targeted the education sector in China, while Donot Team continued to develop its infamous yty framework and additionally deployed the commercially available Remcos RAT. Also in South Asia, we detected a high number of Zimbra webmail phishing attempts.

In the Middle East, the Iran-aligned group MuddyWater stopped using SimpleHelp to distribute its tools to victims during this period and shifted to PowerShell scripts. In Israel, OilRig deployed a new custom backdoor we've named Mango and the SC5k downloader, while POLONIUM used a modified CreepySnail.

North Korea-aligned groups such as ScarCruft, Andariel, and Kimsuky continued to focus on South Korean and South Korea-related entities using their usual toolsets. In addition to targeting the employees of a defense contractor in Poland with a fake Boeing-themed job offer, Lazarus also shifted its focus from its usual target verticals to a data management company in India, utilizing an Accenture-themed lure. We also identified Linux malware being leveraged in one of their campaigns.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one we call SwiftSlicer), and Gamaredon, Sednit, and the Dukes utilizing spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, we detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe, and we noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading us to believe that the group is currently retooling.

Malicious activities described in ESET APT Activity Report Q4 2022–Q1 2023 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry and has been verified by ESET Research.

Countries, regions and verticals affected by the APT groups described in this report include:

Targeted countries and regions: Australia, Bangladesh, Bulgaria, Central Asia, China, Egypt, Europe, Hong Kong, India, Israel, Japan, Namibia, Nepal, Pakistan, the Philippines, Poland, Saudi Arabia, South Korea, Southwest Asia, Sri Lanka, Sudan, Taiwan, Ukraine, the United Kingdom, the United States

Targeted business verticals: Data management companies, Defense contractors, Diplomats, Educational institutions, Energy sector, Financial services, Gambling companies, Governmental organizations, Healthcare, Hospitality, Media, Research institutes

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.

Follow ESET research on Twitter for regular updates on key trends and top threats.
