Operation DevilTiger, APT Hackers 0-Day Exploitation Tactics Exposed

The APT-Q-12 group, also known as Pseudo Hunter, is a Northeast Asian threat actor linked to Darkhotel, which primarily targets East Asian countries, including China, North Korea, Japan, and South Korea. 

They employ sophisticated techniques to infiltrate systems and steal sensitive data by use of various plug-ins, such as Durain and Peach, demonstrating their adaptability and ability to tailor their attacks to specific targets.

APT-Q-12 employs sophisticated email probes to gather information about potential victims, including their email platforms, devices, and office software. 

By embedding malicious content in emails disguised as advertisements or subscriptions, the attackers capture user-agent information to identify email brands and platforms. 

To differentiate between WPS and Word, they utilize web control objects in mhtml files and template injection techniques and the collected information is shared among APT groups in Northeast Asia to facilitate targeted zero-day attacks.

It exploited a 0-day vulnerability in a Win platform mail client, likely using an XSS attack.

The email triggered a malicious script hidden within the title field that downloaded a weaponized LNK file disguised as an image. 

The report says that this LNK dropped a Trojan called s.mui, which checked out the system settings and downloaded another payload called ~StaticCache-System.dat. This one set up persistence through COM hijacking and then got a second payload called MMDevAPI.mui, which is a known APT-Q-12 remote access tool.

The attackers also deployed a suite of plugins for espionage, including keylogging, browser steganography for credential theft, screenshot capture, and a reverse tunneling tool for data exfiltration.

The 0-day vulnerability in the Android platform mail client exploited by APT-Q-14 leverages a ClickOnce attack vector to execute malicious code within attachments. 

By parsing an XSS vulnerability in the mail structure, the attacker triggers the execution of the internal interface, leading to the execution of the malicious program (0o0o.apk), which establishes a connection with a C2 server for long-term control of the target device, downloading a payload that reads and uploads email data to the C2 domain. 

The attack aims to spy on information related to trade between China and North Korea, which highlights the advanced cyber capabilities of attackers in the Korean Peninsula and the potential for significant impacts on both sides and neighboring countries.

The QiAnXin Threat Intelligence Center provides threat intelligence data that is used in their security products to identify malicious activity, which includes indicators of compromise (IOCs), such as MD5 hashes and URLs. 

The MD5 hashes can be used to identify specific malware files, while the URLs are known to be malicious, while the security products can also detect communication with command and control (C2) servers, although a specific IP address mentioned is no longer active.  

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!