
Chinese Hacking Group Rebounds With Fresh Malware

Researchers: TA416 Ramping Up Phishing Emails Targeting Diplomatic Missions

A Chinese advanced persistent threat group has recently begun ramping up its activities with a new phishing campaign leveraging updated malware that’s targeting diplomatic missions around the world to collect data and monitor communications, according to security firm Proofpoint.

The hacking group, called TA416, is deploying an updated version of the PlugX remote access Trojan recently rewritten in the Golang programming language. This variant appears designed to help avoid detection by security tools and better hide the attackers' espionage activity, according to Proofpoint.


TA416, also known as Mustang Panda and RedDelta, has targeted diplomatic missions and organizations around the world that have dealings with China's government. In July, The New York Times reported the hacking group had targeted the IT infrastructure of the Vatican.

The hacking group has also targeted other organizations, such as think tanks, in the U.S., Southeast Asia and Africa, according to previous research. Earlier this year, it deployed emails with COVID-19 themes as lures (see: Nation-State Hackers Using COVID-19 Fears to Spread Malware).

Proofpoint researchers say the attacks observed since September are a continuation of a campaign spotted in June by security firm RiskIQ.

"This new activity appears to be a continuation of previously reported campaigns that have targeted entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar," according to Proofpoint. "The targeting of organizations conducting diplomacy in Africa has also been observed."

Malware Update

The Proofpoint researchers found that TA416 recently updated its version of PlugX malware by rewriting part of it in Golang. Other hacking groups have used versions of the remote access Trojan (see: Chinese Hacking Group Using Fresh DLL Side-Loading Attack).

PlugX can help attackers maintain persistence within devices or networks. It can also locate and steal files as well as act as a keylogger, according to researchers with Trend Micro.

The Proofpoint researchers could not identify the initial attack vector being used to deliver PlugX to victims in the most recent campaign. But TA416 has previously used phishing emails that have embedded malicious Google Drive or Dropbox links to deploy the code, according to the report.

How the revamped PlugX malware works (Source: Proofpoint)

In the most recent attacks, TA416 is using two RAR archives to hide the malware. If these archives are opened, four additional files are dropped on the host device and the PlugX Trojan is then installed, according to the report.

In some cases, legitimate files are used to help hide and then decrypt the malware as an obfuscation technique. The Proofpoint researchers also found that the command-and-control servers for the most recently discovered campaign share IP addresses with previous campaigns associated with TA416.

"The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools, and it demonstrates adaptation in response to publications regarding their campaigns," according to the report. "These tool adjustments, combined with recurrent command and control infrastructure revisions, suggests that TA416 will persist in their targeting of diplomatic and religious organizations."

Phishing Emails

Most of the phishing emails in the latest campaign appear to have been sent between Sept. 16 and Oct. 10, according to the report. These messages use social engineering lures, such as a reference to a renewed provisional agreement announced in September between the Vatican Holy See and the Chinese Communist Party, as a way to entice a victim to open the malicious message.

"Additionally, a spoofed email header from fields were observed that appear to imitate journalists from the Union of Catholic Asia News," according to the report. "This confluence of themed social engineering content suggests a continued focus on matters pertaining to the evolving relationship between the Catholic Church and the [Chinese Communist Party]."
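The spoofed From fields described above are a display-name impersonation pattern: the visible name matches a trusted journalist or outlet while the actual sending domain does not. The Python below is an added defensive example, not code from Proofpoint or the report; the sender names and domains in it are placeholders, and the allowlist of expected name-to-domain pairs is an assumption a mail team would maintain themselves.

```python
import re
from email import policy
from email.parser import BytesParser

# Hypothetical allowlist: normalized display name -> domain it should come from.
# Placeholder values, not taken from the report.
KNOWN_SENDERS = {
    "example-news-desk": "news.example",
}

def _norm(name: str) -> str:
    """Lower-case and collapse punctuation so 'Example  News-Desk' == 'example-news-desk'."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")

def check_from_header(raw_message: bytes) -> dict:
    """Flag messages whose From display name impersonates a known sender."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return {"suspicious": True, "reasons": ["missing or unparsable From header"]}
    sender = from_hdr.addresses[0]
    domain = sender.domain.lower()
    reasons = []
    expected = KNOWN_SENDERS.get(_norm(sender.display_name))
    if expected and domain != expected:
        reasons.append(f"display name '{sender.display_name}' expected from {expected}, got {domain}")
    # Replies routed to a different domain than the claimed sender is a second red flag.
    reply = msg["Reply-To"]
    if reply is not None and reply.addresses and reply.addresses[0].domain.lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    return {"from": sender.addr_spec, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample messages (not real campaign mail):
SPOOFED = (b"From: Example News Desk <reporter@attacker.example>\r\n"
           b"Subject: Renewed provisional agreement\r\n\r\nSee attached.\r\n")
REPLY_MISMATCH = (b"From: Someone <a@news.example>\r\nReply-To: b@other.example\r\n"
                  b"Subject: Hello\r\n\r\nHi\r\n")
LEGIT = b"From: Example News Desk <desk@news.example>\r\nSubject: Hello\r\n\r\nHi\r\n"

if __name__ == "__main__":
    for sample in (SPOOFED, REPLY_MISMATCH, LEGIT):
        print(check_from_header(sample))
```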

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
