This latest malware attack proves you should never underestimate a cybercriminal. To a fraudster, scams and hacking are a business, and they will do whatever it takes to improve revenue. Just as a legitimate business looks for good sales leads, cybercriminals look for targets that are easy, lucrative, or both. According to Europol's Internet Organised Crime Threat Assessment (IOCTA), "cybercrime is becoming more aggressive and confrontational." The latest phishing campaign from the group known as TA416 is complicated, clever, and persistent.
Advanced and Persistent - TA416 on the Attack Again
TA416 is a China-based hacking group that is also tracked under the names "Mustang Panda" and "RedDelta". The group is known for innovative malware-delivery methods and for the speed with which it takes advantage of software exploits. The profile of this latest attack closely matches the group's earlier activity, hence the attribution to TA416.
TA416 uses a clever blend of techniques to build an advanced persistent threat (APT) attack. Current research from Proofpoint shows that the latest TA416 campaign focuses on specific targets. The researchers note that the activity first appeared around China's National Day holiday and the national vacation period that follows it. In the past, the group has targeted the Vatican and the Chinese Communist Party. This recent campaign follows a similar pattern: the phishing messages reference the agreement between the Vatican Holy See and the Chinese Communist Party (CCP), the so-called China-Holy See agreement.
The campaign's attack chain begins with social engineering: phishing emails that reference the "China-Holy See" agreement to convince victims that the message is legitimate. The email headers and other fields are spoofed so that the messages appear to come from journalists at the Union of Catholic Asian News (UCA News). The delivery method for the payload is, as yet, unconfirmed; however, TA416 is known to place Google Drive and Dropbox URLs in its phishing emails. Hosting malicious links on well-known brands' services is a common technique for delivering malware, because recipients and filters tend to trust those domains. A 2020 report from Datto found that ransomware, for example, was commonly delivered by impersonating key brands. The top three brands identified in the report are:
- Office365 (64%)
- Dropbox (54%)
- Google Workspace (25%)
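The two signals described above, spoofed sender fields and file-sharing links, are exactly what a mail-gateway triage rule looks for. The following Python is an added example written for this page, not code from Proofpoint or from the campaign analysis; the two messages, their addresses, hosts and URL paths are constructed for illustration, and the `Authentication-Results` header is assumed to have been added by the receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts of consumer file-sharing services that phishing emails commonly abuse.
CLOUD_SHARE_HOSTS = {
    "drive.google.com", "docs.google.com",
    "www.dropbox.com", "dropbox.com", "dl.dropboxusercontent.com",
}
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".img")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (invented addresses, hosts and paths); not real campaign data.
SUSPICIOUS_EMAIL = """From: "Jane Reporter (UCA News)" <jane.reporter@ucanews.example>
Reply-To: newsdesk@mail-relay.example
To: secretary@diocese.example
Subject: China-Holy See agreement: background briefing
Authentication-Results: mx.diocese.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
Content-Type: text/plain; charset=utf-8

Please review the briefing at the link below ahead of the renewal talks:
https://www.dropbox.com/s/abc123/Briefing.rar?dl=1
"""

BENIGN_EMAIL = """From: "Jane Reporter (UCA News)" <jane.reporter@ucanews.example>
To: secretary@diocese.example
Subject: Interview request
Authentication-Results: mx.diocese.example; spf=pass smtp.mailfrom=ucanews.example; dkim=pass header.d=ucanews.example
Content-Type: text/plain; charset=utf-8

Could we schedule a call? Background here: https://www.ucanews.example/articles/agreement
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(header):
    """Pull method=result pairs (spf, dkim, dmarc) out of an Authentication-Results header."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", header or "")}


def extract_body(msg):
    """Concatenate the decoded text parts of a message (single-part or multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings = []

    # Spoofed senders often route replies elsewhere: Reply-To domain differs from From domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"{reply_domain} != {from_domain}"))

    # A forged From header cannot pass SPF/DKIM for the impersonated domain.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if not auth:
        findings.append(("no_auth_results", "message carries no Authentication-Results header"))
    else:
        if auth.get("spf") in {"fail", "softfail", "none"}:
            findings.append(("spf_" + auth["spf"], f"SPF result {auth['spf']} for {from_domain}"))
        if auth.get("dkim") != "pass":
            findings.append(("dkim_not_pass", f"DKIM result {auth.get('dkim', 'absent')}"))

    # Links to file-sharing services, especially ones serving archives, are the delivery vector.
    for url in URL_RE.findall(extract_body(msg)):
        parsed = urlparse(url)
        if (parsed.hostname or "") in CLOUD_SHARE_HOSTS:
            findings.append(("cloud_share_link", url))
        if parsed.path.lower().endswith(ARCHIVE_EXTENSIONS):
            findings.append(("archive_link", url))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SUSPICIOUS_EMAIL):
        print(f"{code}: {detail}")
```

No single finding is conclusive on its own; a legitimate newsletter may also use a different Reply-To domain, and many small senders still lack DKIM. The value is in the combination: a failing SPF result on a sender that claims a news organisation, plus a file-sharing link that serves an archive, is the shape of the campaign described above and is worth holding for review.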
How TA416 Works
The TA416 malware uses PlugX as a key component. PlugX is a remote access tool (RAT) that lets the attackers steal data and take remote control of affected systems. It is a powerful malicious component: it allows an attacker to manage and control files and documents, including deleting data, and it can log keystrokes, providing a means to steal login credentials.
Importantly, to avoid detection, TA416 packages the malware in two RAR archives. Once opened, four further files are extracted and the PlugX Trojan is installed. Wrapping a payload in layers of archives is a common way to hide malicious code from scanners that only inspect the outer file. Proofpoint also identified command-and-control servers whose IP addresses overlap with infrastructure used in previous TA416 campaigns.
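A scanner defeats archive layering only if it recurses into every member and classifies the contents by their bytes rather than their names. The following Python is an added example for this page, not Proofpoint's tooling or anything recovered from the campaign; it uses ZIP in place of RAR so that it runs with the standard library alone (a RAR member is recognised by its signature and reported, but not opened, since that would need a third-party package), and the four-file inner archive it builds is a constructed stand-in, not the real dropper.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"          # shared prefix of the RAR4 and RAR5 signatures
PE_MAGIC = b"MZ"                     # DOS/PE header that every Windows .exe and .dll starts with
MAX_DEPTH = 4                        # stop recursing into archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate members larger than this (zip-bomb guard)


def classify(blob):
    """Coarse file type from leading bytes; enough to spot archives and Windows executables."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(RAR_MAGIC):
        return "rar"
    if blob.startswith(PE_MAGIC):
        return "pe"
    return "other"


def scan(blob, path="root", depth=1, report=None):
    """Recursively list the members of a ZIP and of every ZIP nested inside it.

    report["entries"] holds (path, depth, kind, size) tuples. RAR members are recorded
    as nested archives but not opened, because this example only uses zipfile.
    """
    if report is None:
        report = {"entries": [], "max_depth": 0, "truncated": False}
    report["max_depth"] = max(report["max_depth"], depth)
    if depth > MAX_DEPTH:
        report["truncated"] = True
        return report
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                report["entries"].append((member_path, depth, "skipped-too-large", info.file_size))
                continue
            data = zf.read(info.filename)
            kind = classify(data)          # judged by content, not by the member's extension
            report["entries"].append((member_path, depth, kind, len(data)))
            if kind == "zip":
                scan(data, member_path, depth + 1, report)
    return report


def verdict(report):
    """Reasons to hold the file for analysis, derived from the scan report."""
    reasons = []
    archives = [e[0] for e in report["entries"] if e[2] in ("zip", "rar")]
    executables = [e[0] for e in report["entries"] if e[2] == "pe"]
    if archives:
        reasons.append(f"archive nested inside archive: {archives}")
    if executables:
        reasons.append(f"executable content inside archive: {executables}")
    if report["truncated"]:
        reasons.append(f"nesting deeper than {MAX_DEPTH} levels")
    return reasons


def build_sample():
    """Constructed test input: an outer ZIP wrapping an inner ZIP of four files."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("updater.exe", PE_MAGIC + b"\x00" * 64)   # PE-like stub, not a real binary
        z.writestr("helper.dll", PE_MAGIC + b"\x00" * 64)
        z.writestr("config.dat", bytes(range(256)))            # opaque blob
        z.writestr("briefing.txt", b"China-Holy See agreement: background")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Briefing.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    result = scan(build_sample())
    for entry in result["entries"]:
        print(entry)
    print(verdict(result))
```

Two details matter in practice. The depth limit and the per-member size check are not optional: an attacker who knows the gateway recurses can feed it a deeply nested or highly compressible archive to exhaust it. And classification must rely on magic bytes, because renaming `updater.exe` to `updater.dat` inside the archive changes nothing about what it is.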
One of the main concerns about this new campaign is that, in upgrading the PlugX tool, the group shows that it adapts to evade traditional anti-virus software. Cybercriminals frequently change how a campaign or piece of malware works to avoid detection, capitalizing on methods that work and improving those that don't.
Make Cybercrime a Target
Cybercriminals are adept at changing tactics to keep their targets fresh and detection difficult. Organizations the world over, of all sizes and types, are at risk of becoming the latest malware target. Instead, the enterprise must make cybercriminals the target and deploy proactive defenses to prevent a cyber-threat from becoming an incident. Persistent threats, such as those delivered by TA416, can be blocked with modern tooling: malicious content delivered via email or website can be stopped using AI-enabled, cloud-based DNS web filtering and email scanning solutions, which are designed to adapt as web-borne attack techniques change. By making cybercrime the target, organizations can avoid becoming its victims.