TA416

Industry: N/A | Level: Tactical | Source: Proofpoint

Proofpoint research provides an update for activity since November 2021, involving Chinese APT group TA416, initiating targeted campaigns against European Diplomatic entities. An increase in activity has been observed since the invasion with Russia in Ukraine has taken place. A new technique was identified in the group's phishing campaigns. Initially, the threat group utilizes web bugs to profile victims to provide a "sign of life," indicating to the attackers the victim is active and can be enticed into opening malicious emails. Phishing emails have then been observed to be leveraging "email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service field while using a unique sender address generated by the service." The abuse of the SMTP2Go service has enabled the group to impersonate different European organizations. When sending the malicious phishing emails, the threat actor provides a DropBox link containing the malware executable, PlugX in a zip file. Upon execution, the malware establishes persistence through DLL Search Order hijacking using PE file potplayermini.exe associated with a public media player and downloads additional payloads.

• Anvilogic Use Cases:
• Compressed File Execution
• Executable File Written to Disk
• Suspicious File written to Disk