China-based APT Debuts Sepulcher Malware in Spear-Phishing Attacks

Sepulcher malware

The RAT has been distributed in various campaigns over the past six months, targeting both European officials and Tibetan dissidents.

A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.

Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.

“Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413,” said Proofpoint researchers in a Wednesday analysis. “The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest.”

Two Campaigns

In March, researchers observed a phishing campaign that impersonated the World Health Organization’s guidance on COVID-19 critical preparedness. The emails contained a weaponized RTF attachment that impersonated the WHO’s “Critical preparedness, readiness and response actions for COVID-19, Interim guidance” document. The guidance was initially published on March 7, while the weaponized attachment was delivered by threat actors on March 16, researchers said.

When a target clicks the weaponized RTF attachment (named “Covdi.rtf”), it exploits a Microsoft Equation Editor flaw in order to install an embedded malicious RTF object, in the form of a Windows meta-file (WMF), to a file directory (%\AppData\Local\Temp\wd4sx.wmf). The WMF file’s execution then results in the delivery and installation of the Sepulcher malware.

Sepulcher malware The second phishing campaign, starting at the end of July, targeted Tibetan dissidents with the same strain of Sepulcher malware.

The emails, which purported to come from the “Women’s Association Tibetan,” included a malicious PowerPoint attachment (titled “TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx”). The email was targeting dissidents, with the attachment, once opened, referencing “Tibet, Activism and Information.”

When the PowerPoint attachment is executed, it calls out to the IP 118.99.13[.]4 to download a Sepulcher malware payload named “file.dll.”

“The attachment title, decoy content, impersonated sender, and “Dalai Lama Trust in India”-themed C2 affirms this campaign’s focus on individuals associated with the Tibetan leadership in exile,” said researchers.

Sepulcher Malware

Sepulcher is a basic RAT payload that has the abilities to carry out reconnaissance functionality within the infected host, including obtaining information about the drives, file information, directory statistics, directory paths, directory content, running processes and services.

Sepulcher malware Additionally, it is capable of more active functionalities, like deleting directories and files, creating directories, moving file source to destination, spawning a shell to execute commands, terminating a process, restarting a service, changing a service start type and deleting a service.

Researchers said that the Sepulcher malware “is far from groundbreaking,” but noted its combination with timely social-engineering lures around the pandemic.

They also pointed out that the campaign is reminiscent of a July 2019 campaign that was used to distribute ExileRAT; the TA413 APT group has also previously been documented in association with this RAT. ExileRAT is a simple RAT platform capable of getting system data (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.

Shifting Focus: COVID-19

Chinese APT TA413 is previously known for targeting Tibetan dissidents, as it did in its July campaign, so the March attack shows the skyrocketing trend of Chinese APTs branching out and adopting COVID-19 lures in espionage campaigns during the first half of 2020.

Researchers said, following an initial interest from Chinese APTs in targeting intelligence on the response of western global economies during the pandemic, this campaign shows a “return to normalcy” in more recent months.

“The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest,” said researchers. “While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020, before resuming more conventional targeting later this year.”

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles