The TA416 advanced persistent threat (APT) actor is back with a vengeance: After a month of inactivity, the group was spotted launching spear-phishing attacks with a never-before-seen Golang variant of its PlugX malware loader.
TA416, which is also known as “Mustang Panda” and “RedDelta,” was spotted in recent campaigns targeting entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar (all of these are previously reported campaigns). The group was also spotted recently targeting organizations conducting diplomacy in Africa.
In further analysis of these attacks, researchers found the group had updated its toolset — specifically, giving its PlugX malware variant a facelift. The PlugX remote access tool (RAT) has been previously used in attacks aimed at government institutions and allows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.
“As this group continues to be publicly reported on by security researchers, they exemplify a persistence in the modification of their toolset to frustrate analysis and evade detection,” said researchers with Proofpoint, in a Monday analysis. “While baseline changes to their payloads do not greatly increase the difficulty of attributing TA416 campaigns, they do make automated detection and execution of malware components independent from the infection chain more challenging for researchers.”
Renewed Attacks
After nearly a month of inactivity (following previous threat research) by TA416, researchers observed “limited signs” of renewed spear-phishing activity from Sept. 16 to Oct. 10. Of note, this time period included the Chinese national holiday (National Day), and a following unofficial vacation period (“Golden Week”), said researchers.
These more recent spear-phishing attempts included a (continued) utilization of social-engineering lures that allude to the provisional agreement recently renewed between the Vatican Holy See and the Chinese Communist Party (CCP). Researchers with Recorded Future previously uncovered this campaign and said that it came during the September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, called the China-Holy See deal. Proofpoint researchers said they also observed the threat group leveraging a spoofed email header in spear-phishing messages during this time, which appear to imitate journalists from the Union of Catholic Asia News.
“This confluence of themed social-engineering content suggests a continued focus on matters pertaining to the evolving relationship between the Catholic Church and the CCP,” said researchers.
While some of these campaigns were previously reported on, further investigation into the attacks revealed a brand new variant of TA416’s PlugX malware loader.
PlugX Malware
Upon closer investigation, researchers identified two RAR archives which serve as PlugX malware droppers.
Researchers said, the initial delivery vector for these RAR archives could not be identified, “however, historically TA416 has been observed including Google Drive and Dropbox URLs within phishing emails that deliver archives containing PlugX malware and related components,” they said.
One of these files was found to be a self-extracting RAR archive. Once the RAR archive is extracted four files are installed on the host and the portable executable (PE) Adobelm.exe is executed.
Adobelm.exe is a legitimate Adobe executable that is used for the dynamic link library (DLL) side-loading of hex.dll. It calls an export function of hex.dll, called CEFProcessForkHandlerEx.
“Historically, TA416 campaigns have used the file name hex.dll and the same PE export name to achieve DLL side-loading for a Microsoft Windows PE DLL,” said researchers. “These files served as loaders and decryptors of encrypted PlugX malware payloads.”
This malware loader was identified as a Golang binary; Researchers said they have not previously observed this file type in use by TA416. Go is an open source programming language.
“Both identified RAR archives were found to drop the same encrypted PlugX malware file and Golang loader samples,” they said.
Despite the file type of the PlugX loader changing, the functionality remains largely the same, said researchers.
The file reads, loads, decrypts and executes the PlugX malware payload. The PlugX malware then ultimately calls out to the command and control (C2) server IP, 45.248.87[.]162. Researchers said that continued activity by TA416 demonstrates a persistent adversary making continual changes to documented toolsets.
“The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns,” according to Proofpoint. “These tool adjustments combined with recurrent command and control infrastructure revision suggests that TA416 will persist in their targeting of diplomatic and religious organizations.”