Chinese hackers distribute Trojans in European embassies

[ad_1]

cyberespionage cybersquatting cybercriminals covid-19 security career cyberattacks social engineering void balaur hacking an organization chinese hackers

Proofpoint’s cybersecurity research team has released a new threat report identifying a group of Chinese hackers what has intensified its activity against entities in Europe during the escalation of the war in Ukrainelaunching malicious email campaigns to distribute malware.

hacker group, TA416 (also called RedDelta), is known to be aligned with the Chinese state and has been targeting Europe for years. Proofpoint has been following this group since 2020, and there has been a notable increase in the number of attacks since Russian troops began massing on the Ukrainian border.

More recently, TA416 began to use the compromised email address of a diplomat from a European NATO country to send messages to diplomatic offices of different countries. The individuals he was addressing worked at services for refugees and migrants.
TA416 campaigns have used web bugs to profile their victims before sending them malware. This indicates to the attacker that the targeted account is valid, and that the victim is likely to open emails that contain socially engineered content. This suggests that TA416 is more demanding with its objectives and could be an attempt to prevent their malicious tools from being discovered and made public.
Campaigns include malicious links and documents related to border movements of Ukrainian refugeeswith the objective of deliver malware called PlugX to victims. PlugX is a RAT (Remote Access Trojan) that, once installed, can be used to fully control the victim’s equipment.

A group of Chinese hackers that has intensified its activity against entities in Europe during the escalation of the war in Ukraine

“The use of the web bug reconnaissance technique suggests that TA416 is being more picky about the targets it chooses to deliver malware payloads to.”, say Proofpoint researchers. “Historically, the group would send web bug URLs along with malware URLs to confirm receipt. In 2022, the group began profiling users first, then submitting malware URLs. This may be an attempt by TA416 to prevent its malicious tools from being discovered and disclosed. By narrowing the target of broad phishing campaigns to focus on targets that have proven to be active and willing to open the emails, TA416 increases its chances of success in tracking down malware payloads.”.