TA416 (aka red Delta), a China-supported group, was observed targeting European diplomatic entities involved in refugee and migrant services. The group took advantage of web bugs to profile its targets.

The ongoing attacks

According to ProofPoint, threat actors' interests in refugee logistics and policies coincide with the ongoing armed conflict between Russia and Ukraine.
  • The campaign uses web bugs to profile the victims and send a variety of PlugX malware payloads through malicious URLs.
  • The group updated its PlugX variant and changed its encoding method by expanding configuration capabilities.
  • An analysis of the delivered payloads and genuine resources obtained from URLs by the first stage malware dropper reveals that the threat group is using an updated version of PlugX malware.

PlugX’s new version

The new updated version comes with three additional fields that did not exist in any of its previous versions.
  • The first change is two hardcoded dates for the latest write time used to filter over files in a specific directory.
  • The second is minimum and maximum file size to filter over files within a specified directory.
  • The third is the format string that defaults to public/Publics and modifies characteristics of the folder and hides from the infected user.

Attribution to TA416

The operator identified in recent campaigns delivering PlugX malware is the same as previously observed in the TA416/ Red Delta campaign of 2020. 
  • Researchers observed repetition of web bug patterns and consistent victimology in 2020, 2021, and 2022 campaigns.
  • Further, the campaign had used an identical file naming structure between PDF and Zip decoy files, along with highly similar Trident Loader TTPs being used for the execution of PlugX malware.

Concluding notes

The campaign against European diplomatic entities reflects the geopolitical interest of the TA416 group. Besides, the group has been making rapid and staggering updates to their PlugX toolkit, which could be a matter of concern to its future targets. Organizations should stay alert and check their security posture against such crimes to stay safe.
Cyware Publisher

Publisher

Cyware