The current threat landscape is heavily focused on pandemic-themed social engineering lures.
A not-so groundbreaking spyware
Recently, Proofpoint researchers released an analysis report of a remote access trojan (RAT) dubbed Sepulcher.
- Sepulcher—linked to APT TA413—has seven work modes and many active functionalities, which make it a never-before-seen intelligence-collecting malware.
- The analysis reports two spear-phishing campaigns by the malware that targeted European officials and Tibetan dissidents.
- According to the report, attackers utilized publicly known Tibetan-themed sender accounts containing a malicious PowerPoint attachment to deliver Sepulcher malware.
- The phishing emails purported to come from the Tibetan Women’s Association and Dalai Lama Trust in India.
- In its March campaign, it launched spear-phishing emails containing a weaponized RTF attachment that impersonated the World Health Organization’s guidance on COVID-19 critical preparedness.
Roots of TA413
The TA413 group, previously associated with LuckyCat and ExileRAT malware, has been active for nearly a decade. Researchers believe that the recent campaigns are reminiscent of a July 2019 campaign that was used to distribute ExileRAT.
Other recent Chinese-APT attacks
In the not-so-distant past, Chinese threat actors have launched a multitude of attacks worldwide.
- In July 2020, a new Chinese hacker group had used spear-phishing emails to drop variants of Cobalt Strike and MgBot malware against individuals and organizations located in India and Hong Kong.
- In June 2020, an unknown Chinese threat actor was found targeting Myanmarese entities.
TA413 has been actively involved in cyber espionage activities and has been using several different tactics and techniques to lure its victims. Moreover, looking at the way state-sponsored APTs have been improving their TTPs, it can be expected that this group is also not planning to slow down its activities in the near future.