Chinese TA416 Exemplifies Persistence with Modifications to its Toolsets

After a month of inactivity, the TA416 APT actor has resurfaced. Also known as Mustang Panda and RedDelta, the group has been observed making incremental changes to its documented toolsets to launch espionage campaigns against global targets.

Renewed attacks

According to Proofpoint researchers, the group has been persistent in targeting diplomatic and religious organizations associated with diplomatic relations, as well as entities in Africa and Myanmar.
  • TA416 hackers have been observed launching spear-phishing attacks by leveraging social-engineering lures and spoofed emails (purported to be from the Union of Catholic Asia News) to deliver a new Golang variant of PlugX malware loader.
  • The hackers have leveraged themed social-engineering content such as the recent renewal of the provisional agreement between the Vatican Holy See and the Chinese Communist Party, called the China-Holy See deal.

Recent incidents

Since early May, the TA416 group has been consistently launching targeted cyberattacks against Vatican and Catholic organizations.
  • In September, using spear-phishing emails laced with the PlugX remote access tool (RAT) as the payload, the group carried out network intrusions impacting several entities in India, Indonesia, Myanmar, Hong Kong, and Australia.
  • In the same month, the TA416 group impersonated Taiwan's Ministry of Health and Welfare, for which Taiwan's CERT issued an alert.
  • In July, in a series of suspected network intrusions, the TA416 group targeted the Vatican, the Catholic Diocese of Hong Kong, the Hong Kong Study Mission to China, and the Pontifical Institute for Foreign Missions (PIME), Italy.

Conclusion

The TA416 hacker group has continued to encrypt its PlugX payloads and to repeatedly revise its command-and-control infrastructure in order to remain effective. Furthermore, the group's attention to automated detection and the independent execution of malware components within its infection chain indicate that it plans to continue its attacks, so users and security agencies need to stay alert and take precautions against this threat.