Chinese hackers target Christian targets with new malware variant

Hacker Typing
(Image credit: Shutterstock)

Researchers from Proofpoint have observed the APT actor TA416 resuming its malicious activity with a new malware variant following a brief respite which coincided with the Chinese National Day holiday back in September.

TA416, also known as “Mustang Panda” and “Red Delta”, is a Chinese APT (advanced persistent threat) group that uses its PlugX malware loader in targeted campaigns. The group is known for modifying its toolset to evade detection and make analysis by security researchers difficult.

Proofpoint has observed new phishing activity by TA416 which targeted entities associated with diplomatic relations between the Vatican and the Chinese Communist Party (CCP). The group also targeted entities in Myanmar as well as organizations conducting diplomacy efforts in Africa.

TA416's latest phishing campaign uses social engineering lures which reference the provisional agreement known as the Vatican Holy See which was recently renewed between the Vatican and the CCP. Spoofed email header fields were also discovered that appeared to imitate journalists from the Union of Catholic Asia News.

PlugX malware

Proofpoint researchers have identified two RAR archives which serve as PlugX malware droppers. Historically TA416 adds either Google Drive or Drobox URLs to its phishing emails that are used to deliver archives containing PlugX malware and related components.

As reported by ThreatPost, the PlugX remote access tool (RAT) allows a remote user to steal data and even take control of affected systems without permission or authorization. PlugX gives an attacker the ability to copy, move, rename, execute and delete files as well as log keystrokes, fingerprint the infected system and more.

This time around though, Proofpoint identified TA416's PlugX malware as a Golang binary. This file type has not been previously used by the group but the malware's functionality remains basically the same.

The Proofpoint Research Team provided further insight on their findings in a new report, saying:

“Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns. These tool adjustments combined with recurrent command and control infrastructure revision suggests that TA416 will persist in their targeting of diplomatic and religious organizations.”

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.